You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by bu...@apache.org on 2005/10/04 22:49:09 UTC
DO NOT REPLY [Bug 36918] New: -
Digest auth using CONNECT to IAS fails
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36918>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36918
Summary: Digest auth using CONNECT to IAS fails
Product: HttpClient
Version: 3.0 RC1
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: RFC
Severity: major
Priority: P2
Component: Commons HttpClient
AssignedTo: httpclient-dev@jakarta.apache.org
ReportedBy: ender3rd@gmail.com
I'm having a problem getting httpclient-rc1 to authenticate using
digest to our IAS server. I've tried upgrading to rc3 without any
effect. I also got our IT guys to upgrade IAS without luck. I was
also able to have the GET method work under IAS and CONNECT to work
with a couple other proxy servers. After examining ethereal logs for
my (commons) code and firefox to the same URLs I noticed that the
value for the "uri" setting in the "Proxy-Authorization" header was
the only significant difference. After looking at RFC 2617 I noticed
that in section 3.2.2 (The Authorization Request Header) it states:
digest-uri
The URI from Request-URI of the Request-Line; duplicated here because
proxies are allowed to change the Request-Line in transit.
A re-examination of the headers showed that firefox was matching the Request-URI
with the digest-uri but that httpclient was not. I reproduced partial headers
below. I tried modifying the RC3 source to produce a hard-coded value for "uri"
and demonstrated that it would successfully authenticate to that URI. I also
checked that authentication would fail to any other URI and it did.
partial httpclient header (fails with 407):
CONNECT gmail.google.com:443 HTTP/1.1
Proxy-Authorization: Digest username="proxytest", realm="Digest",
nonce="503902c343c8c501057a85cea6bad2734378fb44b4cbd1970bf320637871dae85373082cf70ac254",
uri="/", response="7717d0738332a3d8e83e9102b5ead6b9", qop="auth", nc=00000001,
cnonce="583aa0469b31290dc2acd7ec6cfc98f1", algorithm="MD5-sess",
opaque="bb319760fce84856e5648d3536502d81"
partial firefox header (succeeds with 200):
CONNECT mail1.combrio.local:443 HTTP/1.1
Proxy-Authorization: Digest username="proxytest", realm="Digest",
nonce="0e61fe645ec8c5015aa3afe8cfe5219488ed473e277a8cddf8225ad66e74fd214f97d9d96ac99991",
uri="mail1.combrio.local:443", algorithm=MD5-sess,
response="bfac109287273e867531170475172ccf",
opaque="70cb2a1533b85882d0f1aa1e2ad1fbae", qop=auth, nc=00000001,
cnonce="b41aecd6e527e774"
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org