Posted to java-dev@axis.apache.org by "Jakob Reschke (Jira)" <ji...@apache.org> on 2023/05/16 10:04:00 UTC

[jira] [Commented] (AXIS2-6055) Basic Auth credentials are missing in request

    [ https://issues.apache.org/jira/browse/AXIS2-6055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723078#comment-17723078 ] 

Jakob Reschke commented on AXIS2-6055:
--------------------------------------

We hit the same problem that Axis2 1.8.2 does not do preemptive authentication anymore, as described in this ticket. On top of that, HttpClient throws a NonRepeatableRequestException when it tries to do the second HTTP request with Authorization headers after receiving the initial HTTP 401 response:
{code:java}
org.apache.http.client.ClientProtocolException: null
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:187) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.axis2.transport.http.impl.httpclient4.RequestImpl.execute(RequestImpl.java:210) ~[axis2-transport-http-1.8.2.jar:1.8.2]
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:194) ~[axis2-transport-http-1.8.2.jar:1.8.2]
    at org.apache.axis2.transport.http.AbstractHTTPTransportSender.writeMessageWithCommons(AbstractHTTPTransportSender.java:386) ~[axis2-transport-http-1.8.2.jar:1.8.2]
    at org.apache.axis2.transport.http.AbstractHTTPTransportSender.invoke(AbstractHTTPTransportSender.java:214) ~[axis2-transport-http-1.8.2.jar:1.8.2]
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431) ~[axis2-kernel-1.8.2.jar:1.8.2]
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399) ~[axis2-kernel-1.8.2.jar:1.8.2]
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225) ~[axis2-kernel-1.8.2.jar:1.8.2]
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:150) ~[axis2-kernel-1.8.2.jar:1.8.2]
    [ here start the stack frames of the application code, which I cut out to not reveal details about our customer's code ]
Caused by: org.apache.http.client.NonRepeatableRequestException: Cannot retry request with a non-repeatable request entity.
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
    ... 45 more
{code}
Since the application code does not build the request entity for the HttpClient, but Axis2 does, I do not see how to get HTTP authentication to work in the non-preemptive way.

So it looks like, out of the box, Axis2 does not do preemptive authentication, nor can it do non-preemptive authentication with HttpClient 4 at the moment.

The workaround is to force preemptive authentication with a custom HttpClient, or with custom headers as shown in the ticket description. Preemptive authentication is not a secure option everywhere (and may not even be possible for other HTTP authentication schemes), but it does not concern our use case at the moment.

If you expect the situation to persist for some time, please consider documenting the issue and the known workarounds on the Axis2 web pages.

> Basic Auth credentials are missing in request
> ---------------------------------------------
>
>                 Key: AXIS2-6055
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6055
>             Project: Axis2
>          Issue Type: Bug
>          Components: TCP transport
>    Affects Versions: 1.8.0
>            Reporter: Markus I.
>            Assignee: Robert Lazarski
>            Priority: Major
>
> There is a changed behaviour between Axis2 1.7 and Axis2 1.8 when using the preemptive authentication in the HttpTransportPropertiesImpl.Authenticator.
> In Axis2 1.7 the following code was used to achieve this behaviour:
> {code:java}
> HttpTransportPropertiesImpl.Authenticator auth = new HttpTransportPropertiesImpl.Authenticator();
> List<String> authpref = new ArrayList<>();
> authpref.add(AuthPolicy.BASIC);
> auth.setAuthSchemes(authpref);
> auth.setUsername("testUser");
> auth.setPassword("testUserPassword");
> auth.setPreemptiveAuthentication(true);
> msgContext.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth); // msgContext = org.apache.axis2.context.MessageContext
> {code}
> Since Axis2 1.8 the code above does not work anymore, because org.apache.axis2.transport.http.HTTPAuthenticator.getPreemptiveAuthentication() is not called anymore by the AXIS implementation. Is this an intended behaviour or a bug? We are using at the moment Axis2 1.8.2.
> The current workaround for us is to set the header directly as shown in the following example:
> {code:java}
> List<NamedValue> l = new ArrayList<>();
> String credentials = "testUser:testUserPassword";
> l.add(new NamedValue(org.apache.axis2.kernel.http.HTTPConstants.HEADER_AUTHORIZATION, "Basic " + Base64.encode(credentials.getBytes())));
> msgContext.setProperty(org.apache.axis2.kernel.http.HTTPConstants.HTTP_HEADERS, l); // msgContext = org.apache.axis2.context.MessageContext
> {code}



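One way to build the custom HttpClient mentioned as a workaround in the comment above, as an added example that is not part of the original message or of Axis2: an HttpClient 4.5 request interceptor sets the Basic header on the first request, but only when the target is the one expected HTTPS host, which limits where preemptive credentials can end up. The class name, the host ws.example.test and the hand-over to Axis2 through the CACHED_HTTP_CLIENT property are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpCoreContext;

public final class ScopedPreemptiveBasicAuth {

    /** True only for the expected host and port, and only over TLS. */
    static boolean mayAttach(HttpHost target, String host, int port) {
        if (target == null || !"https".equalsIgnoreCase(target.getSchemeName())) {
            return false; // never put Basic credentials on a cleartext connection
        }
        int actualPort = target.getPort() == -1 ? 443 : target.getPort();
        return host.equalsIgnoreCase(target.getHostName()) && actualPort == port;
    }

    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    static CloseableHttpClient build(String host, int port, String user, String password) {
        final String header = basicHeader(user, password);
        // Runs before the first send, so no 401 round trip and no retry of the entity.
        HttpRequestInterceptor preemptive = (request, context) -> {
            HttpHost target = (HttpHost) context.getAttribute(HttpCoreContext.HTTP_TARGET_HOST);
            if (mayAttach(target, host, port) && !request.containsHeader(HttpHeaders.AUTHORIZATION)) {
                request.setHeader(HttpHeaders.AUTHORIZATION, header);
            }
        };
        return HttpClients.custom().addInterceptorFirst(preemptive).build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample targets; ws.example.test is a placeholder host.
        System.out.println(mayAttach(new HttpHost("ws.example.test", 443, "https"), "ws.example.test", 443));
        System.out.println(mayAttach(new HttpHost("ws.example.test", 80, "http"), "ws.example.test", 443));
        System.out.println(mayAttach(new HttpHost("other.example.test", 443, "https"), "ws.example.test", 443));
        try (CloseableHttpClient client = build("ws.example.test", 443, "testUser", "testUserPassword")) {
            // Assumption: hand 'client' to Axis2 here, e.g. through the
            // HTTPConstants.CACHED_HTTP_CLIENT property on the client Options.
            System.out.println("client ready: " + (client != null));
        }
    }
}
```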