Andreas Knops created HTTPCLIENT-2393:
-----------------------------------------
Summary: Authorization header contains rspauth
Key: HTTPCLIENT-2393
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2393
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Reporter: Andreas Knops
After upgrading to HttpClient 5, one of our services stopped working with
Digest Authentication.
We traced this to a recent change where the client now includes an rspauth
parameter in the Authorization header during the authentication request.
[https://github.com/apache/httpcomponents-client/pull/594]
Is this behaviour in HttpClient 5 intentional and correct according to the
Digest Authentication specification?
According to our reading of RFC 7616, rspauth is generated by the server and
sent in the Authentication-Info header — not calculated or sent by the client
in the Authorization header. Based on this, we would have expected the client
never to send rspauth.
h4. Minimal reproducible example:
{code:java}
import java.text.MessageFormat;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.classic.BasicHttpClientResponseHandler;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
public class DigestRspauthRepro {
    public static void main(String[] args) throws Exception {
        String urlPattern = "http://httpbin.org/digest-auth/auth/{0}/{1}";
        String user = "myUser";
        String pwd = "myPassword";
        String url = MessageFormat.format(urlPattern, user, pwd);
        BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
        // Scope matching any protocol, host, port, realm and auth scheme
        AuthScope anyScope = new AuthScope(null, null, -1, null, null);
        var credentials = new UsernamePasswordCredentials(user, pwd.toCharArray());
        credsProvider.setCredentials(anyScope, credentials);
        try (CloseableHttpClient httpclient = HttpClients.custom()
                .setDefaultCredentialsProvider(credsProvider)
                .build()) {
            HttpGet httpget = new HttpGet(url);
            httpclient.execute(httpget, new BasicHttpClientResponseHandler());
        }
    }
}
{code}
h4. Log output:
{{14:42:52.888 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >> GET /digest-auth/auth/myUser/myPassword HTTP/1.1}}
{{...}}
{{14:42:59.793 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 << HTTP/1.1 401 UNAUTHORIZED}}
{{...}}
{{14:42:59.793 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 << WWW-Authenticate: Digest realm="[email protected]", nonce="09e5c615468a6399e864f90c760fcb38", qop="auth", opaque="1ce2920b3602651c3ccbc3cc5b999db7", algorithm=MD5, stale=FALSE}}
{{...}}
{{14:42:59.812 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >> GET /digest-auth/auth/myUser/myPassword HTTP/1.1}}
{{14:42:59.812 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >> *Authorization: Digest username="myUser", realm="[email protected]", nonce="09e5c615468a6399e864f90c760fcb38", uri="/digest-auth/auth/myUser/myPassword", response="ac4314896b80485aaaeb385332d7d313", qop=auth, nc=00000001, cnonce="5c8c75560f7e62157d1c34b12158a770", {color:#de350b}rspauth="0f0cb5f8cd0e5d5c0386588543a20c67"{color}, algorithm=MD5, opaque="1ce2920b3602651c3ccbc3cc5b999db7"*}}
{{...}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
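Added illustration of the RFC 7616 point raised in the report (this is not code from the report or from HttpClient, and the realm, nonce and cnonce below are constructed sample values): the client's response is computed over A2 = method ":" uri, while the server's rspauth in Authentication-Info is computed over A2 = ":" uri with the method omitted. The client therefore has everything it needs to verify rspauth when the server sends it, but nothing to gain from emitting it in Authorization.

```python
import hashlib
import hmac
import re

# Constructed sample values (not the redacted realm or the nonces from the report's log)
USER, PASSWORD, REALM = "myUser", "myPassword", "example.org"
URI = "/digest-auth/auth/myUser/myPassword"
NONCE, CNONCE, NC, QOP = "0123456789abcdef0123456789abcdef", "fedcba9876543210", "00000001", "auth"


def md5_hex(s: str) -> str:
    # algorithm=MD5, as in the challenge shown in the log (RFC 7616 keeps it for compatibility)
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def kd(ha1: str, ha2: str) -> str:
    # RFC 7616 3.4.1 with qop present: H(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    return md5_hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{QOP}:{ha2}")


def client_response(method: str) -> str:
    # "response" the client puts in Authorization: A2 = Method ":" request-uri
    return kd(md5_hex(f"{USER}:{REALM}:{PASSWORD}"), md5_hex(f"{method}:{URI}"))


def server_rspauth() -> str:
    # "rspauth" the server puts in Authentication-Info: A2 = ":" request-uri (method omitted)
    return kd(md5_hex(f"{USER}:{REALM}:{PASSWORD}"), md5_hex(f":{URI}"))


def build_authorization(method: str) -> str:
    # Authorization header as RFC 7616 section 3.4 defines it: there is no rspauth parameter
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
            f'response="{client_response(method)}", qop={QOP}, nc={NC}, cnonce="{CNONCE}", '
            f'algorithm=MD5')


def verify_authentication_info(header: str) -> bool:
    # Client-side mutual authentication: the server's rspauth must equal the locally computed one
    m = re.search(r'rspauth="?([0-9a-fA-F]+)"?', header)
    return m is not None and hmac.compare_digest(m.group(1).lower(), server_rspauth())
```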