https://issues.apache.org/jira/browse/HTTPCLIENT-2393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18016767#comment-18016767
Gary D. Gregory edited comment on HTTPCLIENT-2393 at 8/28/25 12:23 PM:
-----------------------------------------------------------------------
Hello [~andyypsilon]
In https://datatracker.ietf.org/doc/html/rfc7616, I read:
{quote}
For historical reasons, a sender MUST only generate the quoted string
syntax for the following parameters: nextnonce, rspauth, and cnonce.
{quote}
[~arturobernalg]?
was (Author: garydgregory):
Hello [~andyypsilon]
In https://datatracker.ietf.org/doc/html/rfc7616, I read:
{quote}
For historical reasons, a sender MUST only generate the quoted string
syntax for the following parameters: nextnonce, rspauth, and cnonce.
{quote}
> Authorization header contains rspauth
> -------------------------------------
>
> Key: HTTPCLIENT-2393
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2393
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Reporter: Andreas Knops
> Priority: Major
>
> After upgrading to HttpClient 5, one of our services stopped working with
> Digest Authentication.
> We traced this to a recent change where the client now includes an rspauth
> parameter in the Authorization header during the authentication request.
> https://github.com/apache/httpcomponents-client/pull/594
> Is this behaviour in HttpClient 5 intentional and correct according to the
> Digest Authentication specification?
> According to our reading of RFC 7616, rspauth is generated by the server and
> sent in the Authentication-Info header — not calculated or sent by the client
> in the Authorization header. Based on this, we would have expected the client
> never to send rspauth.
> h4. Minimal reproducible example:
> {code:java}
> import java.text.MessageFormat;
> import org.apache.hc.client5.http.auth.AuthScope;
> import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
> import org.apache.hc.client5.http.classic.methods.HttpGet;
> import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
> import org.apache.hc.client5.http.impl.classic.BasicHttpClientResponseHandler;
> import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
> import org.apache.hc.client5.http.impl.classic.HttpClients;
> public class DigestRepro {
>     public static void main(String[] args) throws Exception {
>         String urlPattern = "http://httpbin.org/digest-auth/auth/{0}/{1}";
>         String user = "myUser";
>         String pwd = "myPassword";
>         String url = MessageFormat.format(urlPattern, user, pwd);
>         BasicCredentialsProvider credsProvider = new BasicCredentialsProvider();
>         // any protocol, host, port, realm and scheme
>         AuthScope anyScope = new AuthScope(null, null, -1, null, null);
>         var credentials = new UsernamePasswordCredentials(user, pwd.toCharArray());
>         credsProvider.setCredentials(anyScope, credentials);
>         try (CloseableHttpClient httpclient = HttpClients.custom()
>                 .setDefaultCredentialsProvider(credsProvider).build()) {
>             HttpGet httpget = new HttpGet(url);
>             // first request gets 401 + challenge, retry carries the Digest credentials
>             httpclient.execute(httpget, new BasicHttpClientResponseHandler());
>         }
>     }
> }{code}
> h4. Log output:
> {{14:42:52.888 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >>
> GET /digest-auth/auth/myUser/myPassword HTTP/1.1}}
> {{...}}
> {{14:42:59.793 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 <<
> HTTP/1.1 401 UNAUTHORIZED}}
> {{...}}
> {{14:42:59.793 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 <<
> WWW-Authenticate: Digest realm="[email protected]",
> nonce="09e5c615468a6399e864f90c760fcb38", qop="auth",
> opaque="1ce2920b3602651c3ccbc3cc5b999db7", algorithm=MD5, stale=FALSE}}
> {{...}}
> {{14:42:59.812 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >>
> GET /digest-auth/auth/myUser/myPassword HTTP/1.1}}
> *{{14:42:59.812 DEBUG org.apache.hc.client5.http.headers — http-outgoing-0 >>
> Authorization: Digest username="myUser", realm="[email protected]",
> nonce="09e5c615468a6399e864f90c760fcb38",
> uri="/digest-auth/auth/myUser/myPassword",
> response="ac4314896b80485aaaeb385332d7d313", qop=auth, nc=00000001,
> cnonce="5c8c75560f7e62157d1c34b12158a770",
> {color:#de350b}rspauth="0f0cb5f8cd0e5d5c0386588543a20c67"{color},
> algorithm=MD5, opaque="1ce2920b3602651c3ccbc3cc5b999db7"}}*
> {{...}}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
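The parameter the issue is about, as an added example that is not HttpClient code and not part of the Jira thread: a small Python model of RFC 7616 Digest (algorithm=MD5, qop=auth) that builds the client's Authorization header without rspauth, verifies it on the server side while flagging a stray rspauth as a protocol deviation, and emits the Authentication-Info header where rspauth belongs, with the quoting the RFC text quoted above prescribes (nextnonce, rspauth and cnonce quoted; qop and nc bare). All values (realm, nonce, cnonce, opaque, credentials) are constructed; the realm in the issue's log is redacted, so the digests in that log cannot be reproduced.

```python
import hashlib
import hmac
import re

# Constructed sample values (not taken from the issue's log, whose realm is
# redacted; nothing here reproduces that log's digests).
USER = "myUser"
PASSWORD = "myPassword"
REALM = "example.test"
METHOD = "GET"
URI = "/digest-auth/auth/myUser/myPassword"
NONCE = "0123456789abcdef0123456789abcdef"
CNONCE = "fedcba9876543210fedcba9876543210"
OPAQUE = "00112233445566778899aabbccddeeff"
NC = "00000001"

# name=value pairs; the value is either a quoted-string or a bare token
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_params(header):
    """Parse a Digest challenge or credentials header into a dict."""
    if header.lower().startswith("digest "):
        header = header[len("digest "):]
    params = {}
    for name, quoted, bare in _PARAM_RE.findall(header):
        params[name.lower()] = bare if bare else quoted
    return params


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def _ha1(user, realm, password):
    return _md5(f"{user}:{realm}:{password}")


def compute_response(method, uri, user, password, realm, nonce, nc, cnonce, qop="auth"):
    """Client 'response' (RFC 7616, algorithm=MD5, qop=auth): A2 = method:uri."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def compute_rspauth(uri, user, password, realm, nonce, nc, cnonce, qop="auth"):
    """Server 'rspauth' for Authentication-Info: same KD, but A2 = ':' + uri
    (empty method), which is why it differs from the request's response."""
    ha2 = _md5(f":{uri}")
    return _md5(f"{_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(method, uri, user, password, challenge, nc, cnonce):
    """What the client should send: credentials per RFC 7616 section 3.4.
    rspauth is deliberately absent; it is not a client parameter."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    response = compute_response(method, uri, user, password, realm, nonce, nc, cnonce)
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{response}"', "qop=auth", f"nc={nc}",
             f'cnonce="{cnonce}"', "algorithm=MD5"]
    if "opaque" in challenge:
        parts.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(parts)


def verify_authorization(header, method, password_for):
    """Server-side check. Returns (digest_ok, findings); findings are protocol
    deviations worth logging even when the digest itself verifies."""
    p = parse_digest_params(header)
    findings = []
    if "rspauth" in p:
        findings.append("rspauth present in Authorization: it is a server-to-client "
                        "parameter (Authentication-Info), not client credentials")
    expected = compute_response(method, p["uri"], p["username"], password_for(p["username"]),
                                p["realm"], p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"]), findings


def build_authentication_info(user, password, p, nextnonce=None):
    """Server's Authentication-Info per RFC 7616 section 3.5: nextnonce, rspauth
    and cnonce are quoted; qop and nc are bare tokens."""
    qop = p.get("qop", "auth")
    rspauth = compute_rspauth(p["uri"], user, password, p["realm"], p["nonce"], p["nc"], p["cnonce"], qop)
    parts = [f'nextnonce="{nextnonce}"'] if nextnonce else []
    parts += [f"qop={qop}", f'rspauth="{rspauth}"', f'cnonce="{p["cnonce"]}"', f"nc={p['nc']}"]
    return ", ".join(parts)


def demo():
    """Challenge -> client credentials -> server check -> Authentication-Info,
    then the issue's symptom (client appending rspauth) to show the server finding."""
    challenge = parse_digest_params(
        f'Digest realm="{REALM}", nonce="{NONCE}", qop="auth", opaque="{OPAQUE}", algorithm=MD5')
    good = build_authorization(METHOD, URI, USER, PASSWORD, challenge, NC, CNONCE)
    good_ok, good_findings = verify_authorization(good, METHOD, lambda u: PASSWORD)
    info = build_authentication_info(USER, PASSWORD, parse_digest_params(good))
    stray = good + ', rspauth="' + compute_rspauth(URI, USER, PASSWORD, REALM, NONCE, NC, CNONCE) + '"'
    stray_ok, stray_findings = verify_authorization(stray, METHOD, lambda u: PASSWORD)
    return {"good": (good_ok, good_findings), "stray": (stray_ok, stray_findings), "info": info}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The server in this model still accepts the header that carries a stray rspauth, because the response digest verifies; the finding is there so the deviation is visible in logs. A stricter server that rejects unknown parameters, or a proxy that validates syntax, is where the behaviour reported in the issue breaks interoperability.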