HTTPConduit doesn't handle cookies when retransmitting in case of "401
Unauthorized" response
---------------------------------------------------------------------------------------------
Key: CXF-3100
URL: https://issues.apache.org/jira/browse/CXF-3100
Project: CXF
Issue Type: Bug
Components: Transports
Reporter: Kevin Linke
Attachments: HTTPConduit.java
Hello,
we are consuming a web service that requires http basic authentication and
tries to establish a cookie-based session with the client. So the response to
the first request is always a "401 Unauthorized" response including a
"Set-Cookie" header, even if the first request already contains the basic
authentication header with the correct credentials. The request is only
accepted if both the basic authentication header and the cookie header with the
cookie from the "401 Unauthorized" response are set.
Calling the web service using SoapUI works fine. You can see in the log the
initial request, the 401 response including the "Set-Cookie" header and the
retransmitted request with the corresponding cookie header set, resulting in a
successful response. Everything as expected.
When using CXF, there is an infinite loop (request -> 401 -> retransmit -> 401
and so on) until a protocol exception is thrown (too many
retransmits/redirects). The reason is that the expected cookie header is not
set when retransmitting the request, even if the parameter
"BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
Investigating the source code of the org.apache.cxf.transport.http.HTTPConduit
class I found out that when retransmitting in case of 301, 302 or 401 responses
the part of the code evaluating the "Set-Cookie" headers of the response is
never reached, which is not correct in my opinion.
I did some changes to the org.apache.cxf.transport.http.HTTPConduit class (see
attachment) so that it works now with the specified scenario. Is it possible to
fix this overall issue in a future release?
Notes:
- we are using Apache CXF 2.2.9
- soap over http (with ssl) and http basic authentication
- the modified org.apache.cxf.transport.http.HTTPConduit class is also based on
the 2.2.9 sources
- all changes of the org.apache.cxf.transport.http.HTTPConduit class are
labeled "// KLI:"
Thanks,
Kevin
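A small Python model of the request -> 401 -> retransmit loop described in the ticket, added here as an illustration; it is not CXF code and not the attached HTTPConduit.java. The server class, the JSESSIONID value and the retransmit cap are constructed; `cookies_on_401=False` reproduces the reported behaviour (Set-Cookie only read from non-error responses), `cookies_on_401=True` models harvesting the cookie before retransmitting.

```python
import base64
from http.cookies import SimpleCookie

MAX_RETRANSMITS = 5  # constructed cap standing in for CXF's redirect/retransmit limit


def basic_credentials(user, password):
    """Token for an 'Authorization: Basic ...' header."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


class SessionAuthServer:
    """Constructed stand-in for the service in the ticket: it answers 401 with a
    Set-Cookie header until a request carries BOTH valid Basic auth and that cookie."""

    def __init__(self, user, password, session_id="abc123"):  # session_id is constructed
        self.token = basic_credentials(user, password)
        self.session_id = session_id

    def handle(self, headers):
        auth_ok = headers.get("Authorization") == "Basic " + self.token
        jar = SimpleCookie(headers.get("Cookie", ""))
        session_ok = "JSESSIONID" in jar and jar["JSESSIONID"].value == self.session_id
        if auth_ok and session_ok:
            return 200, {}
        return 401, {"Set-Cookie": f"JSESSIONID={self.session_id}; Path=/"}


def send(server, token, maintain_session=True, cookies_on_401=False):
    """Model of a retransmitting HTTP conduit. Returns the number of requests
    needed to get a 200, or None once the retransmit limit is exhausted (the
    point at which CXF throws its protocol exception). With cookies_on_401=False
    the Set-Cookie header is only read from non-error responses, so the 401
    cookie is never sent back and every retransmit repeats the same request."""
    cookies = {}
    for attempt in range(1, MAX_RETRANSMITS + 2):
        headers = {"Authorization": "Basic " + token}
        if maintain_session and cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        status, resp = server.handle(headers)
        # The fix: harvest Set-Cookie before deciding to retransmit, not only on success.
        if maintain_session and (status < 400 or cookies_on_401):
            for morsel in SimpleCookie(resp.get("Set-Cookie", "")).values():
                cookies[morsel.key] = morsel.value
        if status == 200:
            return attempt
    return None  # too many retransmits
```

With `SessionAuthServer("alice", "s3cret")` and the matching token, `send(..., cookies_on_401=False)` returns None after the cap is hit, while `send(..., cookies_on_401=True)` succeeds on the second request.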
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.