[ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12932405#action_12932405 ]
Kevin Linke commented on CXF-3100:
----------------------------------

Hi Willem,

I found out that my first solution didn't resolve the problem completely, so I reworked my changes and attached another version of the patched HTTPConduit file and a corresponding diff file (both with extension .v2).

Kevin

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.diff, HTTPConduit.java
>
>
> Hello,
> we are consuming a web service that requires http basic authentication and
> tries to establish a cookie-based session with the client. So the response to
> the first request is always a "401 Unauthorized" response including a
> "Set-Cookie" header, even if the first request already contains the basic
> authentication header with the correct credentials. The request is only
> accepted if both the basic authentication header and the cookie header with
> the cookie from the "401 Unauthorized" response are set.
> Calling the web service using SoapUI works fine. You can see in the log the
> initial request, the 401 response including the "Set-Cookie" header and the
> retransmitted request with the corresponding cookie header set, resulting in
> a successful response. Everything as expected.
> When using CXF, there is an infinite loop (request -> 401 -> retransmit ->
> 401 and so on) until a protocol exception is thrown (too many
> retransmits/redirects). The reason is that the expected cookie header is not
> set when retransmitting the request, even if the parameter
> "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
> Investigating the source code of the
> org.apache.cxf.transport.http.HTTPConduit class I found out that when
> retransmitting in case of 301, 302 or 401 responses the part of the code
> evaluating the "Set-Cookie" headers of the response is never reached, which
> is not correct in my opinion.
> I did some changes to the org.apache.cxf.transport.http.HTTPConduit class
> (see attachment) so that it works now with the specified scenario. Is it
> possible to fix this overall issue in a future release?
> Notes:
> - we are using Apache CXF 2.2.9
> - soap over http (with ssl) and http basic authentication
> - the modified org.apache.cxf.transport.http.HTTPConduit class is also based
> on the 2.2.9 sources
> - all changes of the org.apache.cxf.transport.http.HTTPConduit class are
> labeled "// KLI:"
> Thanks,
> Kevin

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
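
The exchange described in the issue, reproduced as an added example that is not part of the original message and is not CXF code. It uses the JDK's `HttpURLConnection` and built-in `HttpServer` rather than `HTTPConduit`; the class name, credentials, cookie value and loopback server are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;

public class RetransmitWithCookie {
    // Constructed values: base64 of "demo:secret" and a made-up session cookie.
    static final String AUTH = "Basic ZGVtbzpzZWNyZXQ=";
    static final String SESSION = "JSESSIONID=abc123";

    // Sends the request, retransmitting on 401 up to maxTries times.
    // Returns the attempt number that got 200, or -1 if every attempt got 401.
    static int call(URI uri, boolean carryCookie, int maxTries) throws Exception {
        String cookie = null;
        for (int attempt = 1; attempt <= maxTries; attempt++) {
            HttpURLConnection c = (HttpURLConnection) uri.toURL().openConnection();
            c.setRequestProperty("Authorization", AUTH);
            if (cookie != null) c.setRequestProperty("Cookie", cookie);
            int status = c.getResponseCode();
            // The step the report says is skipped on retransmit: read Set-Cookie
            // from the 401 itself. Only the first cookie's name=value is kept.
            String setCookie = c.getHeaderField("Set-Cookie");
            if (carryCookie && setCookie != null) cookie = setCookie.split(";", 2)[0].trim();
            c.disconnect();
            if (status == 200) return attempt;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Server as described in the issue: 401 plus Set-Cookie until both headers arrive.
        srv.createContext("/", ex -> {
            boolean ok = AUTH.equals(ex.getRequestHeaders().getFirst("Authorization"))
                    && SESSION.equals(ex.getRequestHeaders().getFirst("Cookie"));
            if (!ok) {
                ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"demo\"");
                ex.getResponseHeaders().add("Set-Cookie", SESSION + "; Path=/");
            }
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        srv.start();
        URI uri = URI.create("http://127.0.0.1:" + srv.getAddress().getPort() + "/");
        System.out.println("cookie dropped: " + call(uri, false, 5));
        System.out.println("cookie carried: " + call(uri, true, 5));
        srv.stop(0);
    }
}
```

With the cookie dropped, every attempt is answered with 401 until the retry cap is reached, which is the loop the report describes; with the cookie carried over from the 401, the second attempt is accepted.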