[ https://issues.apache.org/jira/browse/CXF-8747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577869#comment-17577869 ]
Yves Piel commented on CXF-8747:
--------------------------------

Maybe the issue comes from httpcomponents-client: [https://github.com/apache/httpcomponents-client/blob/18fa09f6a2d760b1c8ff0debb5bc04562dfe9ee1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java#L75]

Is this the client under the hood?

> Digest authentication - support of qop="auth-int"
> -------------------------------------------------
>
>                 Key: CXF-8747
>                 URL: https://issues.apache.org/jira/browse/CXF-8747
>             Project: CXF
>          Issue Type: New Feature
>            Reporter: Yves Piel
>            Priority: Major
>
> Digest authentication has a parameter qop that can take 2 values, 'auth' or 'auth-int': [https://www.rfc-editor.org/rfc/rfc7616.html]
> It seems cxf only supports 'auth'. We can try with [https://httpbin.org/#/Auth/get_digest_auth__qop___user___passwd___algorithm_]
> {noformat}
> @ParameterizedTest
> @CsvSource({"auth,MD5",
>         "auth,SHA-256",
>         "auth,SHA-512",
>         "auth-int,MD5",
>         "auth-int,SHA-256",
>         "auth-int,SHA-512",})
> public void digest(String qop, String algo){
>     String myUser = "myUser";
>     String myPassword = "myPassword";
>     WebClient client = WebClient.create("https://httpbin.org/digest-auth/")
>             .path("{qop}/{user}/{passwd}/{algorithm}", qop, myUser, myPassword, algo);
>     HTTPConduit httpConduit = WebClient.getConfig(client).getHttpConduit();
>     AuthorizationPolicy digestAuthPolicy = new AuthorizationPolicy();
>     digestAuthPolicy.setUserName(myUser);
>     digestAuthPolicy.setPassword(myPassword);
>     digestAuthPolicy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_DIGEST);
>     httpConduit.setAuthorization(digestAuthPolicy);
>     Response response = client.invoke("GET", null);
>     System.out.println(String.format("qop=%s, algo=%s => status: %s", qop, algo, response.getStatus())); // is 200 OK
> }
> {noformat}
> That generates this output:
> {noformat}
> qop=auth, algo=MD5 => status: 200
> qop=auth, algo=SHA-256 => status: 200
> qop=auth, algo=SHA-512 => status: 200
> qop=auth-int, algo=MD5 => status: 401
> qop=auth-int, algo=SHA-256 => status: 401
> qop=auth-int, algo=SHA-512 => status: 401
> {noformat}
> It could be great to support it.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
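
Added example, not part of the original message and not CXF or httpcomponents-client code: a Python implementation of the RFC 7616 response computation for both qop values, showing that auth-int hashes the entity body into A2, so a client that computes A2 the qop=auth way cannot pass an auth-int check. The realm, URI, nonce, cnonce and request bodies are constructed sample values; the user name and password reuse the placeholders from the test above.

```python
import hashlib
import hmac

# hashlib names for two of the algorithm tokens used in the report above
ALGOS = {"MD5": "md5", "SHA-256": "sha256"}

# Constructed sample challenge/request values (not from any real server)
SAMPLE = dict(user="myUser", realm="example.test", password="myPassword",
              method="POST", uri="/resource",
              nonce="constructed-nonce", nc="00000001",
              cnonce="constructed-cnonce")

def H(algo, data):
    """Hex digest of bytes under the negotiated Digest algorithm."""
    return hashlib.new(ALGOS[algo], data).hexdigest()

def digest_response(algo, qop, user, realm, password, method, uri,
                    nonce, nc, cnonce, body=b""):
    """RFC 7616 section 3.4 'response' value for qop=auth or auth-int."""
    a1 = f"{user}:{realm}:{password}".encode()
    if qop == "auth":
        a2 = f"{method}:{uri}".encode()
    elif qop == "auth-int":
        # auth-int appends H(entity-body) to A2, binding the body
        a2 = f"{method}:{uri}:{H(algo, body)}".encode()
    else:
        raise ValueError(f"unsupported qop: {qop}")
    data = f"{nonce}:{nc}:{cnonce}:{qop}:{H(algo, a2)}".encode()
    # KD(secret, data) = H(secret ":" data) with secret = H(A1)
    return H(algo, H(algo, a1).encode() + b":" + data)

def verify(algo, qop, response, body, **params):
    """Server-side check: recompute over the body actually received."""
    expected = digest_response(algo, qop, body=body, **params)
    return hmac.compare_digest(response, expected)

def tamper_detected(algo, qop):
    """True if changing the body after signing makes verification fail."""
    signed = digest_response(algo, qop, body=b'{"amount": 10}', **SAMPLE)
    return not verify(algo, qop, signed, b'{"amount": 9999}', **SAMPLE)

if __name__ == "__main__":
    for algo in ALGOS:
        for qop in ("auth", "auth-int"):
            print(f"qop={qop}, algo={algo} => body tampering detected: "
                  f"{tamper_detected(algo, qop)}")
```

With qop=auth the response covers only the method and URI, so a modified body still verifies; with qop=auth-int the same modification is rejected.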