[
https://issues.apache.org/jira/browse/CXF-7170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Silvan Hollenstein updated CXF-7170:
Description:
When the authorization type "Digest" is chosen, and the server responds with a
401 and multiple WWW-Authenticate headers, this will most probably lead to an
error.
Define Digest to be your authentication method:
...
AuthorizationPolicy authPolicy = new AuthorizationPolicy();
authPolicy.setAuthorizationType("Digest");
...
The HTTPConduit will then create a DigestAuthSupplier. In...
--
DigestAuthSupplier.getAuthorization(...) {
...
HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
if (authHeader.authTypeIsDigest()) {
...
}
}
--
fullHeader will be (because two headers):
'Basic realm="...", Digest realm="...", nonce="0058a704Y936...", stale=FALSE,
qop="auth"'
the authHeader will have the "Basic", because it is the first in fullHeader.
But this does not match of course with authHeader.authTypeIsDigest(), and then
it will return null.
The actual wrong thing is, imo, that the fullHeader is concatenated, instead of
choosing the one auth header that matches the method we have defined. Maybe
HttpAuthHeader should hold a list of headers instead of concatenating them.
Furthermore, it would be nice when the suppliers were chosen automatically,
based on what authentication methods the server offers.
was:
When the authorization type "Digest" is chosen, and the server responds with a
401 and multiple WWW-Authenticate headers, this will most probably lead to an
error.
Define Digest to be your authentication method:
...
AuthorizationPolicy authPolicy = new AuthorizationPolicy();
authPolicy.setAuthorizationType("Digest");
...
The HTTPConduit will then create a DigestAuthSupplier. In...
DigestAuthSupplier.getAuthorization(...) {
...
HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
if (authHeader.authTypeIsDigest()) {
...
}
}
the authHeader will have the "Basic", because it is the first in fullHeader.
But this does not match of course with authHeader.authTypeIsDigest(), and then
it will return null.
The actual wrong thing is, imo, that the fullHeader is concatenated, instead of
choosing the one auth header that matches the method we have defined.
Furthermore, it would be nice when the suppliers were chosen automatically,
based on what authentication methods the server offers.
> Support Multiple WWW-Authenticate Headers
> -
>
> Key: CXF-7170
> URL: https://issues.apache.org/jira/browse/CXF-7170
> Project: CXF
> Issue Type: Bug
> Components: Transports
>Affects Versions: 3.1.8
>Reporter: Silvan Hollenstein
>
> When the authorization type "Digest" is chosen, and the server responds with
> a 401 and multiple WWW-Authenticate headers, this will most probably lead to
> an error.
> Define Digest to be your authentication method:
> ...
> AuthorizationPolicy authPolicy = new AuthorizationPolicy();
> authPolicy.setAuthorizationType("Digest");
> ...
> The HTTPConduit will then create a DigestAuthSupplier. In...
> --
> DigestAuthSupplier.getAuthorization(...) {
> ...
> HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
> if (authHeader.authTypeIsDigest()) {
> ...
> }
> }
> --
> fullHeader will be (because two headers):
> 'Basic realm="...", Digest realm="...", nonce="0058a704Y936...", stale=FALSE,
> qop="auth"'
> the authHeader will have the "Basic", because it is the first in fullHeader.
> But this does not match of course with authHeader.authTypeIsDigest(), and
> then it will return null.
> The actual wrong thing is, imo, that the fullHeader is concatenated, instead
> of choosing the one auth header that matches the method we have defined.
> Maybe HttpAuthHeader should hold a list of headers instead of concatenating
> them.
> Furthermore, it would be nice when the suppliers were chosen automatically,
> based on what authentication methods the server offers.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
