cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christof Harnischmacher (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CXF-2100) Digest auth is broken
Date Tue, 10 Mar 2009 14:00:50 GMT

     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Christof Harnischmacher updated CXF-2100:
-----------------------------------------

    Attachment: digest-auth.patch

Added patches.

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>         Attachments: digest-auth.patch
>
>
> When trying to connect to virtualearth webservice using cxf I found some issues
> in the cxf-rt-transports-http artifact regarding digest authentication
> 1) "authSupplier" configuration option is missing in org.apache.cxf.transport
> .http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements, so it's not
> possible to configure a DigestAuthSupplier via cxf.xml.
> 2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
> returns the username and vice versa.
> 3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
> always send to server even it was NULL, which results in 'opaque="null"'.
> RFC 2069 says:
> opaque
>   A string of data, specified by the server, which should be
>   returned by the client unchanged.  It is recommended that this
>   string be base64 or hexadecimal data.  This field is a
>   "quoted-string" as specified in section 2.2 of the HTTP/1.1
>   specification [2].
> So I think the correct handling is to skip the opaque field, when no opaque-field
> was sent by the server.
> 4) After a while the nonce may become stale, so a new digest has to be created.
> To achieve that, every request against an digest authenticated server needs to be
> cached and chunking has to be disabled to replay the request whith recalculated
> digest.
> 5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
> an authSupplier is present and a authString was generated, the method should return
> even when the authString is NULL, instead of creating a basic auth authorization
> header.
> I included patches, which allow me to connect against virtualearth token service.
> The wsdl can be found here: https://staging.common.virtualearth.net/find-30/common.asmx?WSDL,
> but you have to be authenticated to get it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message