cxf-issues mailing list archives

From "Christof Harnischmacher (JIRA)" <>
Subject [jira] Updated: (CXF-2100) Digest auth is broken
Date Tue, 10 Mar 2009 14:00:51 GMT


Christof Harnischmacher updated CXF-2100:

    Affects Version/s: 2.1.4

> Digest auth is broken
> ---------------------
>                 Key: CXF-2100
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>         Attachments: digest-auth.patch
> When trying to connect to virtualearth webservice using cxf I found some issues
> in the cxf-rt-transports-http artifact regarding digest authentication
> 1) "authSupplier" configuration option is missing in
> org.apache.cxf.transport.http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements,
> so it's not possible to configure a DigestAuthSupplier via cxf.xml.
> 2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
> returns the username and vice versa.
> 3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
> always sent to the server even if it was NULL, which results in 'opaque="null"'.
> RFC 2069 says:
> opaque
>   A string of data, specified by the server, which should be
>   returned by the client unchanged.  It is recommended that this
>   string be base64 or hexadecimal data.  This field is a
>   "quoted-string" as specified in section 2.2 of the HTTP/1.1
>   specification [2].
> So I think the correct handling is to skip the opaque field, when no opaque-field
> was sent by the server.
> 4) After a while the nonce may become stale, so a new digest has to be created.
> To achieve that, every request against a digest authenticated server needs to be
> cached and chunking has to be disabled to replay the request with recalculated
> digest.
> 5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
> an authSupplier is present and an authString was generated, the method should return
> even when the authString is NULL, instead of creating a basic auth authorization
> header.
> I included patches, which allow me to connect against virtualearth token service.
> The wsdl can be found here:,
> but you have to be authenticated to get it.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
