cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Willem Jiang (JIRA)" <>
Subject [jira] Assigned: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
Date Wed, 03 Nov 2010 05:08:27 GMT


Willem Jiang reassigned CXF-3100:

    Assignee: Willem Jiang

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized"
> ---------------------------------------------------------------------------------------------
>                 Key: CXF-3100
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments:
> Hello,
> we are consuming a web service that requires http basic authentication and tries to establish
a cookie-based session with the client. So the response to the first request is always a "401
Unauthorized" response including a "Set-Cookie" header, even if the first request already
contains the basic authentication header with the correct credentials. The request is only
accepted if both the basic authentication header and the cookie header with the cookie from
the "401 Unauthorized" response are set. 
> Calling the web service using SoapUI works fine. You can see in the log the initial request,
the 401 reponse including the "Set-Cookie" header and the retransmitted request with the corresponding
cookie header set, resulting in a successful response. Everything as expected.
> When using CXF, there is an infinite loop (request -> 401 -> retransmit -> 401
and so on) until a protocol exception is thrown (too many retransmits/redirects). The reason
is that the expected cookie header is not set when retransmitting the request, even if the
parameter "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
> Investigating the source code of the org.apache.cxf.transport.http.HTTPConduit class
I found out that when retransmitting in case of 301,302 or 401 reponses the part of the code
evaluating the "Set-Cookie" headers of the response is never reached, which is not correct
in my opinion.
> I did some changes to the org.apache.cxf.transport.http.HTTPConduit class (see attachment)
so that it works now with the specified scenario. Is it possible to fix this overall issue
in a future release? 
> Notes:
> - we are using Apache CXF 2.2.9
> - soap over http (with ssl) and http basic authentication
> - the modified org.apache.cxf.transport.http.HTTPConduit class is also based on the 2.2.9
> - all changes of the org.apache.cxf.transport.http.HTTPConduit class are labeled "//
> Thanks,
> Kevin

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message