cxf-issues mailing list archives

From "Luis Rodriguez Berzosa (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-5292) Digest authentication against intermediate HTTP proxy fails when endpoint server does not use digest authentication as well
Date Fri, 20 Sep 2013 11:16:52 GMT
Luis Rodriguez Berzosa created CXF-5292:
-------------------------------------------

             Summary: Digest authentication against intermediate HTTP proxy fails when endpoint server does not use digest authentication as well
                 Key: CXF-5292
                 URL: https://issues.apache.org/jira/browse/CXF-5292
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.7.6
            Reporter: Luis Rodriguez Berzosa
            Priority: Minor
         Attachments: StackTrace.log

When using no endpoint authentication but digest authentication in an intermediate HTTP proxy,
the HTTPConduit throws an exception (attached).

After some debugging, it seems to be a bug in the following code in the
org.apache.cxf.transport.http.HTTPConduit class:

    /**
     * This call places HTTP Header strings into the headers that are relevant
     * to the Authorization policies that are set on this conduit by
     * configuration.
     * <p> 
     * An AuthorizationPolicy may also be set on the message. If so, those
     * policies are merged. A user name or password set on the messsage 
     * overrides settings in the AuthorizationPolicy is retrieved from the
     * configuration.
     * <p>
     * The precedence is as follows:
     * 1. AuthorizationPolicy that is set on the Message, if exists.
     * 2. Authorization from AuthSupplier, if exists.
     * 3. AuthorizationPolicy set/configured for conduit.
     * 
     * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
     * how does one override the ProxyAuthorizationPolicy which is the same 
     * type?
     * 
     * @param message
     * @param headers
     */
    private void setHeadersByAuthorizationPolicy(
            Message message,
            URL url
    ) {
        Headers headers = new Headers(message);
        AuthorizationPolicy effectiveAuthPolicy = getEffectiveAuthPolicy(message);
        String authString = authSupplier.getAuthorization(effectiveAuthPolicy, url, message, null);
        if (authString != null) {
            headers.setAuthorization(authString);
        }
        
        String proxyAuthString = authSupplier.getAuthorization(proxyAuthorizationPolicy, 
                                                               url, message, null);
        if (proxyAuthString != null) {
            headers.setProxyAuthorization(proxyAuthString);
        }
    }

I think that the correct code should be:

    String proxyAuthString = proxyAuthSupplier.getAuthorization(proxyAuthorizationPolicy, url, message, null);

With basic authentication for HTTP proxy, it works (luckily) as the authSupplier registered
by default is the DefaultBasicAuthSupplier.

If the final endpoint is configured to use Digest authentication, it also works due to the
fact that the proxy and endpoint authentication schemes are "artificially shared".

Anyway, I do not understand what the 
* REVISIT: Since the AuthorizationPolicy is set on the message by class, then
* how does one override the ProxyAuthorizationPolicy which is the same 
* type?
in the method javadoc means...




--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
