hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (HTTPCLIENT-1071) 400 Bad request is returned (Target Authentication)
Date Mon, 14 Mar 2011 14:56:30 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Oleg Kalnichevski resolved HTTPCLIENT-1071.

    Resolution: Invalid

I suspected that. The authorization request generated by the Innovation.ch HTTPClient violates
RFC2617, section

--- Various considerations

   The "Method" value is the HTTP request method as specified in section
   5.1.1 of [2]. The "request-uri" value is the Request-URI from the
   request line as specified in section 5.1.2 of [2]. This may be "*",
   an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of
   [2], but it MUST agree with the Request-URI. In particular, it MUST
   be an "absoluteURL" if the Request-URI is an "absoluteURL". The
   "cnonce-value" is an optional  client-chosen value whose purpose is
   to foil chosen plaintext attacks.


Request uri value in the Digest Authorization '... MUST be an "absoluteURL" if the Request-URI
is an "absoluteURL"', which is clearly not the case

GET http://renderv3.mappoint.net:80/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers, deflate, gzip, compress
User-Agent: RPT-HTTPClient/0.3-3E
Pragma: no-cache
Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
Proxy-Authorization: Basic bXV0aHUtemNpNTY4OnNhZGZzZjNy
Authorization: Digest realm="MapPoint",username="7518",uri="/render-30/RenderService.asmx",nonce="386b1170cabff277975819992100dd940a6884eb44e9f02fb50736820af2",response="12cfdb83386a255cc7329f2120b11ecc",cnonce="8d15f60bd65131c63cabc91d8702258d",qop="auth",nc="00000001"

Apparently the IIS server gets confused by the absolute request URI in the Digest authorization
request (even though the uri is perfectly OK) and rejects the request as invalid (though it
is not)

GET http://renderv3.mappoint.net/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1 (java 1.5)
Authorization: Digest username="7518", realm="MapPoint", nonce="f5674eeba014d98c600358992100d5829a60853da97d70f6f5000d8b8eb9",
uri="http://renderv3.mappoint.net/render-30/RenderService.asmx", response="e452c5c1d70bb8b9f5177ac1abc66b31",
qop=auth, nc=00000001, cnonce="93e6e5399da67d161b7fec8728ccd496"
Proxy-Authorization: Basic bWFuYXNhLXpjaTEzOTA6c2d1ZDhkaw==

I am not very keen on changing HttpClient's behavior as in my opinion it is fully compliant
with the requirements of the HTTP specification and the problem clearly lies with Microsoft-IIS/6.0.

You basically have two options:

(1) If you are a paying Microsoft customer try approaching Microsoft customer services with
this problem
(2) Make a local copy of DigestScheme, tweak its behavior, and use it instead of the one shipped
with HttpClient.


> 400 Bad request is returned (Target Authentication)
> ---------------------------------------------------
>                 Key: HTTPCLIENT-1071
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1071
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>         Environment: WindowsXP, Java 1.5
>            Reporter: Manasa K
>              Labels: authentication, digest, proxy
>         Attachments: ApacheHTTPClient, Inno_WithProxy, InnovationHTTPClient.txt, logs_withoutProxy.txt,
> I am trying to connect a URL http://renderv3.mappoint.net/render-30/RenderService.asmx
which needs WWW-Authenticate(uses Digest Authentication). Also this should go via a Proxy(uses
Basic Authentication). This returns HTTP/1.0 400 Bad Request [Server: Microsoft-IIS/6.0, Date:
Tue, 08 Mar 2011 13:38:43 GMT, X-Cache: MISS from proxy-server8-int1, Connection: close]....
> When the request to this URL is sent directly(i.e., not going via Proxy), works perfectly.
> Also when I tried with another HTTPClient from Innovation.ch, this works. So I doubt
if there will be any trouble caused due to the proxy server.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message