From: "Oleg Kalnichevski (JIRA)"
To: dev@hc.apache.org
Date: Mon, 14 Mar 2011 14:56:30 +0000 (UTC)
Subject: [jira] Resolved: (HTTPCLIENT-1071) 400 Bad request is returned (Target Authentication)

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg
Kalnichevski resolved HTTPCLIENT-1071.
-------------------------------------------

    Resolution: Invalid

I suspected that. The authorization request generated by the Innovation.ch HTTPClient violates RFC2617, section 3.2.2.5

---
3.2.2.5 Various considerations

   The "Method" value is the HTTP request method as specified in section 5.1.1 of [2]. The "request-uri" value is the Request-URI from the request line as specified in section 5.1.2 of [2]. This may be "*", an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of [2], but it MUST agree with the Request-URI. In particular, it MUST be an "absoluteURL" if the Request-URI is an "absoluteURL".

   The "cnonce-value" is an optional client-chosen value whose purpose is to foil chosen plaintext attacks.
---

Request uri value in the Digest Authorization '... MUST be an "absoluteURL" if the Request-URI is an "absoluteURL"', which is clearly not the case

---
GET http://renderv3.mappoint.net:80/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers, deflate, gzip, compress
User-Agent: RPT-HTTPClient/0.3-3E
Pragma: no-cache
Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
Proxy-Authorization: Basic bXV0aHUtemNpNTY4OnNhZGZzZjNy
Authorization: Digest realm="MapPoint",username="7518",uri="/render-30/RenderService.asmx",nonce="386b1170cabff277975819992100dd940a6884eb44e9f02fb50736820af2",response="12cfdb83386a255cc7329f2120b11ecc",cnonce="8d15f60bd65131c63cabc91d8702258d",qop="auth",nc="00000001"
---

Apparently the IIS server gets confused by the absolute request URI in the Digest authorization request (even though the uri is perfectly OK) and rejects the request as invalid (though it is not)

---
GET http://renderv3.mappoint.net/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1 (java 1.5)
Authorization: Digest username="7518", realm="MapPoint", nonce="f5674eeba014d98c600358992100d5829a60853da97d70f6f5000d8b8eb9", uri="http://renderv3.mappoint.net/render-30/RenderService.asmx", response="e452c5c1d70bb8b9f5177ac1abc66b31", qop=auth, nc=00000001, cnonce="93e6e5399da67d161b7fec8728ccd496"
Proxy-Authorization: Basic bWFuYXNhLXpjaTEzOTA6c2d1ZDhkaw==
---

I am not very keen on changing HttpClient's behavior as in my opinion it is fully compliant with the requirements of the HTTP specification and the problem clearly lies with Microsoft-IIS/6.0. You basically have two options:

(1) If you are a paying Microsoft customer try approaching Microsoft customer services with this problem
(2) Make a local copy of DigestScheme, tweak its behavior, and use it instead of the one shipped with HttpClient.

Oleg

> 400 Bad request is returned (Target Authentication)
> ---------------------------------------------------
>
>         Key: HTTPCLIENT-1071
>         URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1071
>     Project: HttpComponents HttpClient
>  Issue Type: Bug
>  Components: HttpAuth, HttpClient
> Environment: WindowsXP, Java 1.5
>    Reporter: Manasa K
>      Labels: authentication, digest, proxy
> Attachments: ApacheHTTPClient, Inno_WithProxy, InnovationHTTPClient.txt, logs_withoutProxy.txt, logstosend_withProxy.txt
>
>
> I am trying to connect a URL http://renderv3.mappoint.net/render-30/RenderService.asmx which needs WWW-Authenticate (uses Digest Authentication). Also this should go via a Proxy (uses Basic Authentication). This returns HTTP/1.0 400 Bad Request [Server: Microsoft-IIS/6.0, Date: Tue, 08 Mar 2011 13:38:43 GMT, X-Cache: MISS from proxy-server8-int1, Connection: close]....
> When the request to this URL is sent directly (i.e., not going via Proxy), works perfectly.
> Also when I tried with another HTTPClient from Innovation.ch, this works. So I doubt if there will be any trouble caused due to the proxy server.

--
This message is automatically generated by JIRA.
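The RFC 2617 section 3.2.2.5 rule quoted in the message, written as a check over a raw request. This is an added example, not part of the original message and not HttpClient code. The function names are hypothetical, the two sample requests are abbreviated from the ones quoted above, and "agree" is taken to mean exact string equality, which is an assumption.

```python
import re
from urllib.parse import urlsplit

# Added example; names are hypothetical. Constructed samples: request line and
# Digest header abbreviated from the two requests quoted in the message
# (nonce, response and cnonce omitted).
RPT_REQUEST = (
    "GET http://renderv3.mappoint.net:80/render-30/RenderService.asmx HTTP/1.1\r\n"
    "Host: renderv3.mappoint.net\r\n"
    'Authorization: Digest realm="MapPoint",username="7518",'
    'uri="/render-30/RenderService.asmx",qop="auth",nc="00000001"\r\n\r\n'
)
APACHE_REQUEST = (
    "GET http://renderv3.mappoint.net/render-30/RenderService.asmx HTTP/1.1\r\n"
    "Host: renderv3.mappoint.net\r\n"
    'Authorization: Digest username="7518", realm="MapPoint", '
    'uri="http://renderv3.mappoint.net/render-30/RenderService.asmx", '
    "qop=auth, nc=00000001\r\n\r\n"
)

# name=value pairs; the value is either a quoted-string or a bare token.
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def digest_params(request):
    """Return the Digest parameters of the Authorization header, or None."""
    for line in request.split("\r\n")[1:]:
        if not line:  # blank line: end of the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, rest = value.strip().partition(" ")
            if scheme.lower() == "digest":
                return {k.lower(): q or t for k, q, t in PARAM.findall(rest)}
    return None


def check_digest_uri(request):
    """Compare the Digest uri parameter with the request-line Request-URI."""
    target = request.split("\r\n", 1)[0].split(" ")[1]
    params = digest_params(request)
    if params is None or "uri" not in params:
        return "no-digest-uri"
    uri = params["uri"]
    # "MUST be an absoluteURL if the Request-URI is an absoluteURL"
    if urlsplit(target).scheme and not urlsplit(uri).scheme:
        return "form-mismatch"
    # "MUST agree with the Request-URI" (exact equality assumed here)
    if uri != target:
        return "mismatch"
    return "ok"
```
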