hc-dev mailing list archives

From "Harald Kirsch (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1129) Redirect and Kerberos authentication in conflict
Date Thu, 06 Oct 2011 15:22:29 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122000#comment-13122000 ]

Harald Kirsch commented on HTTPCLIENT-1129:
-------------------------------------------

Well, I am not the expert on Kerberos and HTTP and all that, but from the ground up, HTTP is
stateless. Consequently the client must, in every request, send authenticating information
of some kind, or it will get a 401.

When the client succeeds with authentication, it gets a redirect.

Then it sends a new GET to the redirect address, but as we see from the logs, it does not
send any authorization information. The header

  Authorization: Negotiate YIIK7gYGK...

is *not* sent, but I would expect this to be the case. Whether the same authentication string
is allowed for the now different URL is beyond my knowledge.

Harald.

> Redirect and Kerberos authentication in conflict
> ------------------------------------------------
>
>                 Key: HTTPCLIENT-1129
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1129
>             Project: HttpComponents HttpClient
>          Issue Type: Wish
>          Components: HttpClient
>    Affects Versions: 4.1.2
>            Reporter: Harald Kirsch
>         Attachments: examples.txt, logFrom401Example.txt, this_also_works.log, this_works.log, wiresharkFrom401.txt
>
>
> We are using the HttpClient to connect to a website that uses Kerberos authentication.
> Beware this trigger word: Kerberos! I think this is *not* the problem, but please read on.
> Here is the sequence of events:
> Client: GET /
> Server: Unauthorized.
> Client: GET / and includes authentication.
> Server: 302 to /something on the same host (this shows that in principle authentication works)
> Client: GET /something, does not include authentication
> Server: Unauthorized
> Client quits with 401-Unauthorized.
> I would have expected one of the following instead:
> 1) Client immediately sends authorization information with the redirected GET /something
> 2) Client re-requests the /something with authorization after 401-Unauthorized.
> We could get around the problem by setting the ConnectionReuseStrategy to a constant false.
> It would be great if someone could tell me if HttpClient works as expected or whether there is a bug or misconfiguration lurking.
> Thanks,
> Harald.
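The sequence of events from the issue above, together with the comment's point that a stateless server judges every request on its own headers, as an added example (not code from the issue, from HttpClient or from its authors): a small Python model in which the client either stops at the first 401 after the redirect, the 4.1.2 behaviour the reporter observed, or re-requests the redirected URL with a new token, the second of the two behaviours he expected. The server, the paths and the `Negotiate TOKENn` values are constructed stand-ins; no Kerberos is involved, and sending a fresh token per request sidesteps the open question of whether an old token is valid for a different URL.

```python
# Toy model of the HTTPCLIENT-1129 exchange (constructed, not HttpClient code).
# The "server" is stateless: a request without Authorization gets 401, an
# authenticated GET / is answered with a 302 to /something, and an
# authenticated GET /something succeeds.

def server(path, authorization):
    """Stateless server: each request is judged only on its own headers."""
    if authorization is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    if path == "/":
        return 302, {"Location": "/something"}
    return 200, {}

def fresh_token(n):
    """Stand-in for a per-request SPNEGO token (constructed, not real Kerberos)."""
    return "Negotiate TOKEN%d" % n

def run_client(reauth_after_redirect, max_requests=6):
    """Drive the request loop; return a transcript of (path, auth sent?, status).

    reauth_after_redirect=False models the behaviour reported for 4.1.2: the
    first 401 on the redirected URL ends the exchange. True models expectation
    2) from the issue: answer that 401 by re-requesting with a new token.
    """
    transcript = []
    path, auth, tokens = "/", None, 0
    retried = False     # has this path already been retried with a token?
    redirected = False  # are we past a 302?
    for _ in range(max_requests):
        status, hdrs = server(path, auth)
        transcript.append((path, auth is not None, status))
        if status == 401:
            if retried or (redirected and not reauth_after_redirect):
                break   # "Client quits with 401-Unauthorized"
            tokens += 1
            auth, retried = fresh_token(tokens), True
        elif status == 302:
            # A redirect is a brand-new request: nothing from the previous
            # exchange, the Authorization header included, is carried over.
            path, auth, retried, redirected = hdrs["Location"], None, False, True
        else:
            break
    return transcript

if __name__ == "__main__":
    for mode in (False, True):
        print("reauth_after_redirect=%s" % mode)
        for path, sent_auth, status in run_client(mode):
            print("  GET %-11s auth=%-5s -> %d" % (path, sent_auth, status))
```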

