hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "F Carlsen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1338) Caching of digest credentials broken when server expires nonce (regression bug)
Date Wed, 10 Apr 2013 09:16:16 GMT
F Carlsen created HTTPCLIENT-1338:

             Summary: Caching of digest credentials broken when server expires nonce  (regression
                 Key: HTTPCLIENT-1338
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.2.3
            Reporter: F Carlsen

In 4.2.3 caching of digest authentication is broken after server issues new nonce. 

By default (when using a new local HttpContext for each request) the client will receive a
401 before every successful 200. To avoid this, the HttpContext must be reused between requests.
This initializes the AuthCache and creates 1 DigestScheme instance, and subsequent requests
will be "pre-authenticated" based on the first returned nonce from the server.  One will then
get one 401 first with server issued nonce, then subsequent requests will make use of this
nonce to authenticate and avoid superfluous 401s.  As the BasicHttpContext is not thread-safe
it must be cached by thread if the client can issue requests on multiple threads.

So far so good,

However, when the server issues a new nonce (after it perhaps has expired or maybe been reverse
proxied over to a different server instance) then it doesn't cache the updated nonce, but
we end up trying to reuse the old one as long as we reuse an AuthCache.   So caching the nonce
from the server only works for a short while until the server decideds to change it, and thereafter
it is back to getting a 401 for every request first before it succeeds.

This happens because when it fails after nonce is expired it creates a new DigestScheme instance
inside the TargetAuthenticationStrategy, but this new instance is only cached for the ongoing
request (until 200 received) and afterwards discarded, while the reused HttpContext now has
an AuthCache which references the old DigestScheme with the original nonce from the server.
On subsequent tries we then end up reusing an  old DigestScheme instance with an out-of-date
nonce, but have no way detecting that the nonce was updated as this takes place wholly inside
AbstractHttpClient, and  it creates a new DigestScheme which isn't set in the reused HttpContext.

The result is a performance issue, as it then has to issue two http calls for every request
to succeed, even though the credentials provided are cached and available on the client.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message