hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HTTPCLIENT-1338) Caching of digest credentials broken when server expires nonce (regression bug)
Date Mon, 15 Apr 2013 10:28:15 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Oleg Kalnichevski resolved HTTPCLIENT-1338.
-------------------------------------------

       Resolution: Fixed
    Fix Version/s: 4.2.5

Fixed in SVN trunk and 4.2.x branch. Please re-test / review.

Oleg
                
> Caching of digest credentials broken when server expires nonce  (regression bug)
> --------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1338
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.4, 4.3 Beta1
>            Reporter: F Carlsen
>              Labels: digest, performance, regression
>             Fix For: 4.2.5, 4.3 Beta2
>
>         Attachments: 4.1.3.txt, 4.2.3.txt
>
>
> In 4.2.3 caching of digest authentication is broken after server issues new nonce. 
> By default (when using a new local HttpContext for each request) the client will receive
a 401 before every successful 200. To avoid this, the HttpContext must be reused between requests.
This initializes the AuthCache and creates 1 DigestScheme instance, and subsequent requests
will be "pre-authenticated" based on the first returned nonce from the server.  One will then
get one 401 first with server issued nonce, then subsequent requests will make use of this
nonce to authenticate and avoid superfluous 401s.  As the BasicHttpContext is not thread-safe
it must be cached by thread if the client can issue requests on multiple threads.
> So far so good,
> However, when the server issues a new nonce (after it perhaps has expired or maybe been
reverse proxied over to a different server instance) then it doesn't cache the updated nonce,
but we end up trying to reuse the old one as long as we reuse an AuthCache.   So caching the
nonce from the server only works for a short while until the server decideds to change it,
and thereafter it is back to getting a 401 for every request first before it succeeds.
> This happens because when it fails after nonce is expired it creates a new DigestScheme
instance inside the TargetAuthenticationStrategy, but this new instance is only cached for
the ongoing request (until 200 received) and afterwards discarded, while the reused HttpContext
now has an AuthCache which references the old DigestScheme with the original nonce from the
server. On subsequent tries we then end up reusing an  old DigestScheme instance with an out-of-date
nonce, but have no way detecting that the nonce was updated as this takes place wholly inside
AbstractHttpClient, and  it creates a new DigestScheme which isn't set in the reused HttpContext.
> The result is a performance issue, as it then has to issue two http calls for every request
to succeed, even though the credentials provided are cached and available on the client.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message