hc-dev mailing list archives

From "James Leigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1345) Useinfo Credentials Ignored In Redirect Location Header
Date Tue, 23 Apr 2013 13:47:16 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639060#comment-13639060 ]

James Leigh commented on HTTPCLIENT-1345:

http://tools.ietf.org/html/rfc1738#section-3.3 states "No user name or password is allowed" in the HTTP URL scheme.

> Useinfo Credentials Ignored In Redirect Location Header
> -------------------------------------------------------
>                 Key: HTTPCLIENT-1345
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1345
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.4
>            Reporter: James Leigh
>             Fix For: 4.3 Beta2
> When HttpClient is configured to follow redirects and receives a 303 response with a Location header that includes userinfo, such as http://user:pass@example.com/ the username and password are ignored.
> The expected behaviour is that if the request to the target location (without credentials) responds with a 401, that HttpClient would use the userinfo credentials in the previous response Location header to authenticate and store the credentials in the execution context. This is the behaviour of most Web agents such as Chrome, Firefox, Safari, libcurl, and others.
> HttpClient should still wait for the 401 response (by default) before sending the credentials as outlined in 1344:
> Userinfo Credentials in URI Should Not Default to Preemptive Authentication
> https://issues.apache.org/jira/browse/HTTPCLIENT-1344

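The flow the report describes (take the userinfo out of the Location value, send the request without it, and release the credentials only when that target answers 401), as an added example that is not HttpClient code and not part of the original message. The class, record and method names are hypothetical; it assumes Java 17+ and uses only `java.net.URI` and `URLDecoder`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
// Added illustration; all names here are hypothetical, not HttpClient API. Java 17+.
public class RedirectUserInfo {

    // Credentials taken from a Location header, held back until a 401 arrives.
    record Deferred(URI target, String host, int port, String user, char[] password) {
        // Release only for a 401 from the same host and port the Location named.
        boolean appliesTo(int status, String respHost, int respPort) {
            return status == 401 && user != null
                    && host.equalsIgnoreCase(respHost) && port == respPort;
        }
    }

    static Deferred split(String location) throws URISyntaxException {
        URI u = new URI(location);
        String scheme = u.getScheme();
        boolean https = "https".equalsIgnoreCase(scheme);
        if (u.getHost() == null || !(https || "http".equalsIgnoreCase(scheme)))
            throw new URISyntaxException(location, "not an absolute http(s) URI");
        int port = u.getPort() != -1 ? u.getPort() : (https ? 443 : 80);
        // Rebuild from the raw components minus userinfo, so the credentials never
        // reach the request line, a log entry or a Referer header.
        String rawUser = u.getRawUserInfo();
        String auth = u.getRawAuthority();
        String hostPort = rawUser == null ? auth : auth.substring(rawUser.length() + 1);
        String path = u.getRawPath() == null ? "" : u.getRawPath();
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        URI clean = new URI(scheme + "://" + hostPort + path + query);
        if (rawUser == null) return new Deferred(clean, u.getHost(), port, null, null);
        // Split on the first ':' before decoding, so an encoded %3A stays in the name.
        int i = rawUser.indexOf(':');
        String user = decode(i < 0 ? rawUser : rawUser.substring(0, i));
        char[] pass = i < 0 ? new char[0] : decode(rawUser.substring(i + 1)).toCharArray();
        return new Deferred(clean, u.getHost(), port, user, pass);
    }

    static String decode(String raw) { // percent-decode; a literal '+' must stay '+'
        return URLDecoder.decode(raw.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws URISyntaxException {
        Deferred d = split("http://user:pass@example.com/"); // Location value from the report
        System.out.println(d.target());                            // URI to request, no userinfo
        System.out.println(d.appliesTo(200, "example.com", 80));   // no challenge: keep holding
        System.out.println(d.appliesTo(401, "example.com", 80));   // challenged by the target
        System.out.println(d.appliesTo(401, "other.example", 80)); // different host
    }
}
```

Because the Location value is chosen by the redirecting server, the origin check in `appliesTo` is what keeps these credentials from being offered to any host other than the one that header named.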