hc-dev mailing list archives

From "Richard Sand (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1451) HttpClient does not store response cookies on a 401
Date Fri, 24 Jan 2014 18:05:39 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13881218#comment-13881218 ]

Richard Sand commented on HTTPCLIENT-1451:

Hi Oleg- the web service is a commercial product, CA SiteMinder. It issues
the cookie with the 401 just as a (very) rudimentary mechanism to prevent
unsolicited authentication requests. The cookie doesn't actually convey any
data, it's just a state mechanism. I still believe the client should be able
to handle it but I can see it both ways. Anyway thanks for replying, feel
free to mark the case as (distant) future or wont-fix.

Best regards,

Richard Sand | CEO
IDF Connect, Inc.
2207 Concord Ave, #359
Wilmington | Delaware 19803 | USA
Office: +1 888 765 1611 | Fax: +1 866 765 7284
Mobile: +1 267 984 3651

> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>                 Key: HTTPCLIENT-1451
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.3.2
>            Reporter: Richard Sand
>            Priority: Minor
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC authentication.
> The server responds to the initial request with a 401 response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until after it has
> completed the subsequent request with the Authorize header, but the server rejects the authentication
> if the cookie is missing.
> To work around this I had to disable the authentication capability in the HttpClientContext
> and manually check for the 401 response code, and then send a followup request with a manually
> set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup request with
> credentials in response to a 401, the client should place the cookies from the original response
> into the cookie store immediately, rather than waiting for after the response to the credentials
> (the 2nd response).
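
The workaround described in the issue above, sketched against the HttpClient 4.3 API as an added example; it is not code from the original message or from the HttpClient project. The class name, endpoint URL and credentials are hypothetical placeholders.

```java
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpStatus;
import org.apache.http.client.CookieStore;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class ManualBasicAuthAfter401 {
    // Hypothetical endpoint and credentials (assumptions, not from the issue).
    static final String URL = "https://service.example.com/ws";
    static final String USER = "user";
    static final String PASS = "secret";

    public static void main(String[] args) throws Exception {
        // One context for both requests, so both share the same cookie store.
        CookieStore cookies = new BasicCookieStore();
        HttpClientContext ctx = HttpClientContext.create();
        ctx.setCookieStore(cookies);
        // Disable automatic challenge handling: the 401 is returned to the
        // caller and its Set-Cookie headers are stored before any retry.
        ctx.setRequestConfig(RequestConfig.custom().setAuthenticationEnabled(false).build());

        try (CloseableHttpClient client = HttpClients.createDefault()) {
            int status;
            try (CloseableHttpResponse first = client.execute(new HttpGet(URL), ctx)) {
                status = first.getStatusLine().getStatusCode();
                EntityUtils.consume(first.getEntity()); // release the connection
            }
            if (status != HttpStatus.SC_UNAUTHORIZED) {
                System.out.println("No challenge received, status " + status);
                return;
            }
            System.out.println("Cookies stored from the 401: " + cookies.getCookies());

            // Follow-up request: cookies come from the store, credentials are set by hand.
            HttpGet retry = new HttpGet(URL);
            String token = Base64.encodeBase64String((USER + ":" + PASS).getBytes(StandardCharsets.UTF_8));
            retry.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + token);
            try (CloseableHttpResponse second = client.execute(retry, ctx)) {
                System.out.println("Authenticated request status: " + second.getStatusLine());
                EntityUtils.consume(second.getEntity());
            }
        }
    }
}
```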
