From: "bitfire (JIRA)"
To: dev@hc.apache.org
Date: Fri, 21 Mar 2014 19:49:46 +0000 (UTC)
Subject: [jira] [Updated] (HTTPCLIENT-1489) Multiple, comma-separated challenges in WWW-Authenticate are not recognized

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

bitfire updated HTTPCLIENT-1489:
--------------------------------
    Description:

As per RFC 2616, WWW-Authenticate may contain more than one challenge:

»User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters.« [https://tools.ietf.org/html/rfc2616#section-14.47]

For instance, https://contacts.icloud.com returns such a WWW-Authenticate header:

> GET / HTTP/1.1
> Host: contacts.icloud.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< ...
< WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"

The X-MobileMe-AuthToken challenge is recognized by HttpClient, but the Basic challenge is not. HttpClient logs when sending a GET request to https://contacts.icloud.com:

[DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
[DEBUG] headers - http-outgoing-0 << Date: Fri, 21 Mar 2014 19:20:14 GMT
[DEBUG] headers - http-outgoing-0 << X-Apple-Request-UUID: d1d0aa7d-d651-4da2-be9f-595f1619db85
[DEBUG] headers - http-outgoing-0 << X-Responding-Instance: carddav:12100701:st13p21ic-quav11230703:8001:14B52:125783
[DEBUG] headers - http-outgoing-0 << WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"
[DEBUG] headers - http-outgoing-0 << Content-Length: 0
[DEBUG] MainClientExec - Connection can be kept alive indefinitely
[DEBUG] HttpAuthenticator - Authentication required
[DEBUG] HttpAuthenticator - contacts.icloud.com:443 requested authentication
[INFO] TargetAuthenticationStrategy - GOT Auth header: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"
[DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
[DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
[DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available

The Basic auth challenge is NOT recognized!

Reason: org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges iterates through the WWW-Authenticate HEADERS but doesn't take into account that a single header may contain multiple challenges.

How to fix: Split and parse the WWW-Authenticate header correctly in org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
> Multiple, comma-separated challenges in WWW-Authenticate are not recognized
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1489
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1489
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.3
>            Reporter: bitfire
>              Labels: authentication, parsing
--
This message was sent by Atlassian JIRA
(v6.2#6252)
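As an added example (not HttpClient's code and not the reporter's), the following Python parser splits one WWW-Authenticate field value into all of its challenges, treating a bare token=value piece as a parameter of the challenge being built and anything else as the start of a new scheme, and then selects a scheme in the preference order the log above shows. The PREFERENCE tuple, the function names and the RFC 7235 grammar it follows are assumptions; the sample input is the header value quoted in the issue.

```python
import re
# RFC 7235 grammar for WWW-Authenticate (successor of RFC 2616 section 14.47):
#   challenge  = scheme [ SP ( token68 / #auth-param ) ]
#   auth-param = token "=" ( token / quoted-string )
# Commas separate both challenges and parameters, so a piece is a parameter only
# when it is exactly token=value; anything else starts a new challenge.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(rf'^({TOKEN})=("(?:[^"\\]|\\.)*"|{TOKEN})$')
TOKEN68_RE = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
PIECE_RE = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,"])+')  # comma-free run, quotes intact

def split_outside_quotes(value):
    # Split on commas that are not inside a quoted-string (so realm="a, b" survives).
    return [p.strip() for p in PIECE_RE.findall(value) if p.strip()]

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_www_authenticate(value):
    """Return every challenge in one field value, not just the first one."""
    challenges = []
    for piece in split_outside_quotes(value):
        m = PARAM_RE.match(piece)
        if m:  # bare k=v: a parameter of the challenge currently being built
            if not challenges:
                raise ValueError("auth-param before any scheme: " + piece)
            challenges[-1]["params"][m.group(1).lower()] = unquote(m.group(2))
            continue
        scheme, rest = (piece.split(None, 1) + [""])[:2]
        ch = {"scheme": scheme, "token68": None, "params": {}}
        if (m := PARAM_RE.match(rest)):
            ch["params"][m.group(1).lower()] = unquote(m.group(2))
        elif TOKEN68_RE.match(rest):
            ch["token68"] = rest
        elif rest:
            raise ValueError("malformed challenge: " + piece)
        challenges.append(ch)
    return challenges

# Assumed preference order (the one HttpClient logs in the issue); not HttpClient's own code.
PREFERENCE = ("negotiate", "kerberos", "ntlm", "digest", "basic")

def select_challenge(header_values, preference=PREFERENCE):
    # Gather challenges from every WWW-Authenticate header, then take the most preferred scheme.
    by_scheme = {}
    for value in header_values:
        for ch in parse_www_authenticate(value):
            by_scheme.setdefault(ch["scheme"].lower(), ch)
    return next((by_scheme[s] for s in preference if s in by_scheme), None)
```

With the iCloud header from the issue, select_challenge yields the Basic challenge that the logged strategy reported as "not available".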