hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joseph Walton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1489) Multiple, comma-separated challenges in WWW-Authenticate are not recognized
Date Tue, 16 Sep 2014 12:34:34 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14135368#comment-14135368
] 

Joseph Walton commented on HTTPCLIENT-1489:
-------------------------------------------

The current spec, [RFC 7235|https://tools.ietf.org/html/rfc7235], goes out of its way to [disallow
syntax extensions|https://tools.ietf.org/html/rfc7235#section-5.1.2]:

{quote}
The parsing of challenges and credentials is defined by this
      specification and cannot be modified by new authentication
      schemes.
{quote}

It also goes out of its way to at least acknowledge schemes that [include a base64-encoded
string|https://tools.ietf.org/html/rfc7235#section-2.1] in the challenge ("so that it can
hold a base64, base64url (URL and filename safe alphabet), base32, or base16 (hex) encoding,
with or without padding").

Only allowing compliant schemes to have multiple challenges seems like a good solution.


> Multiple, comma-separated challenges in WWW-Authenticate are not recognized
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1489
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1489
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.3
>            Reporter: bitfire
>              Labels: authentication, parsing
>             Fix For: 5.0
>
>
> As per RFC 2616, WWW-Authenticate may contain more than one challenge:
> »User agents are advised to take special care in parsing the WWW- Authenticate field
value as it might contain more than one challenge, or if more than one WWW-Authenticate header
field is provided, the contents of a challenge itself can contain a comma-separated list of
authentication parameters.« [https://tools.ietf.org/html/rfc2616#section-14.47]
> For instance, https://contacts.icloud.com returns such a WWW-Authenticate header:
> > GET / HTTP/1.1
> > Host: contacts.icloud.com
> > Accept: */*
> > 
> < HTTP/1.1 401 Unauthorized
> < ...
> < WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"
> The X-MobileMe-AuthToken challenge is recognized by HttpClient, but the Basic challenge
is not. HttpClient logs when sending a GET request to https://contacts.icloud.com:
> [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
> [DEBUG] headers - http-outgoing-0 << Date: Fri, 21 Mar 2014 19:20:14 GMT
> [DEBUG] headers - http-outgoing-0 << X-Apple-Request-UUID: d1d0aa7d-d651-4da2-be9f-595f1619db85
> [DEBUG] headers - http-outgoing-0 << X-Responding-Instance: carddav:12100701:st13p21ic-quav11230703:8001:14B52:125783
> [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle",
Basic realm="Newcastle"
> [DEBUG] headers - http-outgoing-0 << Content-Length: 0
> [DEBUG] MainClientExec - Connection can be kept alive indefinitely
> [DEBUG] HttpAuthenticator - Authentication required
> [DEBUG] HttpAuthenticator - contacts.icloud.com:443 requested authentication
> [INFO] TargetAuthenticationStrategy - GOT Auth header: X-MobileMe-AuthToken realm="Newcastle",
Basic realm="Newcastle"
> [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference:
[negotiate, Kerberos, NTLM, Digest, Basic]
> [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme
not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not
available
> [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not
available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not
available
> The Basic auth challenge is NOT recognized!
> Reason: org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges iterates
through the WWW-Authenticate HEADERS but doesn't take account that a single header may contain
multiple challenges.
> How to fix:
> Split and parse the WWW-Authenticate header correctly in org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message