hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HTTPCLIENT-1637) HttpClient does not handle cookies during authentication
Date Sat, 28 Mar 2015 09:55:52 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Oleg Kalnichevski resolved HTTPCLIENT-1637.
    Resolution: Duplicate

> HttpClient does not handle cookies during authentication
> --------------------------------------------------------
>                 Key: HTTPCLIENT-1637
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1637
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.6
>            Reporter: Carsten Kaiser
> When upgrading from HTTPClient version 4.2.x to 4.3.6 we recognized that cookies are no longer handled during e.g. DIGEST authentication. This causes the authentication to fail in our cluster environment where a cookie is returned by the load balancer in front used to ensure that all requests which are part of the DIGEST handshake will be routed to the same cluster instance (which is crucial for the handshake to succeed!).
> From the top of my head I remember having seen a comment somewhere which stated that cookies are assumed to be issued by a server after authentication succeeded.
> From our point of view this assumption is not valid as mentioned before.
> As a workaround we registered a custom target authentication strategy implementation as follows:
> {code}
>         @Override
>         public boolean isAuthenticationRequested(HttpHost authhost, HttpResponse response, HttpContext context) {
>             final boolean isAuthenticationRequired = super.isAuthenticationRequested(authhost, response, context);
>             if (isAuthenticationRequired) {
>                 // In case authentication is required store any cookies already set by the server in order to cope with
>                 // situations where the load balancer adds a cookie for the DIGEST authentication since the new HTTP
>                 // Client library does not foresee this situation by default
>                 try {
>                     new ResponseProcessCookies().process(response, context);
>                     final HttpRequest request = (HttpRequest) context.getAttribute(HttpCoreContext.HTTP_REQUEST);
>                     if (request != null) {
>                         new RequestAddCookies().process(request, context);
>                     }
>                 } catch (final Exception e) {
>                     LOG.error("Custom handling of load balancer session cookies during authentication failed: "
>                             + e.getMessage(), e);
>                 }
>             }
>             return isAuthenticationRequired;
>         }
> {code}
> which is more a kind of hack...
> Please check whether it is possible to add support for cookies during authentication again so that we do not have to apply the workaround again for each new version.
> Thank you!
> Kind regards,

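The failure described in the quoted report, modelled as an added example (not code from the issue or from HttpClient): a round-robin load balancer with a sticky cookie sits in front of two nodes that each accept only nonces they issued themselves, and the client either replays or drops the cookie set on the 401 challenge. The `Node`, `LoadBalancer` and `handshake` names, the credentials and the simplified RFC 2617 digest without qop are all assumptions constructed for this sketch.

```python
import hashlib
import itertools
import secrets

REALM, USER, PASSWORD = "example", "alice", "s3cret"  # constructed sample values

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Node:
    """Cluster instance that only accepts nonces it issued itself."""
    def __init__(self, name):
        self.name, self.nonces = name, set()

    def handle(self, auth):
        if (auth and auth["nonce"] in self.nonces
                and auth["response"] == digest_response(auth["nonce"], "GET", "/")):
            return 200, None
        nonce = secrets.token_hex(8)   # fresh challenge, known to this node only
        self.nonces.add(nonce)
        return 401, nonce

class LoadBalancer:
    """Round-robin unless the request carries the sticky cookie set earlier."""
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.round_robin = itertools.cycle(nodes)

    def handle(self, cookie, auth):
        node = self.nodes.get(cookie) or next(self.round_robin)
        status, nonce = node.handle(auth)
        return status, nonce, node.name  # node name stands in for Set-Cookie

def handshake(lb, keep_cookies_on_401):
    _, nonce, cookie = lb.handle(None, None)   # first request gets the 401 challenge
    if not keep_cookies_on_401:
        cookie = None                          # reported behaviour: cookie from the 401 is dropped
    auth = {"nonce": nonce, "response": digest_response(nonce, "GET", "/")}
    status, _, _ = lb.handle(cookie, auth)     # retry with the Authorization data
    return status
```

Without the cookie the retry reaches the other node, which has never seen the nonce and answers with a new 401, so a correct password still fails to authenticate.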