hc-dev mailing list archives

From "Loic (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1451) HttpClient does not store response cookies on a 401
Date Thu, 30 Jun 2016 07:43:10 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15356665#comment-15356665 ]

Loic edited comment on HTTPCLIENT-1451 at 6/30/16 7:42 AM:
-----------------------------------------------------------

This is a real big problem with this excellent http client, even with a server as simple as a
SpringSecurity application with Waffle for Windows SSO, *WinHttpClient* is unable to authenticate
just because *MainClientExec* does not send Cookie with the Authorization header.

If you look at the behavior of Chrome, Firefox, Safari and even IE, they all send Cookie on
subsequent call if Set-Cookie is present on 401 response during challenging authentication.

We need at least an elegant way to trade with this situation. I will take a look at the workaround
above.

Best regards,

Loïc

PS: It's working great with the workaround, thanks  [~miken] !


was (Author: loic oudot):
This is a real big problem with this excellent http client, even with a server as simple as a
SpringSecurity application with Waffle for Windows SSO, *WinHttpClient* is unable to authenticate
just because *MainClientExec* does not send Cookie with the Authorization header.

If you look at the behavior of Chrome, Firefox, Safari and even IE, they all send Cookie on
subsequent call if Set-Cookie is present on 401 response during challenging authentication.

We need at least an elegant way to trade with this situation. I will take a look at the workaround
above.

Best regards,

Loïc

> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1451
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.3.2
>            Reporter: Richard Sand
>            Priority: Minor
>             Fix For: 5.0
>
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC authentication.
> The server responds to the initial request with a 401 response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until after it has
> completed the subsequent request with the Authorize header, but the server rejects the authentication
> if the cookie is missing.
> To work around this I had to disable the authentication capability in the HttpClientContext
> and manually check for the 401 response code, and then send a followup request with a manually
> set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup request with
> credentials in response to a 401, the client should place the cookies from the original response
> into the cookie store immediately, rather than waiting for after the response to the credentials
> (the 2nd response).



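The manual 401 handling outlined in the quoted issue description, as an added example that is not code from this thread or from the HttpClient project (the workaround credited to [~miken] is not shown in this message, so this is not necessarily that code). It assumes the HttpClient 4.3+ API and Java 8; the class name, the command-line arguments and the `EXAMPLE_PASSWORD` environment variable are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.Header;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpStatus;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class CookieOn401Workaround {
    static int fetch(String url, String user, String password) throws Exception {
        if (!url.startsWith("https://")) { // Basic credentials are only base64-encoded
            throw new IllegalArgumentException("refusing to send Basic credentials without TLS");
        }
        BasicCookieStore cookies = new BasicCookieStore();
        // Automatic challenge handling off: the 401 is returned to the caller as the final
        // response, so its Set-Cookie headers are processed into the cookie store.
        RequestConfig manualAuth = RequestConfig.custom().setAuthenticationEnabled(false).build();
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCookieStore(cookies)
                .setDefaultRequestConfig(manualAuth)
                .build()) {
            try (CloseableHttpResponse first = client.execute(new HttpGet(url))) {
                EntityUtils.consume(first.getEntity()); // release the connection
                int status = first.getStatusLine().getStatusCode();
                if (status != HttpStatus.SC_UNAUTHORIZED) return status;
                // Only the first WWW-Authenticate header is inspected in this example.
                Header challenge = first.getFirstHeader(HttpHeaders.WWW_AUTHENTICATE);
                if (challenge == null || !challenge.getValue().regionMatches(true, 0, "Basic", 0, 5)) {
                    throw new IllegalStateException("server did not offer Basic authentication");
                }
            }
            // Log the count only, never the cookie values.
            System.out.println("cookies stored from the 401: " + cookies.getCookies().size());
            HttpGet retry = new HttpGet(url);
            String token = Base64.getEncoder().encodeToString(
                    (user + ":" + password).getBytes(StandardCharsets.UTF_8));
            retry.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + token);
            try (CloseableHttpResponse second = client.execute(retry)) { // same client, same cookie store
                EntityUtils.consume(second.getEntity());
                return second.getStatusLine().getStatusCode();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0] = URL, args[1] = user name; EXAMPLE_PASSWORD is a hypothetical variable name
        System.out.println(fetch(args[0], args[1], System.getenv("EXAMPLE_PASSWORD")));
    }
}
```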

