From "Alessandro Gherardi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1855) Digest auth: Nonce counter not incremented after reuse
Date Mon, 12 Jun 2017 20:10:00 GMT
Alessandro Gherardi created HTTPCLIENT-1855:
-----------------------------------------------

             Summary: Digest auth: Nonce counter not incremented after reuse
                 Key: HTTPCLIENT-1855
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 4.5.2
            Reporter: Alessandro Gherardi


I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and BasicAuthCache,
and a web server that requires HTTP digest authentication.

The client sends 3 requests to the web server. 

When the app sends the first request, the server returns an HTTP 401 with a digest challenge.
httpclient automatically retries the request with the Authorization header. The header contains
the nonce returned by the server and a nonce counter (nc) of 1. The retry succeeds and httpclient
caches the DigestScheme.

For the second request, httpclient uses the cached DigestScheme to calculate the Authorization
header pre-emptively. The header contains the same nonce and specifies a nonce counter of
2. The request succeeds without requiring a retry.

For the third request, httpclient uses the cached DigestScheme to calculate the Authorization
header pre-emptively. Even though the header contains the same nonce, the nonce counter is
set to 2 again. This causes the server to return a 401. httpclient should have incremented
the nonce counter to 3.

I believe that the root cause of this problem is that, although DigestScheme increases the
nonceCount field every time the authenticate() method is called, HttpAuthenticator does not
re-cache DigestScheme after reusing it. The re-cache is needed because BasicAuthCache stores
DigestScheme in serialized format.
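As an added illustration (not code from this report or from HttpClient itself), the following Python model reproduces the behaviour described: a digest scheme whose counter is bumped in place, a cache that hands back a deserialized copy on every lookup, and the server-side check that rejects a repeated nc for the same nonce. The host name, the class and function names, and the fixed cnonce are constructed for the example.

```python
import hashlib
import pickle

HOST = "example.test"  # constructed placeholder, not a real host

def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

class DigestScheme:
    """Minimal model of a cached digest scheme: the server nonce plus a per-nonce counter."""
    def __init__(self, realm: str, nonce: str):
        self.realm, self.nonce, self.nonce_count = realm, nonce, 0

    def authenticate(self, user: str, password: str, method: str, uri: str) -> dict:
        """Build the Authorization fields; cnonce is fixed here, a real client randomises it."""
        self.nonce_count += 1              # mutated in place, as the report describes
        nc = f"{self.nonce_count:08x}"
        ha1 = _h(f"{user}:{self.realm}:{password}")
        ha2 = _h(f"{method}:{uri}")
        response = _h(f"{ha1}:{self.nonce}:{nc}:deadbeef:auth:{ha2}")
        return {"nonce": self.nonce, "nc": nc, "response": response}

class SerializingAuthCache:
    """Models a cache that stores a serialized copy: get() returns a fresh object each time."""
    def __init__(self):
        self._store = {}
    def put(self, host, scheme):
        self._store[host] = pickle.dumps(scheme)
    def get(self, host):
        return pickle.loads(self._store[host])

def client_nonce_counts(requests: int, recache_after_reuse: bool) -> list:
    """Return the nc sent on each request. The first request models the
    401-then-retry path, which caches the scheme after authenticating."""
    cache = SerializingAuthCache()
    scheme = DigestScheme("realm", "nonce-1")
    ncs = [int(scheme.authenticate("user", "pw", "GET", "/")["nc"], 16)]
    cache.put(HOST, scheme)
    for _ in range(requests - 1):           # pre-emptive requests reuse the cached scheme
        scheme = cache.get(HOST)            # a deserialized copy, counter as last stored
        ncs.append(int(scheme.authenticate("user", "pw", "GET", "/")["nc"], 16))
        if recache_after_reuse:             # the re-cache the report says is missing
            cache.put(HOST, scheme)
    return ncs

def server_accepts(seen: dict, nonce: str, nc: str) -> bool:
    """Server-side replay check: nc must strictly increase for a given nonce."""
    count = int(nc, 16)
    if count <= seen.get(nonce, 0):
        return False
    seen[nonce] = count
    return True
```

Without the re-cache the third request repeats nc=2 and the server check rejects it; with the re-cache the counter reaches 3.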



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
