Subject: Re: Android Basic Authentication - the failure case
From: Oleg Kalnichevski
To: HttpClient User Discussion
Date: Wed, 30 Jul 2014 15:27:13 +0200

On Wed, 2014-07-30 at 09:08 -0400, Sander A. Smith wrote:
> Thanks Oleg, I've opened a bug.
>
> I think I disagree with you about the possible cause. I understand that
> Android is using a built-in Base64 encoder instead of CC, but the encoding
> of the authentication data is happening correctly. What isn't happening
> correctly is the sequence of CR/LF that surrounds it.
>

You are very welcome to disagree, but I am almost certain the culprit is
this bit in BasicSchemeHC4 that pads base64-coded creds with LF.

---
final byte[] base64password = Base64.encode(
        EncodingUtils.getBytes(tmp.toString(), charset),
        Base64.DEFAULT);
---

Oleg

[1]
http://svn.apache.org/repos/asf/httpcomponents/httpclient-android/branches/4.3.3-android/src/main/java/org/apache/http/impl/auth/BasicSchemeHC4.java

> On Wed, Jul 30, 2014 at 5:01 AM, Oleg Kalnichevski wrote:
>
> > On Tue, 2014-07-29 at 23:12 -0400, Sander A. Smith wrote:
> > > I'm writing an Android app and am using the HttpClient library for
> > > Android for all of the communication to the outside world. I've also
> > > taken the guts of the app and written a Java main so that I can run
> > > from the command line using the regular library.
> > >
> > > Everything runs beautifully except for one thing: I need to do Basic
> > > Authentication, and the two platforms, Android and CLI, react
> > > differently in the failure case. If Basic Authentication succeeds
> > > (e.g. the correct password is used) things run fine. However, in the
> > > case where an incorrect password is used I get a 401 on CLI (correct),
> > > but with the Android library I'm getting an exception thrown.
> > >
> > > I've debugged enough to watch what goes over the wire.
> > >
> > > When I run CLI I see this:
> > >
> > > http-outgoing-4 >> "GET / HTTP/1.1[\r][\n]"
> > > http-outgoing-4 >> "User-Agent: xxx"
> > > http-outgoing-4 >> "Host: 192.168.1.1[\r][\n]"
> > > http-outgoing-4 >> "Connection: Keep-Alive[\r][\n]"
> > > http-outgoing-4 >> "Accept-Encoding: gzip,deflate[\r][\n]"
> > > http-outgoing-4 >> "Authorization: Basic YWRtaW46YWRtaW4=[\r][\n]"
> > > http-outgoing-4 >> "[\r][\n]"
> > > http-outgoing-4 << "HTTP/1.0 401 Unauthorized[\r][\n]"
> > >
> > > Running on Android shows this:
> > >
> > > http-outgoing-4 >> "GET / HTTP/1.1[\r][\n]"
> > > http-outgoing-4 >> "User-Agent: xxx"
> > > http-outgoing-4 >> "Host: 192.168.1.1[\r][\n]"
> > > http-outgoing-4 >> "Connection: Keep-Alive[\r][\n]"
> > > http-outgoing-4 >> "Accept-Encoding: gzip,deflate[\r][\n]"
> > > http-outgoing-4 >> "Authorization: Basic YWRtaW46YWRtaW4=[\n]"
> > > http-outgoing-4 >> "[\r][\n]"
> > > http-outgoing-4 >> "[\r][\n]"
> > > http-outgoing-4 << "end of stream"
> > > http-outgoing-4: Close connection
> > >
> > >
> > > It appears that on Android the sequence of carriage returns and line
> > > feeds is not being sent properly, and the server is getting confused.
> > >
> >
> > This looks like an Android-specific bug (HttpClient port for Android
> > makes use of Base64 encoding provided by the platform instead of Commons
> > Codec used by the stock version). Please raise a JIRA for this defect.
> >
> > Oleg
> >
> > > It's also worth noting that when the correct password is being sent,
> > > the identical information is sent over the wire, but in both cases,
> > > an HTTP 200 is returned.
> > >
> > > So what's going on here? Why is behavior different on 2 different
> > > platforms? Is there a bug in the Android library?
> > >
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
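
The failure mode discussed in this thread, as an added example that is not part of the original messages or of HttpClient: Python's `base64.encodebytes` stands in for an encoder that ends its output with LF (the behaviour Oleg attributes to `Base64.DEFAULT`), and the function names and the guard are assumptions. It goes one step beyond the thread by also covering long credentials, where a wrapping encoder places LF inside the value.

```python
import base64

# Constructed sample: encodes to the YWRtaW46YWRtaW4= value seen in the logs.
CREDS = b"admin:admin"

def basic_value(creds: bytes, wrap: bool) -> str:
    """Build the Authorization value. wrap=True uses a line-wrapping encoder
    whose output ends with LF; wrap=False emits a single unterminated line."""
    enc = base64.encodebytes(creds) if wrap else base64.b64encode(creds)
    return "Basic " + enc.decode("ascii")

def request_head(auth_value: str) -> bytes:
    """Serialize a minimal request head, ending every header with CRLF."""
    lines = ["GET / HTTP/1.1", "Host: 192.168.1.1",
             "Authorization: " + auth_value]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def wire_view(data: bytes) -> str:
    """Render control characters the way the wire log in the thread does."""
    text = data.decode("ascii")
    return text.replace("\r", "[\\r]").replace("\n", "[\\n]")

def bare_lf_offsets(head: bytes) -> list:
    """Offsets of LF bytes that are not part of a CRLF pair."""
    return [i for i, b in enumerate(head)
            if b == 0x0A and (i == 0 or head[i - 1] != 0x0D)]

def safe_header_value(value: str) -> str:
    """Guard to run before a value reaches the wire: refuse CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("header value contains CR or LF")
    return value

if __name__ == "__main__":
    for wrap in (False, True):
        head = request_head(basic_value(CREDS, wrap))
        print("wrap=%s bare LF at %s" % (wrap, bare_lf_offsets(head)))
        print(wire_view(head))
    try:
        safe_header_value(basic_value(CREDS, wrap=True))
    except ValueError as exc:
        print("rejected:", exc)
```

With `android.util.Base64`, the `NO_WRAP` flag omits all line terminators, which corresponds to `wrap=False` here.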