hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Username/password in URL doesn't work with HttpClientBuilder?
Date Sat, 11 Jul 2015 17:06:59 GMT
On Fri, 2015-07-10 at 16:10 -0700, Derek Lewis wrote:
> Hi folks,
> 
> 
> I've been upgrading our software to a more recent (4.4.1) version of
> httpclient, and I've run in to a bit of a stumper.  It seems like
> embedding the username/password in the URL isn't working with the
> client that's built by HttpClientBuilder.  I've also tested this on
> 4.5, and seen the same outcome.
> 
> 
> On both the version we used before, and the new version, this
> deprecated code works:
> 
> HttpClient httpClient = new DefaultHttpClient();
> HttpGet get = new HttpGet(URL);
> HttpResponse response = httpClient.execute(get);
> 
> 
> With a URL to like "http://user:password@localhost:8123/any-file" that
> requires basic-auth, this returns a 200.  From the debug logs, I can
> see that an "Authorization" header is set on the first request, so
> it's sending it preemptively.
> 
> 
> However, with this new code:
> 
> CloseableHttpClient httpClient = HttpClientBuilder.create().build();
> HttpGet get = new HttpGet(URL);
> HttpResponse response = httpClient.execute(get);
> 
> 
> It doesn't set the "Authorization" header preemptively, and after
> receiving a 401 or 403 response, it also doesn't try again with the
> username and password that's in the URL.
> 
> 
> I've tried setting up an AuthCache:
> 
> HttpHost targetHost = new HttpHost("localhost", -1, "http");
> AuthCache authCache = new BasicAuthCache();
> authCache.put(targetHost, new BasicScheme());
> HttpClientContext context = HttpClientContext.create();
> context.setAuthCache(authCache);
> 
> 
> But I don't have a username/password that I can store in a
> CredentialsProvider, without parsing the URL, since this URL is
> something that's passed to us as a callback, effectively.  Parsing the
> URL doesn't seem like the right approach, since this used to work in
> httpclient.
> 
> 
> I'm unsure at this point if this is a bug, or just something I'm not
> configuring correctly.  I've spent a couple hours googling and reading
> docs, but I haven't found anything that mentions inline credentials.
> 
> 
> I've put together a small demo/PoC of the problem I'm having in the
> form of a JUnit test.  It starts an embedded http server, and hits it
> with httpclient in the three ways I've described, expecting to receive
> a 200 status.  Only the deprecated code passes.  It's only an 11K zip
> for the demo, so I've attached it.  It uses maven, and all the
> dependencies are available from Maven Central, so running "mvn verify"
> should be sufficient.
> 
> 
> Thanks,
> 
> Derek
> 

Derek

Newer versions of HttpClient do not send user creds from the request URI
preemptively, only if challenged. See HTTPCLIENT-1344

https://issues.apache.org/jira/browse/HTTPCLIENT-1344

Oleg




---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message