hc-httpclient-users mailing list archives

From Derek Lewis <de...@unbounce.com>
Subject Username/password in URL doesn't work with HttpClientBuilder?
Date Fri, 10 Jul 2015 23:10:23 GMT
Hi folks,

I've been upgrading our software to a more recent (4.4.1) version of
httpclient, and I've run into a bit of a stumper.  It seems like embedding
the username/password in the URL isn't working with the client that's built
by HttpClientBuilder.  I've also tested this on 4.5, and seen the same

On both the version we used before, and the new version, this deprecated
code works:

HttpClient httpClient = new DefaultHttpClient();
HttpGet get = new HttpGet(URL);
HttpResponse response = httpClient.execute(get);

With a URL like "http://user:password@localhost:8123/any-file" that
requires basic-auth, this returns a 200.  From the debug logs, I can see
that an "Authorization" header is set on the first request, so it's sending
it preemptively.

However, with this new code:

CloseableHttpClient httpClient = HttpClientBuilder.create().build();
HttpGet get = new HttpGet(URL);
HttpResponse response = httpClient.execute(get);

It doesn't set the "Authorization" header preemptively, and after receiving
a 401 or 403 response, it also doesn't try again with the username and
password that's in the URL.

I've tried setting up an AuthCache:

HttpHost targetHost = new HttpHost("localhost", -1, "http");
AuthCache authCache = new BasicAuthCache();
authCache.put(targetHost, new BasicScheme());
HttpClientContext context = HttpClientContext.create();

But I don't have a username/password that I can store in a
CredentialsProvider, without parsing the URL, since this URL is something
that's passed to us as a callback, effectively.  Parsing the URL doesn't
seem like the right approach, since this used to work in httpclient.

I'm unsure at this point if this is a bug, or just something I'm not
configuring correctly.  I've spent a couple hours googling and reading
docs, but I haven't found anything that mentions inline credentials.

I've put together a small demo/PoC of the problem I'm having in the form of
a JUnit test.  It starts an embedded http server, and hits it with
httpclient in the three ways I've described, expecting to receive a 200
status.  Only the deprecated code passes.  It's only an 11K zip for the
demo, so I've attached it.  It uses maven, and all the dependencies are
available from Maven Central, so running "mvn verify" should be sufficient.
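
One way to do the URL parsing mentioned above, as an added example that is not part of the original message and not the HttpClient project's own code: it moves the inline credentials into a host-scoped CredentialsProvider, primes an AuthCache for preemptive Basic auth, and sends the request with the userinfo stripped. The class name and the sample URL are assumptions, and the HttpClient 4.4+ classes are assumed to be on the classpath.

```java
import java.net.URI;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

public class InlineCredentialsExample { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed sample URL with the same shape as the one in the message.
        URI callback = URI.create("http://user:password@localhost:8123/any-file");
        HttpHost target = new HttpHost(callback.getHost(), callback.getPort(), callback.getScheme());
        HttpClientContext context = HttpClientContext.create();

        String userInfo = callback.getUserInfo(); // percent-decoded; null when the URL has none
        if (userInfo != null) {
            int sep = userInfo.indexOf(':'); // split on the first ':' so passwords may contain ':'
            String user = sep < 0 ? userInfo : userInfo.substring(0, sep);
            String pass = sep < 0 ? "" : userInfo.substring(sep + 1);

            // Scope the credentials to this one host so they are not offered to
            // any other host the request might be redirected to.
            CredentialsProvider creds = new BasicCredentialsProvider();
            creds.setCredentials(new AuthScope(target), new UsernamePasswordCredentials(user, pass));

            // A cached BasicScheme makes the client send Authorization on the first request.
            AuthCache cache = new BasicAuthCache();
            cache.put(target, new BasicScheme());
            context.setCredentialsProvider(creds);
            context.setAuthCache(cache);
        }

        // Rebuild the URI without userinfo so the password does not travel in the request URI.
        URI clean = new URI(callback.getScheme(), null, callback.getHost(), callback.getPort(),
                callback.getPath(), callback.getQuery(), null);

        try (CloseableHttpClient client = HttpClientBuilder.create().build();
             CloseableHttpResponse response = client.execute(new HttpGet(clean), context)) {
            System.out.println(response.getStatusLine());
        }
    }
}
```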

