we are consuming a web service that requires http basic authentication and tries to establish a cookie-based session with the client. So the response to the first request is always a "401 Unauthorized" response including a "Set-Cookie" header, even if the first request already contains the basic authentication header with the correct credentials. The request is only accepted if both the basic authentication header and the cookie header with the cookie from the "401 Unauthorized" response are set.
Calling the web service using SoapUI works fine. You can see in the log the initial request, the 401 reponse including the "Set-Cookie" header and the retransmitted request with the corresponding cookie header set, resulting in a successful response. Everything as expected.
When using CXF, there is an infinite loop (request -> 401 -> retransmit -> 401 and so on) until a protocol exception is thrown (too many retransmits/redirects). The reason is that the expected cookie header is not set when retransmitting the request, even if the parameter "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
Investigating the source code of the org.apache.cxf.transport.http.HTTPConduit class I found out that when retransmitting in case of 301,302 or 401 reponses the part of the code evaluating the "Set-Cookie" headers of the response is never reached, which is not correct in my opinion.
I did some changes to the org.apache.cxf.transport.http.HTTPConduit class (see attachment) so that it works now with the specified scenario. Is it possible to fix this overall issue in a future release?
- we are using Apache CXF 2.2.9
- soap over http (with ssl) and http basic authentication
- the modified org.apache.cxf.transport.http.HTTPConduit class is also based on the 2.2.9 sources
- all changes of the org.apache.cxf.transport.http.HTTPConduit class are labeled "// KLI:"