CXF-5292: Digest authentication against intermediate HTTP proxy fails when endpoint server does not use digest authentication as well


Details

Estimated Complexity: Novice

Description

When using no endpoint authentication but digest authentication on an intermediate HTTP proxy, the HTTPConduit throws an exception (attached).

After some debugging, it seems to be a bug in the following code in the org.apache.cxf.transport.http.HTTPConduit class:

    /**
     * This call places HTTP Header strings into the headers that are relevant
     * to the Authorization policies that are set on this conduit by
     * configuration.
     * <p>
     * An AuthorizationPolicy may also be set on the message. If so, those
     * policies are merged. A user name or password set on the message
     * overrides settings in the AuthorizationPolicy is retrieved from the
     * configuration.
     * <p>
     * The precedence is as follows:
     * 1. AuthorizationPolicy that is set on the Message, if exists.
     * 2. Authorization from AuthSupplier, if exists.
     * 3. AuthorizationPolicy set/configured for conduit.
     * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
     * how does one override the ProxyAuthorizationPolicy which is the same
     * type?
     * @param message
     * @param headers
     */
    private void setHeadersByAuthorizationPolicy(
        Message message,
        URL url
    ) {
        Headers headers = new Headers(message);
        AuthorizationPolicy effectiveAuthPolicy = getEffectiveAuthPolicy(message);
        String authString = authSupplier.getAuthorization(effectiveAuthPolicy, url, message, null);
        if (authString != null) {
            headers.setAuthorization(authString);
        }

        // Note: the proxy header is requested from authSupplier, not proxyAuthSupplier
        String proxyAuthString = authSupplier.getAuthorization(proxyAuthorizationPolicy,
                                                               url, message, null);
        if (proxyAuthString != null) {
            headers.setProxyAuthorization(proxyAuthString);
        }
    }

I think that the correct code should be:

    String proxyAuthString = proxyAuthSupplier.getAuthorization(proxyAuthorizationPolicy, url, message, null);

With basic authentication for the HTTP proxy, it works (luckily) as the authSupplier registered by default is the DefaultBasicAuthSupplier.

If the final endpoint is configured to use Digest authentication, it also works due to the fact that both proxy and endpoint authentication schemes are "artificially shared".

Anyway, I do not understand what the

     * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
     * how does one override the ProxyAuthorizationPolicy which is the same
     * type?

in the method javadoc means...
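The following Java program is an added illustration of the dispatch problem described in this report; it is not CXF's code. AuthPolicy, AuthSupplier, BasicSupplier, DigestSupplier and ConduitModel are constructed stand-ins for CXF's AuthorizationPolicy, HttpAuthSupplier, DefaultBasicAuthSupplier, DigestAuthSupplier and the HTTPConduit header step, and the 407 challenge and credentials are constructed values. It runs the header step twice with a Digest proxy policy and no endpoint policy: once asking the endpoint (Basic) supplier for the proxy header, as the quoted code does, and once asking a separate proxy supplier, as the report proposes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Constructed stand-in for CXF's AuthorizationPolicy: credentials plus scheme name. */
final class AuthPolicy {
    final String userName, password, authorizationType;
    AuthPolicy(String userName, String password, String authorizationType) {
        this.userName = userName; this.password = password; this.authorizationType = authorizationType;
    }
}

/** Constructed stand-in for CXF's HttpAuthSupplier; challenge is the 401/407 header seen so far, or null. */
interface AuthSupplier {
    String getAuthorization(AuthPolicy policy, String method, String uri, String challenge);
}

/** Answers only Basic (or untyped) policies, as the default supplier does. */
final class BasicSupplier implements AuthSupplier {
    public String getAuthorization(AuthPolicy p, String method, String uri, String challenge) {
        if (p == null || p.userName == null) return null;
        if (p.authorizationType != null && !"Basic".equalsIgnoreCase(p.authorizationType)) return null;
        byte[] creds = (p.userName + ":" + p.password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(creds);
    }
}

/** Answers once a Digest challenge has been seen (RFC 2617 response without qop). */
final class DigestSupplier implements AuthSupplier {
    public String getAuthorization(AuthPolicy p, String method, String uri, String challenge) {
        if (p == null || p.userName == null) return null;
        if (challenge == null || !challenge.startsWith("Digest ")) return null; // realm and nonce needed first
        String realm = param(challenge, "realm");
        String nonce = param(challenge, "nonce");
        String ha1 = md5(p.userName + ":" + realm + ":" + p.password);
        String ha2 = md5(method + ":" + uri);
        String response = md5(ha1 + ":" + nonce + ":" + ha2);
        return "Digest username=\"" + p.userName + "\", realm=\"" + realm + "\", nonce=\"" + nonce
            + "\", uri=\"" + uri + "\", response=\"" + response + "\"";
    }

    private static String param(String header, String name) {
        Matcher m = Pattern.compile(name + "=\"([^\"]*)\"").matcher(header);
        return m.find() ? m.group(1) : "";
    }

    private static String md5(String s) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8))) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Constructed model of the conduit's header step; the flag selects the quoted vs. proposed dispatch. */
final class ConduitModel {
    private final AuthSupplier authSupplier;       // endpoint supplier (Basic by default)
    private final AuthSupplier proxyAuthSupplier;  // proxy supplier, unused by the quoted code
    private final AuthPolicy endpointPolicy;
    private final AuthPolicy proxyPolicy;

    ConduitModel(AuthSupplier a, AuthSupplier pa, AuthPolicy endpointPolicy, AuthPolicy proxyPolicy) {
        this.authSupplier = a; this.proxyAuthSupplier = pa;
        this.endpointPolicy = endpointPolicy; this.proxyPolicy = proxyPolicy;
    }

    Map<String, String> headers(String method, String uri, String proxyChallenge, boolean useProxySupplier) {
        Map<String, String> h = new LinkedHashMap<>();
        String auth = authSupplier.getAuthorization(endpointPolicy, method, uri, null);
        if (auth != null) h.put("Authorization", auth);
        // CXF-5292: the quoted code asks authSupplier for the proxy header too, so a Digest
        // proxy policy reaches the Basic supplier and no Proxy-Authorization is produced.
        AuthSupplier s = useProxySupplier ? proxyAuthSupplier : authSupplier;
        String proxyAuth = s.getAuthorization(proxyPolicy, method, uri, proxyChallenge);
        if (proxyAuth != null) h.put("Proxy-Authorization", proxyAuth);
        return h;
    }

    public static void main(String[] args) {
        AuthPolicy proxyPolicy = new AuthPolicy("proxyuser", "proxypass", "Digest");  // constructed
        String challenge = "Digest realm=\"proxy\", nonce=\"abc123\"";                 // constructed 407
        ConduitModel c = new ConduitModel(new BasicSupplier(), new DigestSupplier(), null, proxyPolicy);
        System.out.println("quoted dispatch:   " + c.headers("GET", "/svc", challenge, false));
        System.out.println("proposed dispatch: " + c.headers("GET", "/svc", challenge, true));
    }
}
```

Compile with javac and run ConduitModel. The quoted dispatch prints an empty header map: the Basic supplier refuses the Digest policy, so the proxy's 407 challenge is never answered, which is the situation the report describes. The proposed dispatch prints a Proxy-Authorization Digest header computed from the challenge's realm and nonce.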

Attachments

StackTrace.log (4 kB) - Luis Rodriguez Berzosa

People

Assignee: Unassigned
Reporter: Luis Rodriguez Berzosa (luis.rodriguez)
Votes: 0
Watchers: 1