Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5366

Authorization header is not set correctly in CXF HTTP digest authentication

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.7.4, 2.7.5, 2.7.6, 2.7.7
    • 2.7.8, 2.6.11
    • Core
    • None

    • Windows 7 64 bit, Java 1.6.0_29, CXF 2.7.4, calling MS Dynamics WS.

    Description

      When performing the digest HTTP authentication the generated Authorization header is missing the "algorithm" element. Also if the algorithm is "MD5-sess" it should appear in the Authorization header as is and not as "MD5". To get around the issue it is possible to use a customized DigestAuthSupplier for the affected CXF versions. The result of WS invocation without "algorithm" in the Authorization header is 400-Bad request.
      The issue relates to versions of CXF 2.7.4 and later, earlier versions work fine.

      Sample request:

      POST /XXXXXXX HTTP/1.1
      Content-Type: text/xml; charset=UTF-8
      Accept: /
      SOAPAction: "http://schemas.microsoft.com/dynamics/XXXXXXX"
      User-Agent: Apache CXF 2.7.4
      Cache-Control: no-cache
      Pragma: no-cache
      Host: XXXXX
      Connection: keep-alive
      Content-Length: 542

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>XXXXX</soap:Body></soap:Envelope>
      POST /XXXXX HTTP/1.1
      Content-Type: text/xml; charset=UTF-8
      Accept: /
      Authorization: Digest response="541f8d073f2be81deae8e2f1065725b2", cnonce="46f26ffb6cf32b66873bf6e5e955bae8", username="XXXXX", nc="00000001", nonce="+Upgraded+v126a0f6047dd70851ab2155a14d09d56aacd7cd4a87d1ce01d77d4709393a1585490f57bdd6026b2c339c1f27bc03f4e47400ad20e8208244", realm="Digest", qop="auth", uri="/XXXXXXX"
      SOAPAction: "http://schemas.microsoft.com/dynamics/XXXXXXX"
      User-Agent: Apache CXF 2.7.4
      Cache-Control: no-cache
      Pragma: no-cache
      Host: localhost:8887
      Connection: keep-alive
      Content-Length: 542

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>XXXXXX</soap:Body></soap:Envelope>

      Sample response:

      HTTP/1.1 401 Unauthorized
      Content-Length: 0
      Server: Microsoft-HTTPAPI/2.0
      WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v126a0f6047dd70851ab2155a14d09d56af26b5ad2f0d3ce0169267269a2cfa168709705665fd13f9adf81235595c672ec1623b17e470ccaef",charset=utf-8,realm="Digest"
      Date: Mon, 28 Oct 2013 15:17:31 GMT

      HTTP/1.1 400 Bad Request
      Content-Length: 0
      Server: Microsoft-HTTPAPI/2.0
      Date: Mon, 28 Oct 2013 15:17:31 GMT

      Attachments

        Activity

          People

            dkulp Daniel Kulp
            chakine Evgeny Shakin
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: