HttpComponents HttpClient
HTTPCLIENT-1272

HttpClient does not retry failed PROXY authentication when multiple challenges are present

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 4.2.2
    • Fix Version/s: None
    • Component/s: HttpClient
    • Labels:
      None

      Description

      Similar to HTTPCLIENT-1107, but for Proxy authentication. It appears that subsequent authentication schemes are not attempted if an earlier scheme fails.

      In our case, a proxy supports Negotiate, NTLM and BASIC authentication. When NTLM authentication fails due to the wrong credentials being supplied, BASIC authentication is never attempted against the proxy.

      I am a Gradle core developer, and we use HttpClient internally for dependency resolution. This issue was reported by one of our users.

        Activity

        Daz DeBoer added a comment -

        Here are the HttpClient sections of the Gradle debug logs. Full log available here: https://gist.github.com/4175447.

        08:32:13.762 [DEBUG] [org.gradle.api.internal.externalresource.transport.http.JavaSystemPropertiesHttpProxySettings] Found java system property 'http.nonProxyHosts': localhost. Will ignore proxy settings for these hosts.
        08:32:13.794 [DEBUG] [org.gradle.api.internal.externalresource.transport.http.HttpClientConfigurer] Using Credentials [username: MY_USER_ID] and NTLM Credentials [user: MY_USER_ID, domain: MY_DOMAIN, workstation: MY_WORK_STATION] for authenticating against 'MYPROXY:8080'
        08:32:14.122 [DEBUG] [org.gradle.api.internal.externalresource.transport.http.HttpClientHelper] Performing HTTP GET: http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml
        08:32:14.278 [DEBUG] [org.apache.http.impl.conn.PoolingClientConnectionManager] Connection request: [route: {}->http://MYPROXY:8080->http://repo1.maven.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
        08:32:14.278 [DEBUG] [org.apache.http.impl.conn.PoolingClientConnectionManager] Connection leased: [id: 0][route: {}->http://MYPROXY:8080->http://repo1.maven.org][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
        08:32:14.294 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to MYPROXY:8080
        08:32:14.309 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
        08:32:14.309 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
        08:32:14.309 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
        08:32:14.309 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: UNCHALLENGED
        08:32:14.309 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Attempt 1 to execute request
        08:32:14.309 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.309 [DEBUG] [org.apache.http.headers] >> GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.309 [DEBUG] [org.apache.http.headers] >> Accept-Encoding: gzip,deflate
        08:32:14.309 [DEBUG] [org.apache.http.headers] >> Host: repo1.maven.org
        08:32:14.309 [DEBUG] [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
        08:32:14.309 [DEBUG] [org.apache.http.headers] >> User-Agent: Gradle/1.2 (Windows XP;5.1;x86) (Sun Microsystems Inc.;1.6.0_21;17.0-b17)
        08:32:14.325 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1 407 Proxy Authentication Required
        08:32:14.325 [DEBUG] [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: NEGOTIATE
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: NTLM
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: BASIC realm="QA"
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Cache-Control: no-cache
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Pragma: no-cache
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Content-Type: text/html; charset=utf-8
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Proxy-Connection: close
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Set-Cookie: BCSI-CS-d39782e8f7077930=2; Path=/
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Connection: close
        08:32:14.325 [DEBUG] [org.apache.http.headers] << Content-Length: 849
        08:32:14.325 [DEBUG] [org.apache.http.client.protocol.ResponseProcessCookies] Cookie accepted: "[version: 0][name: BCSI-CS-d39782e8f7077930][value: 2][domain: repo1.maven.org][path: /][expiry: null]".
        08:32:14.325 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] MYPROXY:8080 requested authentication
        08:32:14.325 [DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
        08:32:14.340 [DEBUG] [org.apache.http.impl.auth.SPNegoScheme] Received challenge '' from the auth server
        08:32:14.340 [DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Kerberos authentication scheme not available
        08:32:14.340 [DEBUG] [org.apache.http.impl.client.ProxyAuthenticationStrategy] Challenge for Digest authentication scheme not available
        08:32:14.340 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Selected authentication options: [NEGOTIATE, NTLM, BASIC]
        08:32:14.340 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:1832<->172.27.254.2:8080 closed
        08:32:14.340 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to MYPROXY:8080
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] Cookie [version: 0][name: BCSI-CS-d39782e8f7077930][value: 2][domain: repo1.maven.org][path: /][expiry: null] match [repo1.maven.org:80/maven2/junit/junit/maven-metadata.xml]
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: CHALLENGED
        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Generating response to an authentication challenge using Negotiate scheme
        08:32:14.340 [DEBUG] [org.apache.http.impl.auth.SPNegoScheme] init MYPROXY:8080
        08:32:14.372 [WARN] [org.apache.http.client.protocol.RequestProxyAuthentication] NEGOTIATE authentication error: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
        08:32:14.372 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Generating response to an authentication challenge using ntlm scheme
        08:32:14.387 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Attempt 2 to execute request
        08:32:14.387 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Accept-Encoding: gzip,deflate
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Host: repo1.maven.org
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> User-Agent: Gradle/1.2 (Windows XP;5.1;x86) (Sun Microsystems Inc.;1.6.0_21;17.0-b17)
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Cookie: BCSI-CS-d39782e8f7077930=2
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Cookie2: $Version=1
        08:32:14.387 [DEBUG] [org.apache.http.headers] >> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAATIAAAIAAgAgAAAABwAHACIAAABRUlFSMjMyODI=
        08:32:14.387 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1 407 Proxy Authentication Required
        08:32:14.387 [DEBUG] [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABAAEADgAAAAFAoEC16VC0SMlKxsAAAAAAAAAAKAAoAA8AAAABgGxHQAAAA9RAFIAAgAEAFEAUgABABQARABPAEgAUQBEAFQATQBHADAAMQAEABwAcQByAC4AcQByAGcAcgBwAC4AbABvAGMAYQBsAAMAMgBEAE8ASABRAEQAVABNAEcAMAAxAC4AcQByAC4AcQByAGcAcgBwAC4AbABvAGMAYQBsAAUAFgBxAHIAZwByAHAALgBsAG8AYwBhAGwABwAIAMGLnOfNv80BAAAAAA==
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Cache-Control: no-cache
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Pragma: no-cache
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Content-Type: text/html; charset=utf-8
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Proxy-Connection: Keep-Alive
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Set-Cookie: BCSI-CS-d39782e8f7077930=2; Path=/
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Connection: Keep-Alive
        08:32:14.387 [DEBUG] [org.apache.http.headers] << Content-Length: 866
        08:32:14.387 [DEBUG] [org.apache.http.client.protocol.ResponseProcessCookies] Cookie accepted: "[version: 0][name: BCSI-CS-d39782e8f7077930][value: 2][domain: repo1.maven.org][path: /][expiry: null]".
        08:32:14.387 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] MYPROXY:8080 requested authentication
        08:32:14.387 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authorization challenge processed
        08:32:14.387 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:1833<->172.27.254.2:8080 closed
        08:32:14.387 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to MYPROXY:8080
        08:32:14.403 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
        08:32:14.403 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] Cookie [version: 0][name: BCSI-CS-d39782e8f7077930][value: 2][domain: repo1.maven.org][path: /][expiry: null] match [repo1.maven.org:80/maven2/junit/junit/maven-metadata.xml]
        08:32:14.403 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
        08:32:14.403 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
        08:32:14.403 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: HANDSHAKE
        08:32:14.403 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Attempt 3 to execute request
        08:32:14.403 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Sending request: GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> GET http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml HTTP/1.1
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Accept-Encoding: gzip,deflate
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Host: repo1.maven.org
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> User-Agent: Gradle/1.2 (Windows XP;5.1;x86) (Sun Microsystems Inc.;1.6.0_21;17.0-b17)
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Cookie: BCSI-CS-d39782e8f7077930=2
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Cookie2: $Version=1
        08:32:14.403 [DEBUG] [org.apache.http.headers] >> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADQANAAWAAAAAQABAAoAQAACgAKACwBAAAOAA4ANgEAAAAAAAAAAAAAAQIAAM5QLijY08Qbumz0PyLlOdfGyeC+BfHbPr2n4xNF1goQMCcfnq2VjfEBAQAAAAAAADBB7+fNv80BfHRLn6Kg+EYAAAAAAgAEAFEAUgABABQARABPAEgAUQBEAFQATQBHADAAMQAEABwAcQByAC4AcQByAGcAcgBwAC4AbABvAGMAYQBsAAMAMgBEAE8ASABRAEQAVABNAEcAMAAxAC4AcQByAC4AcQByAGcAcgBwAC4AbABvAGMAYQBsAAUAFgBxAHIAZwByAHAALgBsAG8AYwBhAGwABwAIAMGLnOfNv80BAAAAAAAAAABRAFIAVAA0ADAANwA0AFEAUgAyADMAMgA4ADIA
        08:32:14.419 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1 407 Proxy Authentication Required
        08:32:14.419 [DEBUG] [org.apache.http.headers] << HTTP/1.1 407 Proxy Authentication Required
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: NTLM
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Cache-Control: no-cache
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Pragma: no-cache
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Content-Type: text/html; charset=utf-8
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Proxy-Connection: close
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Set-Cookie: BCSI-CS-d39782e8f7077930=2; Path=/
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Connection: close
        08:32:14.419 [DEBUG] [org.apache.http.headers] << Content-Length: 862
        08:32:14.419 [DEBUG] [org.apache.http.client.protocol.ResponseProcessCookies] Cookie accepted: "[version: 0][name: BCSI-CS-d39782e8f7077930][value: 2][domain: repo1.maven.org][path: /][expiry: null]".
        08:32:14.419 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] MYPROXY:8080 requested authentication
        08:32:14.419 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authorization challenge processed
        08:32:14.419 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authentication failed
        08:32:14.419 [DEBUG] [org.apache.http.impl.conn.PoolingClientConnectionManager] Connection [id: 0][route: {}->http://MYPROXY:8080->http://repo1.maven.org] can be kept alive for 9223372036854775807 MILLISECONDS
        08:32:14.419 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:1834<->172.27.254.2:8080 closed
        08:32:14.419 [DEBUG] [org.apache.http.impl.conn.PoolingClientConnectionManager] Connection released: [id: 0][route: {}->http://MYPROXY:8080->http://repo1.maven.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
        08:32:14.419 [INFO] [org.gradle.api.internal.externalresource.transport.http.HttpClientHelper] Failed to get resource: GET. [HTTP HTTP/1.1 407 Proxy Authentication Required: http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml]

        Oleg Kalnichevski added a comment -

        Hi Daz
        I am not entirely sure HttpClient's behaviour is that wrong. Out of 3 challenges provided by the server it picks up 'Negotiate' first. Failing to generate a response using 'Negotiate' it moves onto the next preferred scheme NTLM. (So, evidently, HTTPCLIENT-1107 fix works as intended). It succeeds in generating a response to the challenge using NTLM, which is then rejected by the server due to invalid credentials. I am not quite sure HttpClient should re-attempt authentication using a weaker scheme at this point.

        08:32:14.340 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Generating response to an authentication challenge using Negotiate scheme
        08:32:14.340 [DEBUG] [org.apache.http.impl.auth.SPNegoScheme] init MYPROXY:8080
        08:32:14.372 [WARN] [org.apache.http.client.protocol.RequestProxyAuthentication] NEGOTIATE authentication error: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
        08:32:14.372 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Generating response to an authentication challenge using ntlm scheme

        Oleg

        Daz DeBoer added a comment -

        Ok understood. I didn't realise that HTTPCLIENT-1107 was about the case where HttpClient could not attempt the first authentication, rather than attempting the first authentication and having it fail.

        We don't presently require explicit proxy configuration for NTLM authentication, nor do we provide a mechanism to define which authentication scheme should be used. We attempt to deduce the values for Domain and Workstation for NTLM authentication. This means that a user may provide their Basic Auth credentials and we'll try to use them for NTLM authentication where the server requests it.

        I'm comfortable if you want to mark this as will-not-fix, and we'll need to consider ways to empower the user to choose the appropriate scheme. Proxy authentication is a source of much frustration for our new users who are working behind corporate firewalls. Ideally, we'd have a solution that 'just works', and NTLM authentication is often an example of something that just doesn't.

        Oleg Kalnichevski added a comment -

        Daz
        Actually, when user credentials are not applicable for NTLM authentication (for instance, when represented by UsernamePasswordCredentials instead of NTCredentials) the NTLM auth scheme should fail and HttpClient should pick the next available scheme (BASIC in your case). So, instead of giving HttpClient incomplete NTCredentials with bogus domain and workstation attributes, try giving it UsernamePasswordCredentials and see what happens.

        I am going to close this issue as WONTFIX. While it would be permissible to retry authentication with BASIC scheme in the context of a corporate proxy on a secure corporate network, it would be pretty irresponsible to automatically send user credentials in clear text to an arbitrary host after having a more secure scheme failed due to credentials being invalid. I hope you agree.

        Oleg
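
Added example, not code from HttpClient or Gradle: one way to let the user choose the proxy authentication scheme explicitly, as raised in the comments above, so that cleartext BASIC is sent only when it was selected. It assumes HttpClient 4.2.x on the classpath; the class `ProxyAuthConfig`, the `ProxyScheme` enum, the `build` method and the sample host and credentials are hypothetical.

```java
import java.util.Collections;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.NTCredentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.auth.params.AuthPNames;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.impl.client.DefaultHttpClient;

/** Hypothetical helper: the proxy scheme is an explicit setting, never inferred. */
public class ProxyAuthConfig {

    /** Schemes the operator may select for the proxy. */
    public enum ProxyScheme { NTLM, BASIC }

    public static DefaultHttpClient build(String proxyHost, int proxyPort,
                                          ProxyScheme scheme,
                                          String user, String password,
                                          String workstation, String domain) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getParams().setParameter(
                ConnRoutePNames.DEFAULT_PROXY, new HttpHost(proxyHost, proxyPort));

        Credentials credentials;
        String preferredScheme;
        switch (scheme) {
        case NTLM:
            // Refuse to guess: incomplete NTCredentials are what produced the
            // rejected NTLM handshake in the log above.
            if (workstation == null || domain == null) {
                throw new IllegalArgumentException(
                        "NTLM selected but workstation/domain not supplied");
            }
            credentials = new NTCredentials(user, password, workstation, domain);
            preferredScheme = AuthPolicy.NTLM;
            break;
        case BASIC:
            // Cleartext credentials: only reached when the operator chose BASIC.
            credentials = new UsernamePasswordCredentials(user, password);
            preferredScheme = AuthPolicy.BASIC;
            break;
        default:
            throw new IllegalArgumentException("Unsupported scheme: " + scheme);
        }

        // The preference list replaces the default
        // [negotiate, Kerberos, NTLM, Digest, Basic] order seen in the log.
        // Challenges for schemes that are not listed are not answered.
        client.getParams().setParameter(
                AuthPNames.PROXY_AUTH_PREF,
                Collections.singletonList(preferredScheme));

        // Credentials are scoped to the proxy host and port only.
        client.getCredentialsProvider().setCredentials(
                new AuthScope(proxyHost, proxyPort), credentials);
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample values; no request is sent here.
        DefaultHttpClient client = build(
                "proxy.example.test", 8080, ProxyScheme.BASIC,
                "MY_USER_ID", "example-password", null, null);
        System.out.println("Proxy scheme preference: "
                + client.getParams().getParameter(AuthPNames.PROXY_AUTH_PREF));
        client.getConnectionManager().shutdown();
    }
}
```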


          People

          • Assignee:
            Unassigned
            Reporter:
            Daz DeBoer