HttpComponents HttpClient / HTTPCLIENT-1344

Userinfo Credentials in URI Should Not Default to Preemptive Authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.4
    • Fix Version/s: 4.3 Beta2
    • Component/s: HttpClient
    • Labels:
      None

      Description

      When using a request like new HttpGet("http://user:pass@example.com/"), HttpClient will send along an Authorization: Basic header with the first request (even if the server uses Digest Access).

      The expected behaviour is for HttpClient to send a request with no user credentials at all and wait for the server to send a 401 response. Then, based on the supported auth scheme, send another request with the credentials in a scheme that is supported by the server.
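
      The challenge-first flow the report asks for, as an added example that is not part of the original report or the project's code: the userinfo is split off the URI and handed to a CredentialsProvider, and a local server records which requests carried an Authorization header. Assumptions: HttpClient 4.3 or later on the classpath, the JDK's com.sun.net.httpserver package, a Basic challenge for brevity, and a hypothetical class name with a constructed user:pass value.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class ChallengeFirstAuth {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed local server: records each request's Authorization header
        // and answers 401 with a Basic challenge until one is present.
        List<String> seen = new CopyOnWriteArrayList<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            seen.add(auth == null ? "<none>" : auth);
            if (auth == null) {
                ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
            }
            ex.sendResponseHeaders(auth == null ? 401 : 204, -1);
            ex.close();
        });
        server.start();
        int port = server.getAddress().getPort();
        // Constructed sample URI with userinfo, shaped like the one in the report.
        URI raw = URI.create("http://user:pass@127.0.0.1:" + port + "/");
        String[] userInfo = raw.getUserInfo().split(":", 2);
        // Rebuild the URI without userinfo; credentials come only from the provider.
        URI clean = new URI(raw.getScheme(), null, raw.getHost(), raw.getPort(),
                raw.getPath(), raw.getQuery(), null);
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(clean.getHost(), clean.getPort()),
                new UsernamePasswordCredentials(userInfo[0], userInfo[1]));
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds).build();
             CloseableHttpResponse resp = client.execute(new HttpGet(clean))) {
            System.out.println("status=" + resp.getStatusLine().getStatusCode());
            System.out.println("Authorization header per request: " + seen);
        } finally {
            server.stop(0);
        }
    }
}
```

      The recorded list makes a regression visible: if the first entry is anything other than `<none>`, credentials left the client before the server asked for them.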

        Activity

        James Leigh created issue -
        Oleg Kalnichevski added a comment -

        James,
        Is this behavior described anywhere?

        Oleg

        Oleg Kalnichevski made changes -
        Field: Fix Version/s | Original Value: (empty) | New Value: 4.3 Beta2 [ 12324304 ]
        James Leigh added a comment -

        Humm, well I did find this http://tools.ietf.org/html/rfc1738#section-3.3, which states "No user name or password is allowed". Perhaps the userinfo should just be ignored...? Either way, the current behaviour of sending the password in the clear preemptively should be changed I think.

        Oleg Kalnichevski added a comment -

        Fixed in SVN trunk. Please review / re-test.

        Oleg

        Oleg Kalnichevski made changes -
        Field: Status | Original Value: Open [ 1 ] | New Value: Resolved [ 5 ]
        Field: Resolution | Original Value: (empty) | New Value: Fixed [ 1 ]
        Oleg Kalnichevski made changes -
        Field: Status | Original Value: Resolved [ 5 ] | New Value: Closed [ 6 ]

        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open -> Resolved | 26d 11h 27m | 1 | Oleg Kalnichevski | 16/May/13 15:18
        Resolved -> Closed | 142d 5h 23m | 1 | Oleg Kalnichevski | 05/Oct/13 20:42

          People

          • Assignee:
            Unassigned
            Reporter:
            James Leigh
          • Votes:
            0
            Watchers:
            2
