  1. HttpComponents HttpClient
  2. HTTPCLIENT-1344

Userinfo Credentials in URI Should Not Default to Preemptive Authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.4
    • Fix Version/s: 4.3 Beta2
    • Component/s: HttpClient (classic)
    • Labels:
      None

      Description

      When using a request like new HttpGet("http://user:pass@example.com/"), HttpClient will send along an Authorization: Basic header with the first request (even if the server uses Digest Access).

      The expected behaviour is for HttpClient to send a request with no user credentials at all and wait for the server to send a 401 response. Then, based on the supported auth scheme, send another request with the credentials in a scheme that is supported by the server.

        Activity

        olegk Oleg Kalnichevski added a comment -

        James,
        Is this behavior described anywhere?

        Oleg

        jamesrdf James Leigh added a comment -

        Humm, well I did find this http://tools.ietf.org/html/rfc1738#section-3.3, which states "No user name or password is allowed". Perhaps the userinfo should just be ignored...? Either way, the current behaviour of sending the password in the clear preemptively should be changed I think.

        olegk Oleg Kalnichevski added a comment -

        Fixed in SVN trunk. Please review / re-test.

        Oleg
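
A caller-side way to get the challenge-response behaviour the description asks for, without relying on how the client treats userinfo. This is an added example, not code from the issue or from the HttpClient fix; it assumes the HttpClient 4.3 API on the classpath, and the class and method names are hypothetical.

```java
import java.net.URI;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class UserinfoToChallengeAuth {  // hypothetical class name

    /** Returns the URI with any userinfo component removed. */
    static URI stripUserInfo(URI uri) throws Exception {
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    /** Moves userinfo (if any) into a provider scoped to that host and port only. */
    static CredentialsProvider credentialsFor(URI uri) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        String userInfo = uri.getUserInfo();
        if (userInfo != null && uri.getHost() != null) {
            int colon = userInfo.indexOf(':');
            String user = colon < 0 ? userInfo : userInfo.substring(0, colon);
            String pass = colon < 0 ? "" : userInfo.substring(colon + 1);
            // URI.getPort() is -1 when absent, which AuthScope treats as "any port".
            provider.setCredentials(new AuthScope(uri.getHost(), uri.getPort()),
                    new UsernamePasswordCredentials(user, pass));
        }
        return provider;
    }

    public static void main(String[] args) throws Exception {
        // URL form taken from the issue description; pass another as the first argument.
        URI original = URI.create(args.length > 0 ? args[0] : "http://user:pass@example.com/");
        URI clean = stripUserInfo(original);
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(credentialsFor(original))
                .build();
             CloseableHttpResponse response = client.execute(new HttpGet(clean))) {
            // The first request goes out without an Authorization header; the
            // credentials are used only to answer the server's 401 challenge.
            System.out.println(clean + " -> " + response.getStatusLine());
        }
    }
}
```

The multi-argument java.net.URI constructor re-encodes the decoded path and query, so URLs that depend on percent-encoded reserved characters should be checked after stripping.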


          People

          • Assignee:
            Unassigned
            Reporter:
            jamesrdf James Leigh