HttpComponents HttpClient / HTTPCLIENT-1344

Userinfo Credentials in URI Should Not Default to Preemptive Authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.4
    • Fix Version/s: 4.3 Beta2
    • Component/s: HttpClient (classic)
    • Labels:
      None

      Description

      When using a request like new HttpGet("http://user:pass@example.com/"), HttpClient will send along an Authorization: Basic header with the first request (even if the server uses Digest Access).

      The expected behaviour is for HttpClient to send a request with no user credentials at all and wait for the server to send a 401 response, then, based on the supported auth scheme, send another request with the credentials in a scheme that is supported by the server.
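
One way to get the behaviour the report expects from the calling side, as an added example (not code from this issue or from the HttpClient project): strip the userinfo from the URI and hand the credentials to a CredentialsProvider, so they are sent only in answer to a 401 challenge and in a scheme the server offers. It assumes the HttpClient 4.3+ builder API; the class name UserinfoSplitter and its helper methods are hypothetical.

```java
import java.net.URI;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Added example; UserinfoSplitter and its methods are hypothetical names.
public class UserinfoSplitter {

    // Rebuild the URI from its raw components, leaving out the userinfo.
    static URI stripUserInfo(URI uri) {
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) sb.append(':').append(uri.getPort());
        if (uri.getRawPath() != null) sb.append(uri.getRawPath());
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        if (uri.getRawFragment() != null) sb.append('#').append(uri.getRawFragment());
        return URI.create(sb.toString());
    }

    // Register the userinfo credentials for this host and port only.
    static CredentialsProvider credentialsFor(URI uri) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        String userInfo = uri.getUserInfo(); // percent-decoded; null if absent
        if (userInfo != null) {
            int sep = userInfo.indexOf(':'); // the password may itself contain ':'
            String user = sep < 0 ? userInfo : userInfo.substring(0, sep);
            String pass = sep < 0 ? null : userInfo.substring(sep + 1);
            int port = uri.getPort() != -1 ? uri.getPort()
                    : "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
            provider.setCredentials(new AuthScope(uri.getHost(), port),
                    new UsernamePasswordCredentials(user, pass));
        }
        return provider;
    }

    public static void main(String[] args) throws Exception {
        URI original = URI.create("http://user:pass@example.com/"); // URI from the report
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(credentialsFor(original)).build()) {
            HttpGet get = new HttpGet(stripUserInfo(original));
            // client.execute(get) would go out without an Authorization header;
            // the credentials are used only to answer a 401 challenge.
            System.out.println(get.getURI());
        }
    }
}
```

Scoping the credentials to one host and port keeps them from being offered to any other server the client is redirected to.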

        Activity

        Oleg Kalnichevski added a comment -

        James,
        Is this behavior described anywhere?

        Oleg

        James Leigh added a comment -

        Humm, well I did find this http://tools.ietf.org/html/rfc1738#section-3.3, which states "No user name or password is allowed". Perhaps the userinfo should just be ignored...? Either way, the current behaviour of sending the password in the clear preemptively should be changed I think.

        Oleg Kalnichevski added a comment -

        Fixed in SVN trunk. Please review / re-test.

        Oleg


          People

          • Assignee: Unassigned
          • Reporter: James Leigh