HttpComponents HttpClient / HTTPCLIENT-1345

Userinfo Credentials Ignored In Redirect Location Header

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.4
    • Fix Version/s: 4.3 Beta2
    • Component/s: HttpClient
    • Labels:
      None

      Description

      When HttpClient is configured to follow redirects and receives a 303 response with a Location header that includes userinfo, such as http://user:pass@example.com/, the username and password are ignored.

      The expected behaviour is that if the request to the target location (without credentials) responds with a 401, that HttpClient would use the userinfo credentials in the previous response Location header to authenticate and store the credentials in the execution context. This is the behaviour of most Web agents such as Chrome, Firefox, Safari, libcurl, and others.

      HttpClient should still wait for the 401 response (by default) before sending the credentials as outlined in 1344:
      Userinfo Credentials in URI Should Not Default to Preemptive Authentication
      https://issues.apache.org/jira/browse/HTTPCLIENT-1344
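
The behaviour requested in the description, as an added example that is not HttpClient code and not the committed fix: the userinfo is split off the Location value so the first request to the target carries no credentials, and the Basic header is built only for use in answer to a 401. The class and method names (RedirectUserInfo, Split, split, basicHeader) are hypothetical and only java.net.URI and java.util.Base64 are used.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added illustration; names are hypothetical, not HttpClient API. */
public class RedirectUserInfo {

    /** Target to request, plus credentials held back until a 401 arrives. */
    static final class Split {
        final URI target;       // Location with the userinfo removed
        final String user;      // null when Location carried no userinfo
        final String password;  // null when the userinfo had no ':'
        Split(URI target, String user, String password) {
            this.target = target; this.user = user; this.password = password;
        }
        /** Basic Authorization value, to be sent only in answer to a 401 from target. */
        String basicHeader() {
            if (user == null) return null;
            String pair = user + ":" + (password == null ? "" : password);
            return "Basic " + Base64.getEncoder()
                    .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
        }
    }

    static Split split(String location) throws URISyntaxException {
        URI loc = new URI(location);
        String info = loc.getUserInfo();  // decoded "user:pass", or null
        // Rebuild the URI without userinfo so it never reaches the request line or logs.
        URI target = new URI(loc.getScheme(), null, loc.getHost(), loc.getPort(),
                loc.getPath(), loc.getQuery(), loc.getFragment());
        if (info == null) return new Split(target, null, null);
        int colon = info.indexOf(':');   // the password may itself contain ':'
        return colon < 0 ? new Split(target, info, null)
                : new Split(target, info.substring(0, colon), info.substring(colon + 1));
    }

    public static void main(String[] args) throws URISyntaxException {
        Split s = split("http://user:pass@example.com/");  // URL from the report
        System.out.println("first request : " + s.target);
        System.out.println("after 401 only: " + s.basicHeader());
    }
}
```

Keeping the credentials scoped to the redirect target's host and port, rather than attaching them to later requests in general, is an assumption of this sketch about how a caller would store them.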

        Activity

        James Leigh created issue -
        Oleg Kalnichevski made changes -
        Field Original Value New Value
        Fix Version/s 4.3 Beta2 [ 12324304 ]
        James Leigh added a comment -

        http://tools.ietf.org/html/rfc1738#section-3.3 states "No user name or password is allowed" in the HTTP URL scheme.

        Oleg Kalnichevski added a comment -

        Fixed in SVN trunk. Please review / re-test.

        Oleg

        Oleg Kalnichevski made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Oleg Kalnichevski made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition         | Time In Source Status | Execution Times | Last Executer     | Last Execution Date
        Open -> Resolved   | 26d 11h 19m           | 1               | Oleg Kalnichevski | 16/May/13 15:19
        Resolved -> Closed | 142d 5h 22m           | 1               | Oleg Kalnichevski | 05/Oct/13 20:41

          People

          • Assignee: Unassigned
          • Reporter: James Leigh
          • Votes: 0
          • Watchers: 2
