
Multiple, comma-separated challenges in WWW-Authenticate are not recognized

      Description

      As per RFC 2616, WWW-Authenticate may contain more than one challenge:
      »User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters.« https://tools.ietf.org/html/rfc2616#section-14.47

      For instance, https://contacts.icloud.com returns such a WWW-Authenticate header:

      > GET / HTTP/1.1
      > Host: contacts.icloud.com
      > Accept: /
      >
      < HTTP/1.1 401 Unauthorized
      < ...
      < WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"

      The X-MobileMe-AuthToken challenge is recognized by HttpClient, but the Basic challenge is not. HttpClient logs the following when sending a GET request to https://contacts.icloud.com:

      [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
      [DEBUG] headers - http-outgoing-0 << Date: Fri, 21 Mar 2014 19:20:14 GMT
      [DEBUG] headers - http-outgoing-0 << X-Apple-Request-UUID: d1d0aa7d-d651-4da2-be9f-595f1619db85
      [DEBUG] headers - http-outgoing-0 << X-Responding-Instance: carddav:12100701:st13p21ic-quav11230703:8001:14B52:125783
      [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"
      [DEBUG] headers - http-outgoing-0 << Content-Length: 0
      [DEBUG] MainClientExec - Connection can be kept alive indefinitely
      [DEBUG] HttpAuthenticator - Authentication required
      [DEBUG] HttpAuthenticator - contacts.icloud.com:443 requested authentication
      [INFO] TargetAuthenticationStrategy - GOT Auth header: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"
      [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
      [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication scheme not available
      [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
      [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
      [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
      [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available

      The Basic auth challenge is NOT recognized!

      Reason: org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges iterates through the WWW-Authenticate HEADERS but doesn't take into account that a single header may contain multiple challenges.

      How to fix:
      Split and parse the WWW-Authenticate header correctly in org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
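An added example (not HttpClient's own code) of how the split described above can be done so that every challenge in one header value is recognised: the value is broken on commas that lie outside quoted strings, then each item either starts a new challenge (`Scheme` or `Scheme param=value`) or attaches a `param=value` to the current one. The class and method names are mine; it assumes Java 16+ for the record.

```java
import java.util.*;

public final class WwwAuthenticateParser {
    // One parsed challenge: the scheme name plus its auth-params in header order.
    public record Challenge(String scheme, Map<String, String> params) {}
    public static List<Challenge> parse(String headerValue) {
        List<Challenge> challenges = new ArrayList<>();
        Challenge current = null;
        for (String item : splitOnUnquotedCommas(headerValue)) {
            if (item.isEmpty()) continue;
            int eq = item.indexOf('='), sp = item.indexOf(' ');
            if (eq < 0 || (sp >= 0 && sp < eq)) {
                // "Scheme" or "Scheme param=value": a new challenge starts here
                current = new Challenge(sp < 0 ? item : item.substring(0, sp), new LinkedHashMap<>());
                challenges.add(current);
                if (sp >= 0) addParam(current, item.substring(sp).trim());
            } else if (current != null) {
                addParam(current, item); // "param=value" continues the current challenge
            }
        }
        return challenges;
    }
    // Commas inside quoted-strings (e.g. realm="a, b") must not split the value.
    private static List<String> splitOnUnquotedCommas(String s) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (quoted && c == '\\' && i + 1 < s.length()) { cur.append(c).append(s.charAt(++i)); continue; }
            if (c == '"') quoted = !quoted;
            if (c == ',' && !quoted) { parts.add(cur.toString().trim()); cur.setLength(0); }
            else cur.append(c);
        }
        parts.add(cur.toString().trim());
        return parts;
    }
    // "name=value": split on the first '=', unquote a quoted-string value (token68 blobs not covered).
    private static void addParam(Challenge c, String kv) {
        int eq = kv.indexOf('=');
        String name = eq < 0 ? kv : kv.substring(0, eq).trim();
        String value = eq < 0 ? "" : kv.substring(eq + 1).trim();
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\""))
            value = value.substring(1, value.length() - 1).replace("\\\"", "\"");
        c.params().put(name, value);
    }
    public static void main(String[] args) { // the header value quoted in the report above
        parse("X-MobileMe-AuthToken realm=\"Newcastle\", Basic realm=\"Newcastle\"").forEach(System.out::println);
    }
}
```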

      Reporter: bitfire bitfire