HttpComponents HttpClient - HTTPCLIENT-1534

HTTP Digest Authentication does not use cookies sent on challenge


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 4.3.3
    • Fix Version/s: None
    • Component/s: HttpClient (classic)
    • Labels:
      None

      Description

      HTTP Client does not process cookies received from the server on the HTTP 401 challenge that initiates a Digest Auth procedure.

      The server could be sending a cookie related to load balancing, which is crucial to ensure that the second HTTP request, the one carrying the challenge response (Authorization), reaches the same application/origin server that issued the challenge. Otherwise, the authentication may easily fail.

      Imagine a scenario with a load balancer in front of 4 application servers with shared-nothing, i.e. no common state.

      Request #1 - Challenge request:

      Client sends a normal HTTP request. Load balancer routes it to node 1 and the client receives an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.

      Request #2 - Final request:

      The client then computes the Authorization header and sends the request again.

      However, because it does not include the Cookie, the load balancer routes it to node 3, which does not recognise the challenge response in the Authorization header and rejects it again with an HTTP 401.

      Result: The client never passes authentication.
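The exchange above, simulated end to end as an added example (this is not HttpClient code and not part of the issue): a four-node shared-nothing cluster behind a load balancer that pins clients to a node via the LBCOOKIE value named in the report, and a minimal Digest client with a switch for whether it keeps the cookie received on the 401 challenge. The realm, user, password and the cookie format `LBCOOKIE=<id>.<node name>` are constructed assumptions; the Digest computation is the RFC 2617 MD5/qop=auth formula.

```python
import hashlib
import hmac
import re
import secrets

# Constructed fixture (not from the issue): one realm, one user.
REALM = "example"
USERS = {"alice": "s3cret"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k=v' into a dict (quotes optional)."""
    _, _, params = header.partition(" ")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


def digest_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 response value for qop=auth, algorithm MD5."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Node:
    """Shared-nothing origin server: it only accepts nonces it issued itself."""

    def __init__(self, name):
        self.name = name
        self.nonces = set()

    def handle(self, req):
        auth = req["headers"].get("Authorization")
        if auth and self._verify(req["method"], auth):
            return 200, {}, f"hello from {self.name}"
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        challenge = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
        return 401, {"WWW-Authenticate": challenge}, ""

    def _verify(self, method, header):
        p = parse_digest(header)
        if p.get("nonce") not in self.nonces:  # issued by another node: reject
            return False
        password = USERS.get(p.get("username", ""))
        if password is None:
            return False
        expected = digest_response(p["username"], password, method, p.get("uri", ""),
                                   p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
        return hmac.compare_digest(expected, p.get("response", ""))


class LoadBalancer:
    """Routes by LBCOOKIE affinity when present, otherwise round-robin, and
    stamps every 401 challenge with Set-Cookie: LBCOOKIE=<id>.<node name>."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.order = [n.name for n in nodes]
        self.next = 0

    def route(self, req):
        m = re.search(r"LBCOOKIE=[^;.]+\.(\w+)", req["headers"].get("Cookie", ""))
        target = self.nodes.get(m.group(1)) if m else None
        if target is None:  # no affinity cookie: plain round-robin
            target = self.nodes[self.order[self.next % len(self.order)]]
            self.next += 1
        status, hdrs, body = target.handle(req)
        if status == 401:
            hdrs = {**hdrs, "Set-Cookie": f"LBCOOKIE={secrets.token_hex(4)}.{target.name}"}
        return status, hdrs, body


class DigestClient:
    """Minimal client; keep_challenge_cookies toggles the behaviour the issue reports."""

    def __init__(self, lb, user, password, keep_challenge_cookies):
        self.lb, self.user, self.password = lb, user, password
        self.keep_challenge_cookies = keep_challenge_cookies
        self.cookies = {}

    def _send(self, method, uri, headers):
        h = dict(headers)
        if self.cookies:
            h["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return self.lb.route({"method": method, "uri": uri, "headers": h})

    def get(self, uri):
        status, hdrs, body = self._send("GET", uri, {})  # request #1: challenge
        if status != 401:
            return status, body
        if self.keep_challenge_cookies and "Set-Cookie" in hdrs:
            name, _, value = hdrs["Set-Cookie"].partition("=")
            self.cookies[name] = value
        chal = parse_digest(hdrs["WWW-Authenticate"])
        nc, cnonce = "00000001", secrets.token_hex(4)
        resp = digest_response(self.user, self.password, "GET", uri, chal["nonce"], nc, cnonce)
        auth = (f'Digest username="{self.user}", realm="{chal["realm"]}", nonce="{chal["nonce"]}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
        status, _, body = self._send("GET", uri, {"Authorization": auth})  # request #2
        return status, body


def run(keep_challenge_cookies: bool):
    """Fresh 4-node cluster per run so the round-robin position is deterministic."""
    lb = LoadBalancer([Node(f"node{i}") for i in range(1, 5)])
    return DigestClient(lb, "alice", "s3cret", keep_challenge_cookies).get("/secure")


if __name__ == "__main__":
    print("cookie replayed:", run(True))   # (200, 'hello from node1')
    print("cookie dropped: ", run(False))  # (401, '')
```

With the cookie replayed the second request lands on the node that issued the nonce and authentication succeeds; with the cookie dropped the round-robin sends it to the next node, whose nonce table does not contain it, so the client receives a fresh 401 exactly as the report describes. From a defender's side this is also why a Digest-protected service behind a non-sticky balancer sees repeated 401s in its logs that look like credential failures but are really nonce-affinity misses.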


              People

              • Assignee: Unassigned
              • Reporter: raulvk Raúl Kripalani
              • Votes: 0
              • Watchers: 1