Uploaded image for project: 'HttpComponents HttpClient'
  1. HttpComponents HttpClient
  2. HTTPCLIENT-1637

HttpClient does not handle cookies during authentication

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 4.3.6
    • None
    • HttpClient (classic)
    • None

    Description

      When upgrading from HTTPClient version 4.2.x to 4.3.6 we recognized that cookies are no longer handled during e.g. DIGEST authentication. This causes the authentication to fail in our cluster environment where a cookie is returned by the load balancer in front used to ensure that all request which are part of the DIGEST handshake will be routed to the same cluster instance (which is crucial for the handshake to succeed!).

      From top of my head I remember to have seen a comment somewhere which stated that cookies are assumed to be issued by a server after authentication succeeded.
      From our point of view this assumption is not valid as mentioned before.

      As a workaround we registered a custom target authentication strategy implementation as follows:

              @Override
        public boolean isAuthenticationRequested(HttpHost authhost, HttpResponse response, HttpContext context) {
            final boolean isAuthenticationRequired = super.isAuthenticationRequested(authhost, response, context);

            if (isAuthenticationRequired) {
                // In case authentication is required store any cookies already set by the server in order to cope with
                // situations where the load balancer adds a cookie for the DIGEST authentication since the new HTTP
                // Client
                // library does not foresee this situation by default
                try {
                    new ResponseProcessCookies().process(response, context);

                    final HttpRequest request = (HttpRequest) context.getAttribute(HttpCoreContext.HTTP_REQUEST);

                    if (request != null) {
                        new RequestAddCookies().process(request, context);
                    }
                } catch (final Exception e) {
                    LOG.error("Custom handling of load balancer session cookies during authentication failed: "
                            + e.getMessage(), e);
                }
            }

            return isAuthenticationRequired;
        }

      which is more a kind of hack...

      Please check whether it is possible to add support for cookies during authentication again so that we do not have to apply the workaround again for each new version.

      Thank you!

      Kind regards,
      CAK

      Attachments

        Issue Links

          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. HTTPCLIENT-1451 HttpClient does not store response cookies on a 401

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              cak_at_work Carsten Kaiser
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: