Affects Version/s: 4.4.1
Fix Version/s: None
Component/s: HttpClient (classic)
Environment: Client using apache-camel http4 version 2.13.1 running requests against server using spring-boot.
We are executing REST requests against a digest-protected endpoint. The server uses session cookies to ensure stickiness.
During the digest roundtrip the first set-cookie header is ignored - thus forcing the server to create another session cookie that is then returned in the http 200 response.
- Request is made (without cookie)
- Server responds with HTTP 401 and digest authentication challenge (including set-cookie header)
- Request is done again with authentication header (but still without cookie - this is the bug)
- Response is received with HTTP 200
Subsequent requests with the same HTTPClient instance contain the cookie received during the HTTP 200 response.
This was working fine in version 4.1.1.
It seems that the class org.apache.http.impl.execchain.ProtocolExec is responsible for processing the request and response interceptors (including the RequestAddCookies and ResponseProcessCookies interceptors). Unfortunately the 401 processing and re-requesting is done in the nested requestExecutor (MainClientExec) - and this one only adds the authentication header and disregards any Set-Cookie headers received in the 401 response.
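The four-step roundtrip described above can be checked with a local harness. This is an added example, not code from the reporter or the HttpClient project; the class name, credentials, nonce and stub server are constructed, and the stub accepts any Authorization header without validating the digest response.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.util.*;
import org.apache.http.auth.*;
import org.apache.http.client.methods.*;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;

public class DigestCookieRepro {
    public static void main(String[] args) throws Exception {
        // Constructed stub server: records the Cookie header of every request it receives.
        List<String> cookiesSeen = Collections.synchronizedList(new ArrayList<>());
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            cookiesSeen.add(cookie);
            boolean authed = ex.getRequestHeaders().getFirst("Authorization") != null;
            if (cookie == null) { // no session presented: issue a new one, as the server in the report does
                ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=s" + cookiesSeen.size() + "; Path=/");
            }
            if (!authed) {
                ex.getResponseHeaders().add("WWW-Authenticate",
                        "Digest realm=\"test\", qop=\"auth\", nonce=\"constructed-nonce\"");
            }
            ex.sendResponseHeaders(authed ? 200 : 401, -1); // -1: no response body
            ex.close();
        });
        server.start();
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("user", "secret"));
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .setDefaultCookieStore(new BasicCookieStore()).build()) {
            String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/";
            try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
                EntityUtils.consume(resp.getEntity());
            }
        } finally {
            server.stop(0);
        }
        // Index 0 is the initial unauthenticated request, index 1 the digest retry.
        boolean replayed = cookiesSeen.size() > 1 && cookiesSeen.get(1) != null;
        System.out.println("Cookie headers seen by server: " + cookiesSeen);
        System.out.println(replayed ? "retry carried the session cookie from the 401"
                : "retry dropped the session cookie from the 401 (behaviour described in this report)");
    }
}
```

Run it against each HttpClient version on the classpath that you want to compare; a second JSESSIONID value issued on the 200 response means the server had to create a new session.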