A cookie received in a 401 'Unauthorized' response does not get processed.
I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients. The flow is as follows:
- The original request gets redirected (302 'Moved temporarily') to an URL of an authentication service.
- The authentication service respondes with a 401 'Unauthorized' response, containing the authentication challenge ('Negotiate' scheme) and a cookie with a JSessionId.
- The HTTP-Client handles the authentication challenge, adding the authentication response header, but does not process the cookie therefore not adding the cookie to the response.
As a consequence, the authentication service does not handle the authentication response and the connection is running into timeout.
As far as I understand the code, the problem might be that the authentication handling is done solely in class 'MainClientExec', while the processing of request- and response-interceptors takes place in 'ProtocolExec' which decorates 'MainClientExec' (as build by HttpClientBuilder). Since processing cookies is done through interceptors (ResponseProcessCookies, ResponseAddCookies), cookies of 401 'Unauthorized' responses are never processed.