
List:       httpclient-commons-dev
Subject:    [jira] [Commented] (HTTPCLIENT-1855) Digest auth: Nonce counter not incremented after reuse
From:       "Alessandro Gherardi (JIRA)" <jira () apache ! org>
Date:       2017-10-25 14:15:00
Message-ID: JIRA.13079300.1497298145000.56221.1508940900069 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218706#comment-16218706 ]

Alessandro Gherardi commented on HTTPCLIENT-1855:
-------------------------------------------------

I submitted a new pull request https://github.com/apache/httpcomponents-client/pull/88
against the master branch. The changes I'm proposing are:
* Re-enable caching of DigestSchemes
* Refactor BasicAuthCache to: (1) Store AuthSchemes un-serialized; (2) The cache
supports multiple DigestSchemes per host key; (3) The get() method removes
DigestSchemes from the map, so that the same server nonce can be used by a single
request at a time.

> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
> 
> Key: HTTPCLIENT-1855
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.2
> Reporter: Alessandro Gherardi
> Attachments: HttpClient5Digest.java, HttpClientDigest.java, httpclient5.log, wireshark.txt
> 
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and
> BasicAuthCache, and a web server that requires HTTP digest authentication. The
> client sends 3 requests to the web server. When the app sends the first request,
> the server returns an HTTP 401 with a digest challenge. httpclient automatically
> retries the request with the Authorization header. The header contains the nonce
> returned by the server and a nonce counter (nc) of 1. The retry succeeds and
> httpclient caches the DigestScheme. For the second request, httpclient uses the
> cached DigestScheme to calculate the Authorization header pre-emptively. The header
> contains the same nonce and specifies a nonce counter of 2. The request succeeds
> without requiring a retry. For the third request, httpclient uses the cached
> DigestScheme to calculate the Authorization header pre-emptively. Even though the
> header contains the same nonce, the nonce counter is set to 2 again. This causes
> the server to return a 401. httpclient should have incremented the nonce counter to
> 3. I believe that the root cause of this problem is that, although DigestScheme
> increases the nonceCount field every time the authenticate() method is called,
> HttpAuthenticator does not re-cache DigestScheme after reusing it. The re-cache is
> needed because BasicAuthCache stores DigestScheme in serialized format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
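A small model of the failure the report describes and of the cache shape the pull request proposes, added here as an example; it is not HttpClient's code. `DigestScheme`, `DigestServer`, `AuthCache` and the host name are constructed stand-ins, and the server applies the usual rule that nc must strictly increase for a given nonce.

```python
import pickle

class DigestScheme:
    """Model of a Digest auth state: one server nonce and its nc counter."""
    def __init__(self, nonce):
        self.nonce, self.nonce_count = nonce, 0
    def authenticate(self):
        self.nonce_count += 1  # nc is bumped on every use, as the report says
        return {"nonce": self.nonce, "nc": self.nonce_count}

class DigestServer:
    """Server side: fresh nonce per challenge; nc must strictly increase."""
    def __init__(self):
        self.issued, self.last_nc = 0, {}
    def challenge(self):
        self.issued += 1
        return f"nonce{self.issued}"
    def check(self, hdr):
        if hdr["nc"] <= self.last_nc.get(hdr["nonce"], 0):
            return 401  # replayed or stale nonce counter
        self.last_nc[hdr["nonce"]] = hdr["nc"]
        return 200

class AuthCache:
    """serialized=True models the reported cache (a serialized copy, so nc
    increments on the copy are lost unless it is put back); pop_on_get=True
    models the proposed get() that hands the live scheme to one request at a time."""
    def __init__(self, serialized, pop_on_get):
        self.serialized, self.pop_on_get, self.store = serialized, pop_on_get, {}
    def put(self, host, scheme):
        self.store[host] = pickle.dumps(scheme) if self.serialized else scheme
    def get(self, host):
        entry = self.store.pop(host, None) if self.pop_on_get else self.store.get(host)
        return pickle.loads(entry) if self.serialized and entry is not None else entry

def run_requests(cache, recache_after_reuse, n=3, host="example.test"):
    """Simulate n requests to one host; returns the list of status codes."""
    server, statuses = DigestServer(), []
    for _ in range(n):
        scheme = cache.get(host)
        challenged = scheme is None
        if challenged:  # 401 with a fresh nonce, then the retry sends nc=1
            scheme = DigestScheme(server.challenge())
        status = server.check(scheme.authenticate())
        # per the report, the client only re-caches after a challenged retry
        if status == 200 and (challenged or recache_after_reuse):
            cache.put(host, scheme)
        statuses.append(status)
    return statuses
```

With the serialized cache and no re-cache after reuse the third request fails exactly as reported; either re-caching after every use or handing out the live object fixes it.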

