List:       httpclient-users
Subject:    Re: CONNECT over SSL with HttpClient 3.0
From:       Oleg Kalnichevski <olegk () apache ! org>
Date:       2006-02-28 22:26:55
Message-ID: 1141165615.8571.9.camel () localhost ! localdomain

On Tue, 2006-02-28 at 16:52 +0100, Olaf Sebelin wrote:
> Hello,
> 
> 
> I am using HttpClient 3.0. When I try to establish an HTTPS connection
> through a proxy with Basic authentication, the connection fails if the
> credentials are not known and applied _before_ the first try.
> 
> What I try to do is the following: I try to connect to the given URL. If
> the proxy returns 407, I request proxy credentials from the user, set
> them and retry, like in the following example code:
> 
> 
> HttpClient client = new HttpClient(new MultiThreadedHttpConnectionManager());
> URL url = new URL("https://examplehttpsurl");
> 
> // first try
> GetMethod get = new GetMethod(url.toExternalForm());
> HostConfiguration hc = new HostConfiguration();
> hc.setHost(url.getHost(), 443, "https");
> hc.setProxy("proxyhost", 4711);
> 
> try {
>     client.executeMethod(hc, get);
> } catch (Exception e) {
>     LOG.error("", e);
> } finally {
>     get.releaseConnection();
> }
> 
> // returns 407 (expected)
> LOG.debug("Answer: " + get.getStatusLine().toString());
> 
> // retry with credentials (normally requested from the user)
> client.getState().setProxyCredentials(new AuthScope("proxyhost", 4711),
>         new NTCredentials("USER", "PASS", "", ""));
> 
> get = new GetMethod(url.toExternalForm());
> 
> try {
>     client.executeMethod(hc, get);
> } catch (Exception e) {
>     e.printStackTrace();
> } finally {
>     get.releaseConnection();
> }
> // should be 200 but is 407
> LOG.debug("Answer: " + get.getStatusLine().toString());
> 
> 
> 
> This fails, since the httpclient does not retry a CONNECT with Proxy
> credentials but with a GET and does not apply the credentials:
> 
> 
> 
> CONNECT XXXXXXXXXXXXXXXXXXXXXXXXXX:443 HTTP/1.1
> User-Agent: Jakarta Commons-HttpClient/3.0
> Host: XXXXXXXXXXXXXXXXXXXXXXXXXX
> Proxy-Connection: Keep-Alive
> 
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.5.STABLE3
> Mime-Version: 1.0
> Date: Tue, 28 Feb 2006 16:45:21 GMT
> Content-Type: text/html
> Content-Length: 1334
> Expires: Tue, 28 Feb 2006 16:45:21 GMT
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from XXXXXXXXXXXXXXXXX
> X-Cache-Lookup: NONE from XXXXXXXXXXXXXXXXX:4711
> Proxy-Connection: keep-alive
> 
> ...
> 
> GET https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
> User-Agent: Jakarta Commons-HttpClient/3.0
> Host: XXXXXXXXXXXXXXXXXXXXXXXXXX
> Proxy-Connection: Keep-Alive
> 
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.5.STABLE3
> Mime-Version: 1.0
> Date: Tue, 28 Feb 2006 16:45:22 GMT
> Content-Type: text/html
> Content-Length: 1385
> Expires: Tue, 28 Feb 2006 16:45:22 GMT
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from XXXXXXXXXXXXXXXXX
> X-Cache-Lookup: NONE from XXXXXXXXXXXXXXXXX:4711
> Proxy-Connection: keep-alive
> 
> ...
> 
> 
> 
> According to http://issues.apache.org/bugzilla/show_bug.cgi?id=34740
> this is a known issue that should have been fixed.
> 
> From what I see from HttpMethodDirector.executeWithRetry(final
> HttpMethod method), the cause is that the connection is kept open, and
> thus the connect is never retried:
> 
> 
> if (!this.conn.isOpen()) {
>     // this connection must be opened before it can be used
>     // This has nothing to do with opening a secure tunnel
>     this.conn.open();
>     if (this.conn.isProxied() && this.conn.isSecure()
>             && !(method instanceof ConnectMethod)) {
>         // we need to create a secure tunnel before we can execute the real method
>         if (!executeConnect()) {
>             // abort, the connect method failed
>             return;
>         }
>     }
> }
> 
> 
> If I add a conn.close() before returning on !executeConnect(), the
> above code will work: the CONNECT is reattempted.
> 
> 
> Is this still a bug with CONNECT over SSL

Olaf,

Please post a _complete_ wire/context log of the HTTP session. I'll take
a look at it.

> or me using HttpClient the
> wrong way?
> 

You should rather implement a custom credentials provider if you want
the user to be able to authenticate interactively:

http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/httpclient/trunk/src/examples/InteractiveAuthenticationExample.java?view=markup


Oleg

> 
> Thanks in advance.
> 
> Regards,
> Olaf
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 
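
The approach recommended in the reply above, sketched as an added example (not code from the thread or from the HttpClient project): a `CredentialsProvider` for HttpClient 3.0 that prompts only for challenges coming from the configured proxy. The class name `ProxyPromptProvider` and the three-prompt cap are assumptions; `proxyhost`, `4711` and the URL are the placeholders from the quoted message.

```java
import java.io.Console;
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScheme;
import org.apache.commons.httpclient.auth.CredentialsNotAvailableException;
import org.apache.commons.httpclient.auth.CredentialsProvider;
import org.apache.commons.httpclient.methods.GetMethod;

// Added example; ProxyPromptProvider is a hypothetical name, not from the thread.
public class ProxyPromptProvider implements CredentialsProvider {
    private static final int MAX_PROMPTS = 3; // assumed cap on password attempts
    private final String proxyHost;
    private final int proxyPort;
    private int prompts = 0;
    public ProxyPromptProvider(String proxyHost, int proxyPort) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
    }
    // Called by HttpClient when a 401/407 arrives and no stored credentials match.
    public synchronized Credentials getCredentials(AuthScheme scheme, String host,
            int port, boolean proxy) throws CredentialsNotAvailableException {
        // Answer only challenges from the configured proxy, never an origin server.
        if (!proxy || !proxyHost.equalsIgnoreCase(host) || port != proxyPort) {
            throw new CredentialsNotAvailableException(
                    "unexpected challenge from " + host + ":" + port);
        }
        Console console = System.console();
        if (console == null || ++prompts > MAX_PROMPTS) {
            throw new CredentialsNotAvailableException("no console or too many attempts");
        }
        console.printf("Proxy %s:%d requests %s authentication, realm \"%s\"%n",
                host, port, scheme.getSchemeName(), scheme.getRealm());
        String user = console.readLine("User: ");
        char[] pass = console.readPassword("Password: "); // input is not echoed
        if (user == null || pass == null) {
            throw new CredentialsNotAvailableException("input closed");
        }
        return new UsernamePasswordCredentials(user, new String(pass));
    }
    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setProxy("proxyhost", 4711);
        client.getParams().setParameter(CredentialsProvider.PROVIDER,
                new ProxyPromptProvider("proxyhost", 4711));
        GetMethod get = new GetMethod("https://examplehttpsurl");
        get.setDoAuthentication(true);
        try {
            System.out.println(client.executeMethod(get) + " " + get.getStatusLine());
        } finally {
            get.releaseConnection();
        }
    }
}
```

In the capture quoted above the proxy offers only `Basic`, so whatever the provider returns is sent to the proxy base64-encoded on the plaintext CONNECT request.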

