Don't propagate Authorization header on redirect after NTLM auth, close AsyncHttpClient#867

Author: slandelle

src/main/java/com/ning/http/client/providers/netty/handler/HttpProtocol.java

@@ -434,7 +434,7 @@ private boolean handleHttpResponse(final HttpResponse response,//
                 || exitAfterHandling401(channel, future, response, request, statusCode, realm) || //
                 exitAfterHandling407(channel, future, response, request, statusCode, proxyServer) || //
                 exitAfterHandling100(channel, future, statusCode) || //
-                exitAfterHandlingRedirect(channel, future, response, request, statusCode) || //
+                exitAfterHandlingRedirect(channel, future, response, request, statusCode, realm) || //
                 exitAfterHandlingConnect(channel, future, request, proxyServer, statusCode, httpRequest) || //
                 exitAfterHandlingStatus(channel, future, response, handler, status) || //
                 exitAfterHandlingHeaders(channel, future, response, handler, responseHeaders) || //

src/main/java/com/ning/http/client/providers/netty/handler/Protocol.java

@@ -16,11 +16,8 @@
 import static com.ning.http.client.providers.netty.util.HttpUtils.HTTP;
 import static com.ning.http.client.providers.netty.util.HttpUtils.WEBSOCKET;
 import static com.ning.http.util.AsyncHttpProviderUtils.followRedirect;
-import static org.jboss.netty.handler.codec.http.HttpResponseStatus.FOUND;
-import static org.jboss.netty.handler.codec.http.HttpResponseStatus.MOVED_PERMANENTLY;
-import static org.jboss.netty.handler.codec.http.HttpResponseStatus.SEE_OTHER;
-import static org.jboss.netty.handler.codec.http.HttpResponseStatus.TEMPORARY_REDIRECT;
 import static org.jboss.netty.handler.codec.http.HttpHeaders.Names.*;
+import static org.jboss.netty.handler.codec.http.HttpResponseStatus.*;
 
 import org.jboss.netty.channel.Channel;
 import org.jboss.netty.handler.codec.http.HttpHeaders;
@@ -34,6 +31,8 @@
 import com.ning.http.client.HttpResponseHeaders;
 import com.ning.http.client.HttpResponseStatus;
 import com.ning.http.client.MaxRedirectException;
+import com.ning.http.client.Realm;
+import com.ning.http.client.Realm.AuthScheme;
 import com.ning.http.client.Request;
 import com.ning.http.client.RequestBuilder;
 import com.ning.http.client.cookie.Cookie;
@@ -91,13 +90,17 @@ public Protocol(ChannelManager channelManager, AsyncHttpClientConfig config, Net
 
     public abstract void onClose(NettyResponseFuture<?> future);
 
-    private FluentCaseInsensitiveStringsMap propagatedHeaders(Request request, boolean switchToGet) {
-        
+    private FluentCaseInsensitiveStringsMap propagatedHeaders(Request request, Realm realm, boolean switchToGet) {
+
         FluentCaseInsensitiveStringsMap originalHeaders = request.getHeaders();
         originalHeaders.remove(HOST);
         originalHeaders.remove(CONTENT_LENGTH);
         if (switchToGet)
             originalHeaders.remove(CONTENT_TYPE);
+        if (realm != null && realm.getScheme() == AuthScheme.NTLM) {
+            originalHeaders.remove(AUTHORIZATION);
+            originalHeaders.remove(PROXY_AUTHORIZATION);
+        }
         return originalHeaders;
     }
 
@@ -106,7 +109,8 @@ protected boolean exitAfterHandlingRedirect(//
             final NettyResponseFuture<?> future,//
             HttpResponse response,//
             Request request,//
-            int statusCode) throws Exception {
+            int statusCode,//
+            Realm realm) throws Exception {
 
         if (followRedirect(config, request) && REDIRECT_STATUSES.contains(statusCode)) {
             if (future.incrementAndGetCurrentRedirectCount() >= config.getMaxRedirects()) {
@@ -147,7 +151,7 @@ protected boolean exitAfterHandlingRedirect(//
                             requestBuilder.addOrReplaceCookie(c);
                     }
 
-                    requestBuilder.setHeaders(propagatedHeaders(future.getRequest(), switchToGet));
+                    requestBuilder.setHeaders(propagatedHeaders(future.getRequest(), realm, switchToGet));
 
                     final Request nextRequest = requestBuilder.setUrl(newUrl).build();
 

src/main/java/com/ning/http/client/providers/netty/handler/WebSocketProtocol.java

@@ -32,6 +32,7 @@
 import com.ning.http.client.AsyncHttpClientConfig;
 import com.ning.http.client.HttpResponseHeaders;
 import com.ning.http.client.HttpResponseStatus;
+import com.ning.http.client.Realm;
 import com.ning.http.client.Request;
 import com.ning.http.client.providers.netty.NettyAsyncHttpProviderConfig;
 import com.ning.http.client.providers.netty.channel.ChannelManager;
@@ -77,13 +78,14 @@ public void handle(Channel channel, NettyResponseFuture<?> future, Object e) thr
             HttpResponse response = (HttpResponse) e;
             HttpResponseStatus status = new NettyResponseStatus(future.getUri(), config, response);
             HttpResponseHeaders responseHeaders = new NettyResponseHeaders(response.headers());
+            Realm realm = request.getRealm() != null ? request.getRealm() : config.getRealm();
 
             if (exitAfterProcessingFilters(channel, future, handler, status, responseHeaders)) {
                 return;
             }
 
             future.setHttpHeaders(response.headers());
-            if (exitAfterHandlingRedirect(channel, future, response, request, response.getStatus().getCode()))
+            if (exitAfterHandlingRedirect(channel, future, response, request, response.getStatus().getCode(), realm))
                 return;
 
             boolean validStatus = response.getStatus().equals(SWITCHING_PROTOCOLS);