Broken support for Digest authentication with query parameters

[softprops]

This is a follow up to a message I posted on the mailing list, https://groups.google.com/d/topic/asynchttpclient/kNCB8Mu7CHM/discussion. I am seeing an issue where the dialog between client and server for handling 401 digest authentication requests fail for all uris containing query parameters because, at some point in the dialog, the request parameters are duplicated invalidation the digest challenge. See my post for the debug logging output of the handshake.

I tried to trace the code through the netty provider. It looks like the request url was intact here But soon afterwards saw a request where the authentication request header contained the original uri but the actual request's query parameters were duplicated invalidating the auth header.

Note this is only an issue with uris containing query parameters. A uri without query parameters seemed to handle digest authentication fine.

[jfarcand]

Tag in for 1.7.2, start looking at it.

[rlubke]

I did a quick check and it appears that the parameter duplication doesn't occur with the Grizzly-based provider. Could you confirm?

[rlubke]

Issue on the netty side is here: https://github.com/sonatype/async-http-client/blob/master/src/main/java/com/ning/http/client/providers/netty/NettyAsyncHttpProvider.java#L2002

[softprops]

Nice find @rlubke It was hard to see what the future uris were without extra debug logging. Since the futures already store a ref to the request, why do they need a store the uri separately instead of delegating that call to the request itself https://github.com/sonatype/async-http-client/blob/master/src/main/java/com/ning/http/client/providers/netty/NettyResponseFuture.java#L101-102

[rlubke]

@softprops I can't comment on why. I mostly deal with the Grizzly side of things. Coming up to speed on the Netty side.

[rlubke]

New snapshot build (1.8.0-SNAPSHOT) should be available soon with the fix. Please confirm resolution when/if time permits.

[softprops]

On Thu, Mar 8, 2012 at 2:03 PM, Ryan Lubke <
[email protected]

wrote:

New snapshot build (1.8.0-SNAPSHOT) should be available soon with the fix.
Please confirm resolution when/if time permits.

Where can I resolve it from. I only see up to 1.7.1

http://repo1.maven.org/maven2/com/ning/async-http-client/

---

Reply to this email directly or view it on GitHub:

https://github.com/sonatype/async-http-client/issues/62#issuecomment-4399686

[softprops]

On Thu, Mar 8, 2012 at 9:28 PM, Doug Tangren [email protected] wrote:

On Thu, Mar 8, 2012 at 2:03 PM, Ryan Lubke <
[email protected]

wrote:

New snapshot build (1.8.0-SNAPSHOT) should be available soon with the
fix. Please confirm resolution when/if time permits.

Where can I resolve it from. I only see up to 1.7.1

http://repo1.maven.org/maven2/com/ning/async-http-client/

nm. found it

https://oss.sonatype.org/content/repositories/snapshots/com/ning/async-http-client/

[softprops]

On Thu, Mar 8, 2012 at 9:31 PM, Doug Tangren [email protected] wrote:

On Thu, Mar 8, 2012 at 9:28 PM, Doug Tangren [email protected] wrote:

On Thu, Mar 8, 2012 at 2:03 PM, Ryan Lubke <
[email protected]

wrote:

New snapshot build (1.8.0-SNAPSHOT) should be available soon with the
fix. Please confirm resolution when/if time permits.

Where can I resolve it from. I only see up to 1.7.1

http://repo1.maven.org/maven2/com/ning/async-http-client/

nm. found it

https://oss.sonatype.org/content/repositories/snapshots/com/ning/async-http-client/

And it works!

Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider
FINE: Number of application's worker threads is 4
Mar 8, 2012 9:40:17 PM
org.jboss.netty.channel.socket.nio.NioProviderMetadata
FINE: Using the autodetected NIO constraint level: 0
Mar 8, 2012 9:40:17 PM org.jboss.netty.channel.DefaultChannelFuture
FINE: The dead lock checker in DefaultChannelFuture has been disabled as
requested at your own risk.
Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider doConnect
FINE:
Non cached request
DefaultHttpRequest(chunked: false)
GET /items?page=1&per_page=5&deleted=false HTTP/1.1
Host: my.cl.ly
Accept: application/json
Connection: keep-alive
User-Agent: dispatch-cloudapp/0.1.0

using Channel
[id: 0x4e48f32a]

Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider$HttpProtocol
handle
FINE:

Request DefaultHttpRequest(chunked: false)
GET /items?page=1&per_page=5&deleted=false HTTP/1.1
Host: my.cl.ly
Accept: application/json
Connection: keep-alive
User-Agent: dispatch-cloudapp/0.1.0

Response DefaultHttpResponse(chunked: true)
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Server: thin 1.3.1 codename Triple Espresso
Www-Authenticate: Digest realm="Application", qop="auth", algorithm=MD5,
nonce="MTMzMTI2MDgxNzphZTkwMzMzNzQ3N2M4ZWNhNWMyYTlhNjExM2FiYjU2OA==",
opaque="9eb56ccb2e8b017ae42bdb4739690863"
X-Runtime: 0.002176
X-Ua-Compatible: IE=Edge,chrome=1
transfer-encoding: chunked
Connection: keep-alive

Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider$HttpProtocol
handle
FINE: Sending authentication to
http://my.cl.ly/items?page=1&per_page=5&deleted=false
Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider doConnect
FINE:
Non cached request
DefaultHttpRequest(chunked: false)
GET /items?page=1&per_page=5&deleted=false HTTP/1.1
Host: my.cl.ly
Accept: application/json
Authorization: Digest username="[email protected]", realm="Application",
nonce="MTMzMTI2MDgxNzphZTkwMzMzNzQ3N2M4ZWNhNWMyYTlhNjExM2FiYjU2OA==", uri="
http://my.cl.ly/items?page=1&per_page=5&deleted=false", algorithm=MD5,
response="889e4e6c81f9de03aaf309bd6672643c",
opaque="9eb56ccb2e8b017ae42bdb4739690863", qop=auth, nc=00000001,
cnonce="5d380c9510779ffa435db0a1172298d7"
Connection: keep-alive
User-Agent: dispatch-cloudapp/0.1.0

using Channel
[id: 0x3486a602]

Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyAsyncHttpProvider$HttpProtocol
handle
FINE:

Request DefaultHttpRequest(chunked: false)
GET /items?page=1&per_page=5&deleted=false HTTP/1.1
Host: my.cl.ly
Accept: application/json
Authorization: Digest username="[email protected]", realm="Application",
nonce="MTMzMTI2MDgxNzphZTkwMzMzNzQ3N2M4ZWNhNWMyYTlhNjExM2FiYjU2OA==", uri="
http://my.cl.ly/items?page=1&per_page=5&deleted=false", algorithm=MD5,
response="889e4e6c81f9de03aaf309bd6672643c",
opaque="9eb56ccb2e8b017ae42bdb4739690863", qop=auth, nc=00000001,
cnonce="5d380c9510779ffa435db0a1172298d7"
Connection: keep-alive
User-Agent: dispatch-cloudapp/0.1.0

Response DefaultHttpResponse(chunked: true)
HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Content-Type: application/json; charset=utf-8
Etag: "a8dc9d8d3cee24342f94d5575adcc591"
Last-Modified: Wed, 07 Mar 2012 11:10:07 GMT
Server: thin 1.3.1 codename Triple Espresso
Set-Cookie:
user_credentials=d9acb612701543593861ce878b0321539fafcfc2efa6a1c6fc59cf0f062afe1ad0b59a3fbe60ffacd7fbb58140dc0196817d4d3da6a4939daf0ba2066e463f7d%3A%3A1021522;
path=/; expires=Sat, 09-Jun-2012 02:40:17 GMT
Set-Cookie:
_engine_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRiIlYWM5YTkzMzAwNGZjNDUzNmJhMWM3NjQ3YmZkZTZhZDRJIhV1c2VyX2NyZWRlbnRpYWxzBjsARkkiAYBkOWFjYjYxMjcwMTU0MzU5Mzg2MWNlODc4YjAzMjE1MzlmYWZjZmMyZWZhNmExYzZmYzU5Y2YwZjA2MmFmZTFhZDBiNTlhM2ZiZTYwZmZhY2Q3ZmJiNTgxNDBkYzAxOTY4MTdkNGQzZGE2YTQ5MzlkYWYwYmEyMDY2ZTQ2M2Y3ZAY7AFRJIhh1c2VyX2NyZWRlbnRpYWxzX2lkBjsARmkDUpYP--c5357f37906c4cf157414223439f35031656fcf4;
path=/; HttpOnly
X-Runtime: 0.009381
X-Ua-Compatible: IE=Edge,chrome=1
transfer-encoding: chunked
Connection: keep-alive

Mar 8, 2012 9:40:17 PM
com.ning.http.client.providers.netty.NettyConnectionsPool offer
FINE: Adding uri: http://my.cl.ly:80 for channel [id: 0x3486a602, /
192.168.3.90:59233 => my.cl.ly/107.22.180.220:80]
res0: java.lang.String = []

Thanks Ryan!

[rlubke]

Good to hear! Will close this out.