Comments (9)
Sorry, I meant that havePreviousDigestAuthorizationWithSameNonce() returns false!
from okhttp-digest.
I am certainly interested, maybe @N4zroth can tell us what server he is using and how to replicate the stale nonce.
Sorry, I am new to github, so I am sure there is a better way of sending a patch, but the issue web interface would only let me attach a .zip. I have tried to keep the same coding style, but feel free to improve the logic. Let me know what you think.
Thanks a lot for the patch. In principle it looks good. Could you be so good as to add/update the tests?
I have tested the patch and IMHO it is not correct. It tries to read the stale parameter from the REQUEST rather than the RESPONSE.
    final String previousAuthorizationHeader = previousRequest.header("Authorization");
    if (previousAuthorizationHeader != null && previousAuthorizationHeader.startsWith("Digest")) {
        // check if the previous nonce is the same as the current nonce
        Map<String, String> previousParameters = new HashMap<String, String>();
        parseChallenge(previousAuthorizationHeader, 7, previousAuthorizationHeader.length() - 7, previousParameters);
        // NOTE: 'stale' is looked up in the previous REQUEST's Authorization parameters here
        final String previousStale = previousParameters.get("stale");
        if (previousStale != null && previousStale.toLowerCase().equals("true")) {
            // we should have been given a new nonce to recompute with, in which case we should not fail
            // the authorization
            final String previousNonce = previousParameters.get("nonce");
            if (!nonce.equals(previousNonce)) {
                // We have been given a new nonce, so try recomputing our Digest.
                // Note that there is a potential infinite loop if the server keeps giving us a new nonce
                // each time, however it would also have to give us the 'stale' flag so I think this is pretty
                // unlikely
                return false;
            }
        }
    }
My original code was only trying to figure out whether the previous request had a nonce, however, you now want to check the previous client nonce (from the request) and the stale header from the server response.
FYI, I started with the following tests, currently one of them fails with your code:
    @Test
    public void testAuthenticate_withDifferentButNotStaleNonce_shouldNotRetry() throws IOException {
        // given
        Request dummyRequest = new Request.Builder()
                .url("http://www.google.com")
                .header("Authorization", "Digest username=\"user1\", realm=\"myrealm\", nonce=\"AAAAAAA\", uri=\"/\", response=\"[0-9a-f]+\", qop=auth, nc=00000001, cnonce=\"[0-9a-f]+\", algorithm=MD5")
                .get()
                .build();
        Response response = new Response.Builder()
                .request(dummyRequest)
                .protocol(Protocol.HTTP_1_1)
                .code(401)
                .addHeader("WWW-Authenticate",
                        "Digest realm=\"myrealm\", nonce=\"BBBBBB\", algorithm=MD5, qop=\"auth\"")
                .addHeader("WWW-Authenticate", "Basic realm=\"DVRNVRDVS\"")
                .build();
        // when
        final Request authenticated = authenticator.authenticate(null, response);
        // then
        assertThat(authenticated, is(nullValue()));
    }

    @Test
    public void testAuthenticate_withStaleNonce_shouldRetry() throws IOException {
        // given
        Request dummyRequest = new Request.Builder()
                .url("http://www.google.com")
                .header("Authorization", "Digest username=\"user1\", realm=\"myrealm\", nonce=\"AAAAAAA\", uri=\"/\", response=\"[0-9a-f]+\", qop=auth, nc=00000001, cnonce=\"[0-9a-f]+\", algorithm=MD5")
                .get()
                .build();
        Response response = new Response.Builder()
                .request(dummyRequest)
                .protocol(Protocol.HTTP_1_1)
                .code(401)
                .addHeader("WWW-Authenticate",
                        "Digest realm=\"myrealm\", nonce=\"BBBBBB\", stale=\"true\", algorithm=MD5, qop=\"auth\"")
                .addHeader("WWW-Authenticate", "Basic realm=\"DVRNVRDVS\"")
                .build();
        // when
        final Request authenticated = authenticator.authenticate(null, response);
        // then
        assertThat(authenticated.header("Authorization"),
                matchesPattern("Digest username=\"user1\", realm=\"myrealm\", nonce=\"BBBBBB\", uri=\"/\", response=\"[0-9a-f]+\", qop=auth, nc=00000001, cnonce=\"[0-9a-f]+\", algorithm=MD5"));
    }
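The retry decision that the two tests above pin down, as an added stand-alone example (Python rather than the library's Java; this is not okhttp-digest's own code): the previous nonce is read from the request's Authorization header, the stale flag from the response's WWW-Authenticate challenge. The header values are constructed to mirror the tests, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# One key=value pair of a Digest challenge/credentials: quoted value or bare token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_params(header: str) -> Optional[Dict[str, str]]:
    """Parameters of a 'Digest ...' header value, or None if the scheme is not Digest."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def nonce_for_retry(previous_authorization: Optional[str],
                    www_authenticate: List[str]) -> Optional[str]:
    """Decide whether a 401 deserves another Digest attempt.

    previous_authorization: the Authorization header the rejected request carried (or None).
    www_authenticate: every WWW-Authenticate header value on the 401 response.
    Returns the server nonce to recompute with, or None to give up.
    """
    challenge = next((p for p in map(parse_digest_params, www_authenticate) if p), None)
    if not challenge or "nonce" not in challenge:
        return None  # no Digest challenge offered (e.g. only Basic)
    new_nonce = challenge["nonce"]
    previous = parse_digest_params(previous_authorization) if previous_authorization else None
    if previous is None:
        return new_nonce  # first challenge, or the previous attempt used another scheme
    if previous.get("nonce") == new_nonce:
        return None  # same nonce rejected again: the credentials are wrong, stop
    # The nonce changed. Retry only if the SERVER marked the old one stale (looked up in
    # the response, not the request): a new nonce alone says nothing about our credentials.
    if challenge.get("stale", "").lower() == "true":
        return new_nonce
    return None


# Constructed header values mirroring the two tests in the thread.
PREVIOUS_AUTH = ('Digest username="user1", realm="myrealm", nonce="AAAAAAA", uri="/", '
                 'response="0123abcd", qop=auth, nc=00000001, cnonce="deadbeef", algorithm=MD5')
CHALLENGE_NOT_STALE = ['Digest realm="myrealm", nonce="BBBBBB", algorithm=MD5, qop="auth"',
                       'Basic realm="DVRNVRDVS"']
CHALLENGE_STALE = ['Digest realm="myrealm", nonce="BBBBBB", stale="true", algorithm=MD5, qop="auth"',
                   'Basic realm="DVRNVRDVS"']

if __name__ == "__main__":
    print(nonce_for_retry(PREVIOUS_AUTH, CHALLENGE_NOT_STALE))  # None: do not retry
    print(nonce_for_retry(PREVIOUS_AUTH, CHALLENGE_STALE))      # BBBBBB: recompute
```

A production client would still cap the number of stale retries per request, since a server that keeps answering stale=true with a fresh nonce would otherwise loop exactly as the comment in the patch notes.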
Sorry about that - the 'stale' code was pretty much just a guess that passed the compile test and seemed plausible :-)
I am pretty sure you are correct - it should be looking at the response for 'Stale'. I am unable to run any of the tests because I have hacked the project to run in a plain Java (non-Android) environment. Would you consider a patch set that removed the Android dependency (e.g. switching out logging for slf4j/slf4j-android)?
Glen.
On 22 June 2016 at 18:42, rburgst wrote:
> I have tested the patch and IMHO it is not correct. It tries to read the stale parameter from the REQUEST rather than the RESPONSE. [...]
The next version will no longer rely on Android logging. See also #13.
Latest code doesn't rely on Android logging anymore, can you give it a go?
Will do, however it may take a couple of days before I can get to it.
Thanks,
Glen.
On 6 July 2016 at 18:11, rburgst wrote:
> latest code doesn't rely on android logging anymore, can you give it a go?