JDK-4990708

Basic auth credentials are not correctly passed when HTTP Redirections occur

    Details

    • Subcomponent:
    • CPU:
      generic, sparc
    • OS:
      solaris_2.6

      Description

      The problem description is as follows:
      ----------------------------------------------------
      BOX 1 has web server load balancing to two app servers
      BOX 2a and 2b are the application servers load balanced to the web server. This is where the web services are deployed.
      BOX 3 has an authentication service running like Identity server. The policy agent for this may be at the web server (BOX1) or at both the app servers (BOX 2a and 2b)

      1. JAX-RPC client sends a request to the app server with basic auth credential in the header

      2. The identity server agent intercepts, sees it's a protected resource and sends a redirect (302 Moved Temporarily header) to the identity server (BOX 3) for authentication/validation of the credentials.
      Any other authentication gateway that one installs will most probably use the same mechanism.

      3. The JAX-RPC client handles the redirect successfully and sends the request to the redirected URL. However the Basic auth credentials are lost and so is the POST body. (It becomes a GET request).

      4. The identity server returns a not authorized message (because no credentials were presented) and the web service cannot be accessed.

      We have tried almost every possible configuration in the policy agent/app server/identity server so am pretty sure it's not a configuration issue.
      The client libraries tested were those packaged with Java WSDP 1.2 and Java WSDP 1.3.

      This behavior wrt redirection may not be required by the JAX-RPC specifications so this may in fact be an RFE. However it's important to have this fixed/enhanced to use any commercial vendor provided delegated identity/authentication mechanism.

      Investigation in process
      ###@###.### 2004-02-24
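
The redirect step in the report, modelled as an added example (not JDK or JAX-RPC code, and not from the reporter): it plans the follow-up request an HTTP client would send after a redirect, showing where the POST body and the `Authorization` header drop out. The class, method and host names are hypothetical, and forwarding credentials only to the same origin is an assumed conservative policy, not documented JDK behaviour. Requires Java 16+ for records.

```java
import java.net.URI;

public class RedirectPlan {
    // The request a client would send next, and what survives the redirect.
    record FollowUp(URI target, String method, boolean keepBody, boolean sendAuthorization) {}

    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Same origin = same scheme, host and effective port.
    static boolean sameOrigin(URI a, URI b) {
        return a.getHost() != null && b.getHost() != null
            && a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && port(a) == port(b);
    }

    static FollowUp plan(URI original, String method, int status, String location) {
        URI target = original.resolve(location); // Location may be relative
        // 301/302 commonly rewrite POST to GET; 303 rewrites everything but HEAD;
        // 307/308 require the method and body to be preserved.
        boolean toGet = (status == 303 && !method.equals("HEAD"))
                     || ((status == 301 || status == 302) && method.equals("POST"));
        String next = toGet ? "GET" : method;
        boolean keepBody = !toGet && !next.equals("GET") && !next.equals("HEAD");
        // Assumed policy: never replay Basic credentials to a different origin,
        // since the redirect target would receive the reusable password.
        boolean sendAuth = sameOrigin(original, target);
        return new FollowUp(target, next, keepBody, sendAuth);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for BOX 2a and BOX 3.
        URI ws = URI.create("http://app.example.test:8080/ws/endpoint");
        // Step 2 of the report: 302 from the policy agent to the identity server.
        System.out.println(plan(ws, "POST", 302, "http://idp.example.test/login"));
        // Same-origin 307 for comparison: method, body and credentials all survive.
        System.out.println(plan(ws, "POST", 307, "/ws/endpoint-v2"));
    }
}
```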

            People

            Assignee:
            chegar Chris Hegarty
            Reporter:
            duke J. Duke (Inactive)