author | Simon Rettberg | 2019-10-11 13:13:44 +0200 |
---|---|---|
committer | Simon Rettberg | 2019-10-11 13:13:44 +0200 |
commit | 30f95c630e4e6c4f52ccc3899bcea2612bdf88d8 (patch) | |
tree | 50f8a21816cc24ec921baecccb5489f3beebae47 | |
parent | Support retrying authentication without an @... suffix automatically (diff) | |
Unconditionally send Auth header to IdP
The apache HTTP lib "helpfully" tries to talk to the IdP without sending
the provided credentials first, and only retries the request with those
credentials if the first attempt results in "401 Authorization
Required". This apparently breaks with IdP 3.x's integrated ECP support
as that always replies with "200 OK", putting an error message in the
XML payload of the reply instead, so the apache lib never retries the
request with credentials.
-rw-r--r-- | src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
index e40097c..980adad 100644
--- a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
+++ b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
@@ -25,11 +25,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
-import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpPost;
-import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
@@ -73,10 +73,8 @@ public abstract class ECPAuthenticatorBase extends Observable {
 private HttpResponse exec(Document idpRequest, String user, String pass)
throws ECPAuthenticationException {
- BasicCredentialsProvider bcp = new BasicCredentialsProvider();
- bcp.setCredentials(new AuthScope(authInfo.getIdpEcpEndpoint().getHost(), authInfo.getIdpEcpEndpoint()
- .getPort()), new UsernamePasswordCredentials(user, pass));
- HttpClientContext passwordContext = HttpClientContext.create();
+ UsernamePasswordCredentials creds = new UsernamePasswordCredentials(user, pass);
+ //HttpClientContext passwordContext = HttpClientContext.create();
HttpPost httpPost = new HttpPost(authInfo.getIdpEcpEndpoint().toString());
try {
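Review bot: The commented-out line `//HttpClientContext passwordContext = HttpClientContext.create();` in this hunk, and `//passwordContext.setCredentialsProvider(bcp);` in the next one, should be deleted rather than left as dead code; the HttpClientContext import is removed in the first hunk, so the line would not even compile if uncommented. If the intent is to record why the credentials-provider path was abandoned, a why-comment above the new `addHeader` call says it better, e.g. `// Attach the Basic Authorization header ourselves: the IdP answers 200 with a SOAP fault instead of 401, so HttpClient's challenge-driven auth never fires.` exec() continues past the end of this hunk.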
@@ -86,9 +84,14 @@ public abstract class ECPAuthenticatorBase extends Observable {
 throw new ECPAuthenticationException(e1);
}
httpPost.setHeader("Content-Type", "text/xml; charset=utf-8");
- passwordContext.setCredentialsProvider(bcp);
+ //passwordContext.setCredentialsProvider(bcp);
try {
- return client.execute(httpPost, passwordContext);
+ httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));
+ } catch (AuthenticationException e1) {
+ throw new ECPAuthenticationException(e1);
+ }
+ try {
+ return client.execute(httpPost);
} catch (Exception e) {
httpPost.reset();
logger.debug("Could not submit PAOS request to IdP");
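Review bot: Attaching the Authorization header directly to `httpPost` on the added `addHeader` line loses the host/port scoping the removed AuthScope gave the credentials: the header now travels with the request object, so if `client` (built outside this hunk) follows redirects, HttpClient's default redirect strategy copies the original request on 307/308 and the Basic credentials would be sent to whatever host the IdP redirects to. Consider disabling redirects for this client (`RequestConfig.custom().setRedirectsEnabled(false)`) or at least checking that `authInfo.getIdpEcpEndpoint()` uses https before the header is added, since Basic is only base64 and the old code never sent it unchallenged. As far as I recall `new BasicScheme()` encodes user:pass with a default charset that is not UTF-8, so non-ASCII passwords may not match what the IdP expects; `new BasicScheme(StandardCharsets.UTF_8)` makes the encoding explicit. The enclosing exec() starts in the previous hunk and its catch block continues past the end of this one.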