authorSimon Rettberg2019-10-11 13:13:44 +0200
committerSimon Rettberg2019-10-11 13:13:44 +0200
commit30f95c630e4e6c4f52ccc3899bcea2612bdf88d8 (patch)
tree50f8a21816cc24ec921baecccb5489f3beebae47
parentSupport retrying authentication without an @... suffix automatically (diff)
downloadecp-client-lean-30f95c630e4e6c4f52ccc3899bcea2612bdf88d8.tar.gz
ecp-client-lean-30f95c630e4e6c4f52ccc3899bcea2612bdf88d8.tar.xz
ecp-client-lean-30f95c630e4e6c4f52ccc3899bcea2612bdf88d8.zip
Unconditionally send Auth header to IdP
The apache HTTP lib "helpfully" tries to talk to the IdP without sending the provided credentials first, and only retries the request with those credentials if the first attempt results in "401 Authorization Required". This apparently breaks with IdP 3.x's integrated ECP support as that always replies with "200 OK", putting an error message in the XML payload of the reply instead, so the apache lib never retries the request with credentials.
-rw-r--r--src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java19
1 files changed, 11 insertions, 8 deletions
diff --git a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
index e40097c..980adad 100644
--- a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
+++ b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
@@ -25,11 +25,11 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
-import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpPost;
-import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
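Review bot: `import org.apache.http.impl.client.BasicCredentialsProvider;` survives on the new side although its only visible use, the `bcp` instance in exec(), is deleted by this commit; unless the class is referenced elsewhere in the file outside these hunks it should go the same way as the `AuthScope` and `HttpClientContext` imports that are already removed. A stale import of a credentials provider is more than lint noise here: it suggests to the next reader that some request context is still scoped to the IdP host, which after this change is no longer true.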
@@ -73,10 +73,8 @@ public abstract class ECPAuthenticatorBase extends Observable {
private HttpResponse exec(Document idpRequest, String user, String pass)
throws ECPAuthenticationException {
- BasicCredentialsProvider bcp = new BasicCredentialsProvider();
- bcp.setCredentials(new AuthScope(authInfo.getIdpEcpEndpoint().getHost(), authInfo.getIdpEcpEndpoint()
- .getPort()), new UsernamePasswordCredentials(user, pass));
- HttpClientContext passwordContext = HttpClientContext.create();
+ UsernamePasswordCredentials creds = new UsernamePasswordCredentials(user, pass);
+ //HttpClientContext passwordContext = HttpClientContext.create();
HttpPost httpPost = new HttpPost(authInfo.getIdpEcpEndpoint().toString());
try {
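Review bot: The commented-out `//HttpClientContext passwordContext = HttpClientContext.create();` should be deleted rather than kept; the commit removes the `HttpClientContext` import, so the line can no longer be uncommented as-is, and the commit message already records why the context-based approach was abandoned. Dead code in comments tends to be resurrected without the reasoning behind its removal, and the companion `//passwordContext.setCredentialsProvider(bcp);` further down in exec() should be dropped for the same reason. The body of exec() continues past the end of this hunk.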
@@ -86,9 +84,14 @@ public abstract class ECPAuthenticatorBase extends Observable {
throw new ECPAuthenticationException(e1);
}
httpPost.setHeader("Content-Type", "text/xml; charset=utf-8");
- passwordContext.setCredentialsProvider(bcp);
+ //passwordContext.setCredentialsProvider(bcp);
try {
- return client.execute(httpPost, passwordContext);
+ httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));
+ } catch (AuthenticationException e1) {
+ throw new ECPAuthenticationException(e1);
+ }
+ try {
+ return client.execute(httpPost);
} catch (Exception e) {
httpPost.reset();
logger.debug("Could not submit PAOS request to IdP");
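Review bot: Putting the Authorization header on `httpPost` itself removes the host/port scoping the deleted `AuthScope` gave the credentials, so the Basic credentials now travel with the request object wherever `client` sends it — if the IdP endpoint answers with a redirect to another host, HttpClient's default redirect handling copies request headers for 307/308 (worth confirming against the library version in use), and nothing in the hunk checks that `authInfo.getIdpEcpEndpoint()` is an https URL before a base64-encoded password goes on the wire. Since the credentials are now sent preemptively, pin the request down: `httpPost.setConfig(RequestConfig.custom().setRedirectsEnabled(false).build());` before the execute call, and refuse a non-https endpoint up front with something like `if (!"https".equalsIgnoreCase(authInfo.getIdpEcpEndpoint().getScheme())) throw new ECPAuthenticationException(...);` using whatever constructor that exception type offers. Separately, `new BasicScheme()` with a `null` context encodes the username/password with the scheme's default charset, which in HttpClient 4.x is ASCII unless configured, so a non-ASCII password is presumably mangled — the old provider path likely behaved the same, but now that the scheme is constructed explicitly it is a one-token fix, `new BasicScheme(StandardCharsets.UTF_8)`, if the IdP expects UTF-8. The commented-out `//passwordContext.setCredentialsProvider(bcp);` line should also be deleted.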