From 30f95c630e4e6c4f52ccc3899bcea2612bdf88d8 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 11 Oct 2019 13:13:44 +0200
Subject: Unconditionally send Auth header to IdP

The apache HTTP lib "helpfully" tries to talk to the IdP without sending the provided credentials first, and only retries the request with those credentials if the first attempt results in "401 Authorization Required". This apparently breaks with IdP 3.x's integrated ECP support as that always replies with "200 OK", putting an error message in the XML payload of the reply instead, so the apache lib never retries the request with credentials.
---
 .../edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
index e40097c..980adad 100644
--- a/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
+++ b/src/main/java/edu/kit/scc/dei/ecplean/ECPAuthenticatorBase.java
@@ -25,11 +25,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
-import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.methods.HttpPost;
-import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.auth.BasicScheme;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
@@ -73,10 +73,8 @@ public abstract class ECPAuthenticatorBase extends Observable {
 private HttpResponse exec(Document idpRequest, String user, String pass) throws ECPAuthenticationException {
- BasicCredentialsProvider bcp = new BasicCredentialsProvider();
- bcp.setCredentials(new AuthScope(authInfo.getIdpEcpEndpoint().getHost(), authInfo.getIdpEcpEndpoint()
- .getPort()), new UsernamePasswordCredentials(user, pass));
- HttpClientContext passwordContext = HttpClientContext.create();
+ UsernamePasswordCredentials creds = new UsernamePasswordCredentials(user, pass);
+ //HttpClientContext passwordContext = HttpClientContext.create();
 HttpPost httpPost = new HttpPost(authInfo.getIdpEcpEndpoint().toString());
 try {
@@ -86,9 +84,14 @@ public abstract class ECPAuthenticatorBase extends Observable {
 throw new ECPAuthenticationException(e1);
 }
 httpPost.setHeader("Content-Type", "text/xml; charset=utf-8");
- passwordContext.setCredentialsProvider(bcp);
+ //passwordContext.setCredentialsProvider(bcp);
 try {
- return client.execute(httpPost, passwordContext);
+ httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));
+ } catch (AuthenticationException e1) {
+ throw new ECPAuthenticationException(e1);
+ }
+ try {
+ return client.execute(httpPost);
 } catch (Exception e) {
 httpPost.reset();
 logger.debug("Could not submit PAOS request to IdP");
-- 
cgit v1.2.3-55-g7522
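Review bot: The new `//HttpClientContext passwordContext = HttpClientContext.create();` line in this hunk, and `//passwordContext.setCredentialsProvider(bcp);` in the hunk at @@ -86, are commented-out code referring to a removed variable and a class that is no longer imported; delete them rather than keeping them as comments. With `AuthScope` and `HttpClientContext` dropped from the imports at @@ -25, `BasicCredentialsProvider` appears to be unused as well unless another method outside this diff still references it — if not, remove that import in the same change. The reason for the switch lives only in the commit message; a why-comment on the `creds` line would keep it with the code, e.g. `// Attach Basic credentials up front: IdP 3.x ECP answers 200 with an error payload instead of 401, so challenge-based auth never triggers.` exec() continues past the end of this hunk.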
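Review bot: `httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));` now puts the base64-encoded password on the very first request to whatever `authInfo.getIdpEcpEndpoint()` holds, and nothing in this path checks that the endpoint is TLS; the old provider was at least scoped by AuthScope to host and port and only released the credentials after a 401. Consider rejecting a non-HTTPS endpoint before attaching the header, e.g. `if (!"https".equalsIgnoreCase(authInfo.getIdpEcpEndpoint().getScheme())) throw new ECPAuthenticationException(/* message */);` — adapt to whether the endpoint is a URI or URL and to the exception constructors available, which are not visible here. If `client` is configured to follow redirects, a header set directly on the request is carried along with the redirected request, unlike provider-supplied credentials, so either document that or pin the redirect policy explicitly. For consistency with the `setHeader("Content-Type", ...)` line just above, `setHeader` would also be the natural call for the Authorization header. exec() begins and ends outside this hunk.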