Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Preemptively send authentication credentials in WMSHttpHelper #1284

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

patlkli
Copy link

@patlkli patlkli commented Jun 28, 2024

While trying to cache a WMS layer from another GeoServer instance that requires authentication, I noticed that GeoWebCache didn't manage to perform any successful requests to that upstream GeoServer.

While digging into that issue, I noticed that httpcomponents will only send credentials when challenged by the server.
Since that GeoServer had publicly available layers, it would just respond with 404 instead of 401, so WMSHttpHelper wouldn't try it again with credentials.

Before moving from commons-httpclient to httpcomponents in 8beede1, WMSHttpHelper was sending authentication credentials preemptively. This behaviour changed after the move.

In fact, httpcomponents doesn't seem to have any mechanism to force preemptive authentication except for explicitly setting the Authorization header. So that's exactly what this PR does.

Just as a side note, BasicScheme.authenticate doesn't actually ever throw AuthenticationException, that's why it's re-thrown as an AssertionError here.

Before moving from commons-httpclient to httpcomponents in 8beede1,
WMSHttpHelper was sending authentication credentials preemptively.

httpcomponents doesn't seem to have any mechanism to force preemptive
authentication except for explicitly setting the Authorization header,
which is what this commit does.
@aaime
Copy link
Member

aaime commented Jul 15, 2024

@ianturton you worked on the HTTP components upgrade. Any observation about the preemptive authentication change?

@jodygarnett
Copy link
Contributor

I am not sure what to with this PR, do we have a test or a downstream integration test or any way to ensure this does something?

@ianturton
Copy link
Contributor

I can't really comment on the change - it looks fine but I can't think of how to test it for real unless we have an authenticated server to test against.

@aaime
Copy link
Member

aaime commented Oct 25, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants