rburgst/okhttp-digest

DigestAuthenticator QOP_AUTH_INT

chrisjenx opened this issue · 1 comments

Sooo while scanning through the code I came across this gem in the DigestAuthenticator class.

            // Method ":" digest-uri-value ":" H(entity-body)
            RequestBody entity = null;
            if (request.body() != null) {
                entity = request.body();
            }
            if (entity != null) {
                // If the entity is not repeatable, try falling back onto QOP_AUTH
                if (qopset.contains("auth")) {
                    qop = QOP_AUTH;
                    a2 = method + ':' + uri;
                } else {
                    throw new AuthenticationException("Qop auth-int cannot be used with " +
                            "a non-repeatable entity");
                }
            } else {
                final HttpEntityDigester entityDigester = new HttpEntityDigester(digester);
                try {
                    if (entity != null) {
                        entity.writeTo(entityDigester);
                    }
                    entityDigester.close();
                } catch (final IOException ex) {
                    throw new AuthenticationException("I/O error reading entity content", ex);
                }
                a2 = method + ':' + uri + ':' + encode(entityDigester.getDigest());
            }

You will never ever get the entity to writeTo the entityDigester.
Also checking body() is not null before applying it to something that can be null is a bit weird...
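
The branch logic the snippet's comments describe, written out as an added example (JDK-only; not code from okhttp-digest or from the issue author): auth-int hashes the entity into A2, and the fallback to auth, which leaves the body without integrity protection, happens only when the body cannot be re-read. The class and method names, the `repeatable` flag, the use of MD5 for H() and the sample request are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collection;

public class AuthIntA2Example {
    // H(): lowercase hex MD5, assuming the challenge uses algorithm=MD5.
    static String h(byte[] data) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(data)) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Returns {qop, A2}. body == null means the request has no entity.
    // repeatable is a hypothetical flag meaning "the body can be read twice".
    // Assumes the server offered at least one of auth / auth-int.
    static String[] qopAndA2(Collection<String> qopset, String method, String uri,
                             byte[] body, boolean repeatable) {
        if (qopset.contains("auth-int")) {
            if (body == null) {
                // No entity: auth-int still applies, over an empty body.
                return new String[] {"auth-int", method + ':' + uri + ':' + h(new byte[0])};
            }
            if (repeatable) {
                // Entity present and safe to read: hash it into A2.
                return new String[] {"auth-int", method + ':' + uri + ':' + h(body)};
            }
            if (!qopset.contains("auth")) {
                throw new IllegalStateException(
                        "Qop auth-int cannot be used with a non-repeatable entity");
            }
        }
        // Fallback: auth covers method and URI only, not the body.
        return new String[] {"auth", method + ':' + uri};
    }

    public static void main(String[] args) {
        Collection<String> offered = Arrays.asList("auth", "auth-int");
        byte[] body = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println(String.join(" | ", qopAndA2(offered, "POST", "/pay", body, true)));
        System.out.println(String.join(" | ", qopAndA2(offered, "POST", "/pay", body, false)));
        System.out.println(String.join(" | ", qopAndA2(offered, "GET", "/pay", null, true)));
    }
}
```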