Dear BaseX team,

I have problems getting http:send-request going when using Digest authentication. I get a response as if the password were wrong, although I think it isn't.

Request:

<http:request method='post' send-authorization='true' username='foofoo' password='secret' auth-method="Digest">
  <http:body media-type='text/xml' method='xml'>{$useMsg}</http:body>
</http:request>

Response:

<http:response xmlns:http="http://expath.org/ns/http-client" status="401" message="Unauthorized">
  <http:header name="Server" value="Apache/2.2.22 (Ubuntu)"/>
  <http:header name="WWW-Authenticate" value="Digest realm="traveltainment", qop="auth", nonce="1424448664077:8d932e72fb644113f4fb1a76f942cf1d", opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW""/>
  <http:header name="Connection" value="close"/>
  <http:header name="Vary" value="Accept-Encoding"/>
  <http:header name="Content-Length" value="954"/>
  <http:header name="Date" value="Fri, 20 Feb 2015 16:11:04 GMT"/>
  <http:header name="Content-Type" value="text/html;charset=utf-8"/>
</http:response>

Interestingly, a JMeter test using the same URL, user name and password works correctly. (I used copy & paste to transfer the credentials from the JMeter GUI into the XQuery code, and the credentials are just what some documentation tells me; tried of course also typing them in manually.)

Using Wireshark, I observed the messages sent by JMeter and BaseX, respectively. BaseX does send two requests, as it is supposed to do; but the authorization data sent by the second one are in two respects different from the data sent by JMeter: JMeter sends a field: algorithm="MD5", which BaseX does not, and the cnonce is much longer. (See below for the authorization strings.)

I use Java 8, and I suspect the problem is connected with that. I heard rumours that Digest authentication with Java 8 might require a little adaptation of the code. Did you try the module using Java 8?

Cheers,
Hans-Juergen

PS:

(1) Authentication sent by BaseX, failing:

User-Agent:Java/1.8.0_31
Authorization:Digest username=foofoo, realm=traveltainment,nonce=1424448664069:b6ed9add48830631ae90ad27cfcb5c5e,uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,qop=auth,nc=00000001,cnonce=9b2ff1ce6900217dd6be667aa6f99e12,response=4e35b40dd4ba7d62cd6123d9adebc046,opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW
Authorization:Digest username=foofoo,realm=traveltainment,nonce=1424449896135:5fa18cec34de1a15d8ce2a36df77bd6a,uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,qop=auth,nc=00000001,cnonce=5be8fce766d843e8ea29936b73ed94c7,response=3757d8fb6cfc4c997030541c58e72d61,opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW

(2) Authentication sent by JMeter, successfully (please note the "algorithm" field; also note the much shorter cnonce):

User-Agent:Apache-HttpClient/4.2.6 (java 1.5)
Authorization:Digest username="foofoo", realm="traveltainment",nonce="1424448476861:032a9011541d271a429d737844ec860a",uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",response="df6416855e49a0f28cff8020c30ad3a7",qop=auth,nc=00000001,cnonce="c4b43ae817866fb5",algorithm="MD5",opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
Authorization:Digest username="foofoo", realm="traveltainment", nonce="1424450034667:82c9d9977a208442a7926a948e163e45", uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",response="74712ad74209c954bfb6e545b5f8670b",qop=auth,nc=00000001,cnonce="788dbfb1ed7a77ef",algorithm="MD5",opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
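
A way to check captured headers like the ones above offline, as an added example that is not part of the original message or of BaseX: it parses a Digest Authorization header with quoted or bare values, recomputes the RFC 2617 response for qop=auth with MD5, and lists which quoted-string fields arrived without quotes. The function names are hypothetical, and the sample header is the worked example from RFC 2617, not data from this thread.

```python
import hashlib
import hmac
import re

# Parameters that RFC 2617 defines as quoted strings in the Authorization header.
QUOTED_FIELDS = ("username", "realm", "nonce", "cnonce", "opaque", "response")
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Return (params, bare): parameter values plus the names sent without quotes."""
    name, _, value = header.partition(":")
    value = value.strip()
    if name.strip().lower() != "authorization" or not value.lower().startswith("digest "):
        raise ValueError("not a Digest Authorization header")
    params, bare = {}, set()
    for m in PARAM.finditer(value[7:]):
        key, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        params[key] = token if quoted is None else quoted
        if quoted is None:
            bare.add(key)
    return params, bare

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(p, method, password):
    """RFC 2617 request digest for qop=auth, algorithm MD5 (the default if absent)."""
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only MD5 is handled here")
    if p.get("qop") != "auth":
        raise ValueError("only qop=auth is handled here")
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def check(header, method, password):
    """Report whether the response hash fits the password and which fields lack quotes."""
    p, bare = parse_digest(header)
    ok = hmac.compare_digest(expected_response(p, method, password), p["response"].lower())
    return {"response_ok": ok, "unquoted": sorted(bare.intersection(QUOTED_FIELDS))}

# Constructed sample: the worked example from RFC 2617 section 3.5 (password "Circle Of Life").
RFC_SAMPLE = ('Authorization: Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1", '
              'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
if __name__ == "__main__":
    print(check(RFC_SAMPLE, "GET", "Circle Of Life"))
```

Run against a captured header with the request method and the real password: `response_ok` shows whether the client hashed the expected credentials, independently of how the header was formatted.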