[GRADLE-2650] HttpClient forces connection reset while attempting NTLM proxy authentication Created: 23/Jan/13  Updated: 06/Feb/15  Resolved: 24/Jan/13

Status: Resolved
Project: Gradle
Affects Version/s: None
Fix Version/s: 1.4-rc-3

Type: Bug
Reporter: Daz DeBoer Assignee: Unassigned
Resolution: Fixed Votes: 0

Known Issue Of:

 Description   

As related in the forums, certain configuration of authenticating proxy can cause HttpClient to enter an infinite loop, repeatedly re-attempting authentication of the same url.

Examining some log files in detail, it appears that the HttpClient is being reset in the middle of NTLM authentication: the first NTLM authorisation header is being sent and subsequent challenge is received, but the second authorisation request is never sent in response to the challenge.

At this point the debug logs for 1.4-rc-2 look like:

07:45:59.564 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authorization challenge processed
07:45:59.565 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:58759<->XX.XX.XX.XX:8080 closed
07:45:59.565 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Resetting proxy auth state
07:45:59.565 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to proxy2-eu.XXX.com:8080
07:45:59.567 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
07:45:59.568 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
07:45:59.568 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: UNCHALLENGED

while the debug logs for 1.3 look like:

07:49:55.378 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authorization challenge processed
07:49:55.379 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:59864<->XX.XX.XX.XX:8080 closed
07:49:55.379 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to proxy2-eu.XXX.com:8080
07:49:55.381 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
07:49:55.382 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
07:49:55.382 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: HANDSHAKE

The following line looks suspicious in 1.4:

07:45:59.565 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Resetting proxy auth state

I think this might be related to the following fix that was put into HttpClient 4.2.3 (which we are not using):

  • SystemDefaultHttpClient misinterprets 'http.keepAlive' default value and disables
    connection persistence if the system property is not set. This causes connection
    based authentication schemes such as NTLM to fail.


 Comments   
Comment by Daz DeBoer [ 24/Jan/13 ]

HttpClient 4.2.2 does not correctly treat the default value of http.keepAlive ("true"). So if the system property is not set, "false" is assumed.

When http.keepAlive is "false", then proxy authentication is reset when a connection is closed, as happens in the middle of a 2 phase authentication protocol like NTLM.

When this happens, HttpClient reattempts the entire authentication process, leading to an infinite loop.

Gradle works-around this bug by always setting the "http.keepAlive" system property to "true".

Comment by vijay gudimella [ 05/Dec/13 ]

This is still a problem in 1.9 (it failed even in 1.6). Same dependencies requested from Maven, Leiningen works fine.

2:38:23.696 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to XX.XX.XX.XX:8080
22:38:23.792 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
22:38:23.792 [DEBUG] [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
22:38:23.793 [DEBUG] [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
22:38:23.793 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: CHALLENGED
22:38:23.794 [DEBUG] [org.apache.http.client.protocol.RequestProxyAuthentication] Generating response to an authentication challenge using ntlm scheme
22:38:23.794 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Attempt 32 to execute request
22:38:23.795 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Sending request: HEAD http://repo1.maven.org/maven2/commons-collections/commons-collections/3.2/commons-collections-3.2.pom HTTP/1.1
22:38:23.795 [DEBUG] [org.apache.http.headers] >> HEAD http://repo1.maven.org/maven2/commons-collections/commons-collections/3.2/commons-collections-3.2.pom HTTP/1.1
22:38:23.796 [DEBUG] [org.apache.http.headers] >> Accept-Encoding: gzip,deflate
22:38:23.797 [DEBUG] [org.apache.http.headers] >> Host: repo1.maven.org
22:38:23.797 [DEBUG] [org.apache.http.headers] >> Proxy-Connection: Keep-Alive
22:38:23.797 [DEBUG] [org.apache.http.headers] >> User-Agent: Gradle/1.9 (Windows 7;6.1;amd64) (Oracle Corporation;1.7.0_11;23.6-b04)
22:38:23.798 [DEBUG] [org.apache.http.headers] >> Proxy-Authorization: NTLM XYZSOMEVALUE==
22:38:23.891 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Receiving response: HTTP/1.1 407 authenticationrequired
22:38:23.892 [DEBUG] [org.apache.http.headers] << HTTP/1.1 407 authenticationrequired
22:38:23.892 [DEBUG] [org.apache.http.headers] << Via: 1.1 xx.xx.xx.xx (McAfee Web Gateway xx.xx.xx.xx.0.16052)
22:38:23.893 [DEBUG] [org.apache.http.headers] << Content-Type: text/html
22:38:23.893 [DEBUG] [org.apache.http.headers] << Cache-Control: no-cache
22:38:23.894 [DEBUG] [org.apache.http.headers] << Proxy-Connection: Keep-Alive
22:38:23.894 [DEBUG] [org.apache.http.headers] << Proxy-Authenticate: NTLM XXXXSOMEVALUE
22:38:23.895 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authentication required
22:38:23.895 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] XX.XX.XX.XX:8080 requested authentication
22:38:23.895 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Authorization challenge processed
22:38:23.896 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnection] Connection 0.0.0.0:55508<->XX.XX.XX.XX:8080 closed
22:38:23.897 [DEBUG] [org.apache.http.impl.client.SystemDefaultHttpClient] Resetting proxy auth state
22:38:23.897 [DEBUG] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to XX.XX.XX.XX:8080
22:38:23.991 [DEBUG] [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match

Generated at Wed Jun 30 12:27:42 CDT 2021 using Jira 8.4.2#804003-sha1:d21414fc212e3af190e92c2d2ac41299b89402cf.