Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 357719

Summary: HTTP authentication fails when server returns multiple WWW-Authenticate headers
Product: [Technology] JGit Reporter: Tim Pettersen <tim>
Component: JGitAssignee: Project Inbox <jgit.core-inbox>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: matthias.sohn
Version: unspecified   
Target Milestone: 3.0.2   
Hardware: PC   
OS: Windows XP   
Whiteboard:

Description Tim Pettersen CLA 2011-09-15 00:25:03 EDT 
Build Identifier: M20090917-0800

The first line of  org.eclipse.jgit.transport.HttpAuthMethod#scanResponse(HttpURLConnection) checks the response returned from the Git server for a "WWW-Authenticate" header. However, if there a multiple WWW-Authenticate headers defined (which is valid, servers may support multiple methods of authentication) it will only check the last one, and declare that no supported auth challenge was found if it doesn't contain Basic or Digest.

Instead, it should iterate through the available WWW-Authenticate headers, checking whether any of them contain a supported authentication method.

Reproducible: Always
Comment 1 Matthias Sohn CLA 2011-09-29 05:05:05 EDT 
this is a problem in JGit
Comment 2 Matthias Sohn CLA 2013-06-20 19:17:00 EDT 
proposed patch by Alex Rukhlin https://git.eclipse.org/r/#/c/13285/
Comment 3 Matthias Sohn CLA 2013-06-23 18:03:22 EDT 
merged as 98dd6e6abdba75d05f03b5b073659efe53182dc6
Comment 4 Matthias Sohn CLA 2013-08-26 02:28:22 EDT 
cherry-picked for 3.0.2