basic authorization header lost on https REST webservice


#1

Postby bartbaas » Tue Mar 15, 2022 10:49 am

Good morning,

We found out this morning that on a REST webservice resource, the header of basic authentication seems to be dropped in communication when using an https url.

We set up a REST webservice, and for the default endpoint we configured endpoint security as follows:
tab http-security, enable http authentication, type basic, set a username and password to &&username and &&password
(we set those dynamically, based on an environment variable)

The logging (debug checked) returns that we wish to authenticate through negotiation, which is the default behaviour when no authorization header is used:
HTTP/1.0 401 <html><head><title>Error</title></head><body>Unauthorized</body></html>
Strict-Transport-Security:max-age=15552000; includeSubDomains; preload&Cache-Control:no-cache, no-store, must-revalidate&Server:JBoss-EAP/7&WWW-Authenticate:Negotiate&Connection:keep-alive&Set-Cookie:NSC_JOcw2eu5doappvmeyuypkhc0v0trvcm=ffffffff092a3a5845525d5f4f58455e445a4a4229a0;Version=1;Max-Age=120;path=/;secure;httponly&Expires:0&Pragma:no-cache&Content-Length:71&Date:Tue, 15 Mar 2022 09:23:37 GMT&X-Powered-By:Undertow/1&Content-Type:text/html;charset=UTF-8

We confirmed this by using curl to do the same POST request. With header, good response, without, a 401 response like above.
Attachments
basic_auth_config.png

Re: basic authorization header lost on https REST webservice

#2

Postby bartbaas » Tue Mar 15, 2022 10:51 am

We managed a workaround for now by adding an Authorization header specifically, containing the same information.
Attachments
basic_auth_hdr.png

Re: basic authorization header lost on https REST webservice

#3

Postby Steve » Tue Mar 15, 2022 2:23 pm

Hi Bart,

It looks as though the REST resource does not do the negotiate part. I will add this to our bug system to be investigated.

Kind regards

Steve

Re: basic authorization header lost on https REST webservice

#4

Postby Steve » Thu Mar 17, 2022 11:54 am

Hi Bart,

I think this might be an issue with Apache Http Client... We pass on all the authentication to that.

If you are using pre-5.10.2, please add the following logger to log4j.xml:

<logger name="org.apache.http" additivity="false">
    <level value="ALL" />
    <appender-ref ref="SYSLOG"/>
</logger>

If you are using 5.10.2 please add the following logger to log4j2.xml:

<Logger name="org.apache.http" level="ALL" additivity="false">
    <AppenderRef ref="Console" />
    <AppenderRef ref="File" />
</Logger>

These files can be found in the following location:

Verjio-Install-Dir\UserData\Server\apps\ebase\ebaseConf

If you are using the embedded server in the studio:

C:\Users\<username>\Verjio\Studio\embeddedServer\app\ebaseConf

Restart the server, try again, and then send a snippet from the log to support@ebasetech.com.

The logs location is here:

Verjio-Install-Dir\UserData\Server\apps\ebase\logs

Kind regards

Steve

Re: basic authorization header lost on https REST webservice

#5

Postby bartbaas » Tue Mar 22, 2022 8:11 am

Thanks! I'll gather the logging and post it here.

Re: basic authorization header lost on https REST webservice

#6

Postby bartbaas » Tue Mar 22, 2022 8:52 am

Please find attached the logfile. It seems it tries basic authentication last, but fails.
I can't find any authorization header either.

Re: basic authorization header lost on https REST webservice

#7

Postby bartbaas » Tue Mar 22, 2022 9:04 am

Ah "The extension log is not allowed." as zip, then
Attachments
logfile_apache_http.zip

Re: basic authorization header lost on https REST webservice

#8

Postby Steve » Tue Mar 29, 2022 9:00 am

Hi Bart,

Thanks for the logs. You are right. The Authorization header is not attempted after the WWW-Authenticate is returned.

I still think this is a bug with the Apache HttpClient we are using. But it could also be our implementation of the Basic Authentication .. as it just passes this onto HttpClient.

I will need to investigate further. But your workaround by explicitly setting the Authorize header would be the only short term fix for this.

Kind regards

Steve
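
A way to check, from the 401 logged in post #1, which authentication schemes the server actually offers, and to build the explicit Authorization value used as the workaround. This is an added example, not code from the thread, Verj.io or Apache HttpClient. It assumes the debug log joins response headers as Name:value pairs with "&", and all function names are hypothetical.

```javascript
// Added example (not Verj.io or Apache HttpClient code).
// Assumption: the debug log joins response headers as "Name:value" pairs with "&".
const SAMPLE_DUMP = // shortened excerpt of the logged 401 response from post #1
  'Server:JBoss-EAP/7&WWW-Authenticate:Negotiate&Connection:keep-alive' +
  '&Content-Length:71&Date:Tue, 15 Mar 2022 09:23:37 GMT';

// Split the logged dump into a map of lower-cased header name -> list of values.
function parseLoggedHeaders(dump) {
  const headers = new Map();
  for (const pair of dump.split('&')) {
    const idx = pair.indexOf(':');
    if (idx <= 0) continue; // not a Name:value pair
    const name = pair.slice(0, idx).trim().toLowerCase();
    const value = pair.slice(idx + 1).trim();
    headers.set(name, [...(headers.get(name) || []), value]);
  }
  return headers;
}

// Extract the auth schemes offered in WWW-Authenticate values (RFC 7235).
// Simplified: assumes no commas inside quoted parameter values.
function offeredSchemes(values) {
  const schemes = [];
  for (const value of values) {
    for (const part of value.split(',')) {
      // A scheme is a token followed by whitespace or end; "key=value" params do not match.
      const m = /^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+|$)/.exec(part.trim());
      if (m) schemes.push(m[1].toLowerCase());
    }
  }
  return schemes;
}

// Build the explicit header value per RFC 7617: "Basic " + base64(user:password).
function basicAuthHeader(username, password) {
  if (username.includes(':')) throw new Error('user-id must not contain ":"');
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Report whether the logged response ever asks the client for Basic credentials.
function diagnose(status, dump) {
  const schemes = offeredSchemes(parseLoggedHeaders(dump).get('www-authenticate') || []);
  const basicOffered = schemes.includes('basic');
  return { schemes, basicOffered, explicitHeaderNeeded: status === 401 && !basicOffered };
}
```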