#1729 Authentication is unnecessarily sent

Latest SVN
closed
RBRi
None
1
2016-08-17
2015-11-17
No

For the below code, authentication is sent to the second website, even if it is not the specified host.

Possible area is MainClientExec.execute()

    try (final WebClient webClient = new WebClient(BrowserVersion.CHROME)) {
        DefaultCredentialsProvider credentials = new DefaultCredentialsProvider();
        credentials.addCredentials("httpwatch", "hi", "www.httpwatch.com", -1, null);
        webClient.setCredentialsProvider(credentials);

        String url = "https://www.httpwatch.com/httpgallery/authentication/authenticatedimage/default.aspx?0.8471780607942492";
        webClient.getPage(url);
        System.out.println("---------------------------------------");

        // authentication is also sent here
        webClient.getPage("http://htmlunit.sf.net");
    }
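
A regression check for the behaviour reported above, as an added example that is not part of the original ticket or of HtmlUnit's own tests: two loopback servers on different ports stand in for the two sites, credentials are scoped to the first, and the run fails if the second ever receives an `Authorization` header. The class name, the `start` helper and the credentials are assumptions made for this example; it needs HtmlUnit 2.x on the classpath.

```java
import com.gargoylesoftware.htmlunit.DefaultCredentialsProvider;
import com.gargoylesoftware.htmlunit.WebClient;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
// Added example: class and helper names are hypothetical, credentials are constructed.
public class CredentialScopeCheck {
    // Loopback server that records each Authorization header it receives.
    // With challenge=true it answers 401 Basic until credentials arrive.
    static HttpServer start(List<String> seen, boolean challenge) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            String auth = exchange.getRequestHeaders().getFirst("Authorization");
            if (auth != null) seen.add(auth);
            byte[] body = "ok".getBytes();
            boolean deny = challenge && auth == null;
            if (deny) exchange.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
            exchange.getResponseHeaders().add("Content-Type", "text/plain");
            exchange.sendResponseHeaders(deny ? 401 : 200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        List<String> seenByA = new CopyOnWriteArrayList<>();
        List<String> seenByB = new CopyOnWriteArrayList<>();
        HttpServer a = start(seenByA, true);
        HttpServer b = start(seenByB, false);
        int portA = a.getAddress().getPort();
        int portB = b.getAddress().getPort();
        try (WebClient webClient = new WebClient()) {
            DefaultCredentialsProvider credentials = new DefaultCredentialsProvider();
            credentials.addCredentials("user", "secret", "127.0.0.1", portA, null); // scoped to A only
            webClient.setCredentialsProvider(credentials);
            webClient.getPage("http://127.0.0.1:" + portA + "/");
            webClient.getPage("http://127.0.0.1:" + portB + "/");
        } finally {
            a.stop(0);
            b.stop(0);
        }
        if (seenByA.isEmpty()) throw new AssertionError("A never saw credentials; check is not exercising auth");
        if (!seenByB.isEmpty()) throw new AssertionError("credentials leaked to B: " + seenByB.size() + " request(s)");
        System.out.println("OK: credentials were sent to A only");
    }
}
```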

Discussion

  • RBRi - 2016-03-10

    Did some debugging for this. The root of the problem seems to be the reuse of the HttpContext for different hosts/ports/realms/schemes.

     
  • Hartmut Arlt - 2016-08-04

    Exactly, Ronald. But a feasible fix might be to unconditionally remove the target auth state from the context and use a shared authentication cache for all threads of a web client such that authentication is done only once (if needed). Patch attached.

    Tests with this modification worked fine for me.

    In case the proxy (and its authentication) is expected to change during the lifetime of a web-client instance, the proxy auth state needs to be removed as well.

    Thx,
    H

     
  • RBRi - 2016-08-15
    • status: open --> accepted
    • assigned_to: RBRi
     
  • RBRi - 2016-08-15

    Patch applied

     
    • Hartmut Arlt - 2016-08-17

      Thanks Ronald. Looks good to me.

       
      • RBRi - 2016-08-17

        Great, will close this.

         
  • RBRi - 2016-08-17
    • status: accepted --> closed
     
