Closed jerseyrobot closed 10 years ago
@glassfishrobot Commented Reported by russabaker_yahoo.com
@glassfishrobot Commented @mpotociar said: Reclassifying as improvement.
@glassfishrobot Commented @mpotociar said: This issue has most likely been fixed in Jersey 2.x ApacheConnector. Will not fix in Jersey 1.x.
@glassfishrobot Commented This issue was imported from java.net JIRA JERSEY-2186
@glassfishrobot Commented Marked as won't fix on Friday, February 7th 2014, 10:59:54 am
ApacheHttpClient4Handler does not use the recommended approach from httpcomponents for per client/per thread usage as stated in this URL: http://hc.apache.org/httpcomponents-client-4.2.x/tutorial/html/statemgmt.html. This is resulting in cookies being shared across requests when the HttpClient and the ApacheHttpClient4Handler are reused. Obviously this is a problem in an environment that is protected by an authentication system such as the Central Authentication Service (CAS), http://www.jasig.org/cas.
The httpcomponents site recommends that a BasicCookieStore be created and placed into a local context where the httpclient.execute() method is called.
For instance:
BasicHttpContext newLocalContext = new org.apache.http.protocol.BasicHttpContext();
BasicCookieStore basicCookieStore = new org.apache.http.impl.client.BasicCookieStore();
newLocalContext.setAttribute(org.apache.http.client.protocol.ClientContext.COOKIE_STORE, basicCookieStore);
httpclient.execute(..., newLocalContext);
This ensures that the cookie store will be associated with the current request and NOT shared across multiple requests.
Environment
all
Affected Versions
[1.17]
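The behaviour reported above can be reproduced offline with the following added example, which is not code from the issue or from Jersey. It assumes HttpClient 4.2.x on the classpath and Java 8; the class and method names, the loopback server and the `SESSION` cookie value are constructed for illustration. It prints the `Cookie` header the server receives from a second caller, first with the client's shared store and then with a fresh `BasicCookieStore` per request.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

public class CookieIsolationDemo {
    // Sends a GET and returns the response body, which is the Cookie header the server saw.
    static String cookieSeenByServer(HttpClient client, String url, HttpContext ctx) throws Exception {
        HttpGet req = new HttpGet(url);
        return EntityUtils.toString(
            (ctx == null ? client.execute(req) : client.execute(req, ctx)).getEntity());
    }
    // Local context with its own cookie store, as the issue recommends.
    static HttpContext freshContext() {
        HttpContext ctx = new BasicHttpContext();
        ctx.setAttribute(ClientContext.COOKIE_STORE, new BasicCookieStore());
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Constructed loopback server: echoes the Cookie header and sets a session cookie.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String seen = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = (seen == null ? "none" : seen).getBytes("UTF-8");
            ex.getResponseHeaders().add("Set-Cookie", "SESSION=user-a-secret; Path=/");
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/";
        HttpClient client = new DefaultHttpClient(); // one client reused by every caller
        try {
            cookieSeenByServer(client, url, null); // first caller: cookie goes to the shared store
            System.out.println("shared store:  " + cookieSeenByServer(client, url, null));
            cookieSeenByServer(client, url, freshContext()); // first caller, isolated store
            System.out.println("fresh context: " + cookieSeenByServer(client, url, freshContext()));
        } finally {
            client.getConnectionManager().shutdown();
            server.stop(0);
        }
    }
}
```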