lilinkevin / rest-assured

Automatically exported from code.google.com/p/rest-assured
0 stars 0 forks source link

auth().basic() doesn't work with DELETE #386

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. given().auth().basic('foo', 'bar').delete('something')

What is the expected output? What do you see instead?
The Authorization header is not sent, while the same authorization works fine 
with POST and GET. To have authorization working with DELETE, I need to 
manually set a proper Authorization header.

What version of the product are you using? On what operating system?
rest-assured 2.4.0
OS X Yosemite
java version "1.8.0_05"

Please provide any additional information below.
When I enable logging with given().log().all().auth().basic(), the 
Authorization header is not logged even for the GET/POST requests (which may be 
another bug), but it seems to be sent, since those requests work (and they 
certainly fail without authorization, which I double checked with curl).

Original issue reported on code.google.com by jacek.ku...@gmail.com on 19 Feb 2015 at 8:55

GoogleCodeExporter commented 9 years ago
Does it work with preemptive basic auth?

Original comment by johan.ha...@gmail.com on 16 Mar 2015 at 11:10

GoogleCodeExporter commented 9 years ago
Yes, preemptive basic auth works fine. Shall we still consider this a bug then?

Original comment by jacek.ku...@gmail.com on 16 Mar 2015 at 3:10

GoogleCodeExporter commented 9 years ago
Don't know. Need to read up upon this. Perhaps non-preemptive basic auth 
shouldn't work with delete or perhaps the challenge is not commenced by the 
server?

Original comment by johan.ha...@gmail.com on 16 Mar 2015 at 3:50

GoogleCodeExporter commented 9 years ago
Looks like the server (which is the Bitbucket REST API) indeed doesn't send an 
authentication request - it immediately sends a 403 instead of a 401 with a 
WWW-Authenticate header.

Original comment by jacek.ku...@gmail.com on 16 Mar 2015 at 4:01

GoogleCodeExporter commented 9 years ago
Ok so that seem explains why it doesn't work. I don't see any reason why basic 
auth shouldn't work with DELETE requests so I think that perhaps it's an 
invalid issue? What do you think?

Original comment by johan.ha...@gmail.com on 16 Mar 2015 at 4:14

GoogleCodeExporter commented 9 years ago
My only concern is why other HTTP methods work with the non-preemptive auth 
(e.g. GET works even though the server behaves similarly to DELETE, i.e. sends 
a 403 instead of a 401 if no auth header is present).

Original comment by jacek.ku...@gmail.com on 17 Mar 2015 at 10:12

GoogleCodeExporter commented 9 years ago
Oh sorry I forgot about that. I know this could be a bit much to ask but would 
it be possible for you to check in wireshark (or something similar) and compare 
the differences between the REST Assured and the "other framework" request when 
you try to do basic auth? Couldn't it be that the other frameworks are indeed 
using preemptive basic auth? It's very hard for me to fix this problem without 
knowing this. I would kind of tumble in the dark. 

Original comment by johan.ha...@gmail.com on 17 Mar 2015 at 11:07