HttpGet 401 status code followed by 200 status code

Question

I am facing a strange behaviour using the Apachage HttpComponent to access a webservice.

I have access to the server log and when I am trying to connect to the server and execute the httpGet command I can see in the log at first a 401 status (http Unauthorized) and then a 200 (http OK).

The 2 attempts take place during the "httpClient.execute(httpGet)"

So I am searching how to avoid this behaviour. Any ideas ?

Here is the following code I am currently using :

HttpGet httpGet = new HttpGet(this.url + request);

HttpParams httpParameters = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(httpParameters,3000);
HttpConnectionParams.setSoTimeout(httpParameters,5000);

DefaultHttpClient httpClient = new DefaultHttpClient(httpParameters);
Credentials creds = new UsernamePasswordCredentials(login, password);
httpClient.getCredentialsProvider().setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT), creds);

HttpResponse response = httpClient.execute(httpGet);
int status = response.getStatusLine().getStatusCode();
Log.v(this, "Response code status: " + status); // code status = 200 (even if a 401 and then a 200 are visible in the server log).

For information, I am using this code for an Android application.

possible duplicate of [Preemptive Basic authentication with Apache HttpClient 4](http://stackoverflow.com/questions/2014700/preemptive-basic-authentication-with-apache-httpclient-4) — Brett Okken, Jan 07 '15 at 13:09

score 4 · Answer 1 · answered Jan 07 '15 at 11:42

4

That is the regular behaviour for a HTTP client: The first request is sent without authentication. If the server returns 401, try again with the required credentials. A web browser would in most cases prompt you for user and password. Since you already provided the credentials in your code it can go ahead and try again.

The result you receive is the response after the request with credentials.

answered Jan 07 '15 at 11:42

Thomas Stets

3,015
4
17
29

Thank you for your answer. Is there any way to force the use of the crendential at the first request ? – Joze Jan 07 '15 at 12:28
1

Not sure. Try googling for "preemptive authentication" – Thomas Stets Jan 07 '15 at 12:32

score 2 · Answer 2 · edited May 23 '17 at 12:33

To solve my problem, I used an answer (Adam Batkin) from another question related to my problem : Preemptive Basic authentication with Apache HttpClient 4 (Thanks Bret Okken for the link).

I finally had the following line :

httpGet.addHeader(BasicScheme.authenticate(creds, "UTF8", false));

To get a code like this :

HttpGet httpGet = new HttpGet(this.url + request);

HttpParams httpParameters = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(httpParameters,3000);
HttpConnectionParams.setSoTimeout(httpParameters,5000);

DefaultHttpClient httpClient = new DefaultHttpClient(httpParameters);
Credentials creds = new UsernamePasswordCredentials(login, password);
httpClient.getCredentialsProvider().setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT), creds);

httpGet.addHeader(BasicScheme.authenticate(creds, "UTF8", false));

HttpResponse response = httpClient.execute(httpGet);
int status = response.getStatusLine().getStatusCode();
Log.v(this, "Response code status: " + status);

Thanks Thomas Stets for the interesting answer.

HttpGet 401 status code followed by 200 status code

2 Answers2

Linked