HTTP Authentication - Java Http Client is missing header that is present via curl

Question

I'm trying to send a simple GET to an HTTP endpoint with java.net.http.HttpClient. The endpoint requires basic authentication. Simple enough, I'm doing what everyone's doing:

HttpClient httpClient = HttpClient.newBuilder()
                                  .version(HttpClient.Version.HTTP_1_1)
                                  .authenticator(new Authenticator(){
                                    @Override
                                    protected PasswordAuthentication getPasswordAuthentication() {
                                      return new PasswordAuthentication("guest","guest".toCharArray());
                                    }
                                   })
                                  .build();
HttpRequest request = HttpRequest.newBuilder()
                                 .GET()
                                 .uri(URI.create("localhost:15672/api/overview")
                                 .build();
HttpResponse<Void> httpResponse = httpClient.send(request, HttpResponse.BodyHandlers.discarding());

However, this throws an IOException "WWW-Authenticate header missing for response code 401". It is not completely unreasonable to me that the server initially responds with 401 and the client then re-tries the request with the help of the Authenticator. The header is mandatory and if it is absent, that warrants an exception.

So far, so good. However, when I do the same request via curl, the header is present:

> curl -i http://localhost:15672/api/overview
HTTP/1.1 401 Unauthorized
content-length: 0
content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
date: Thu, 08 Jul 2021 11:06:45 GMT
server: Cowboy
vary: origin
www-authenticate: Basic realm="RabbitMQ Management"

What am I doing wrong here?

On Java 17, ran into the same problem. I had to build the Authorzation header from scratch (Basic + base64 encoding username and password) and add it on the request. — Sean Anderson, Jul 17 '22 at 17:06
Same for me with JDK 11, manually building the headers worked. — Karim Sonbol, Sep 02 '22 at 14:14

score 0 · Accepted Answer · answered Jul 09 '21 at 07:01

In the mean time I found out what the problem was: The server I'm contacting is buggy. The first GET returned exactly what is shown as the curl result. The Java HttpClient reacted correctly and sent a second GET with credentials. The credentials were wrong (for testing purposes) but the response was not a 403 as one would expect, but another 401 and this second 401 response is the one missing the header.

lance-java · Answer 2 · 2021-07-08T12:30:42.330

-1

For basic authorization, you can do

String plainCreds = "myuser:mypassword";
byte[] base64Bytes = Base64.encodeBase64(plainCreds.getBytes());

HttpRequest request = HttpRequest.newBuilder()
   .get()
   .uri(URI.create("localhost:15672/api/overview"))
   .header("Authorization", "Basic " + new String(base64Bytes))
   .build();

edited Jul 08 '21 at 12:30

answered Jul 08 '21 at 12:25

lance-java

25,497
4
59
101

I know, but I want to know why my approach does not work. The Java Http Client should do this automatically if I understand correctly. It also does not explain why I'm getting the exception. – Johannes Hahn Jul 08 '21 at 12:45
I believe you should be using [BasicCredentialsProvider](https://www.baeldung.com/httpclient-4-basic-authentication) instead of PasswordAuthentication – lance-java Jul 08 '21 at 14:59
That is for the Apache HttpClient, not the JDK one – Johannes Hahn Jul 08 '21 at 19:48

HTTP Authentication - Java Http Client is missing header that is present via curl

2 Answers2