HTTPCLIENT-2393 - remove rspauth from Authorization (#716)

arturobernalg · arturobernalg · commit 4466cca4a102 · 2025-09-14T19:16:45.000+02:00
RFC 7616 compliance: rspauth is server-side (Authentication-Info §3.5) only. (cherry picked from commit 89da742)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java
@@ -471,7 +471,6 @@ private String createDigestResponse(final HttpRequest request) throws Authentica
             params.add(new BasicNameValuePair("qop", qop == QualityOfProtection.AUTH_INT ? "auth-int" : "auth"));
             params.add(new BasicNameValuePair("nc", nc));
             params.add(new BasicNameValuePair("cnonce", cnonce));
-            params.add(new BasicNameValuePair("rspauth", hasha2));
         }
         if (algorithm != null) {
             params.add(new BasicNameValuePair("algorithm", algorithm));
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestDigestScheme.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestDigestScheme.java
@@ -903,7 +903,7 @@ void testDigestAuthenticationWithNonAsciiUsername() throws Exception {
     }
 
     @Test
-    void testRspAuthFieldAndQuoting() throws Exception {
+    void testRspAuthFieldNotPresentClient() throws Exception {
         final ClassicHttpRequest request = new BasicClassicHttpRequest("POST", "/");
         final HttpHost host = new HttpHost("somehost", 80);
         final CredentialsProvider credentialsProvider = CredentialsProviderBuilder.create()
@@ -921,7 +921,8 @@ void testRspAuthFieldAndQuoting() throws Exception {
 
         final Map<String, String> table = parseAuthResponse(authResponse);
 
-        Assertions.assertNotNull(table.get("rspauth"));
+        Assertions.assertNotNull(table);
+        Assertions.assertNull(table.get("rspauth"));
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -471,7 +471,6 @@ private String createDigestResponse(final HttpRequest request) throws Authentica`
`471`	`471`	`params.add(new BasicNameValuePair("qop", qop == QualityOfProtection.AUTH_INT ? "auth-int" : "auth"));`
`472`	`472`	`params.add(new BasicNameValuePair("nc", nc));`
`473`	`473`	`params.add(new BasicNameValuePair("cnonce", cnonce));`
`474`		`- params.add(new BasicNameValuePair("rspauth", hasha2));`
`475`	`474`	`}`
`476`	`475`	`if (algorithm != null) {`
`477`	`476`	`params.add(new BasicNameValuePair("algorithm", algorithm));`
Original file line number	Diff line number	Diff line change
`@@ -903,7 +903,7 @@ void testDigestAuthenticationWithNonAsciiUsername() throws Exception {`
`903`	`903`	`}`
`904`	`904`
`905`	`905`	`@Test`
`906`		`- void testRspAuthFieldAndQuoting() throws Exception {`
	`906`	`+ void testRspAuthFieldNotPresentClient() throws Exception {`
`907`	`907`	`final ClassicHttpRequest request = new BasicClassicHttpRequest("POST", "/");`
`908`	`908`	`final HttpHost host = new HttpHost("somehost", 80);`
`909`	`909`	`final CredentialsProvider credentialsProvider = CredentialsProviderBuilder.create()`
`@@ -921,7 +921,8 @@ void testRspAuthFieldAndQuoting() throws Exception {`
`921`	`921`
`922`	`922`	`final Map<String, String> table = parseAuthResponse(authResponse);`
`923`	`923`
`924`		`- Assertions.assertNotNull(table.get("rspauth"));`
	`924`	`+ Assertions.assertNotNull(table);`
	`925`	`+ Assertions.assertNull(table.get("rspauth"));`
`925`	`926`	`}`
`926`	`927`
`927`	`928`	`@Test`