HTTP digest authentication against remote SPARQL endpoint broken when using latest AuthLib approach (jena-arq) #1233

Closed
costas80 opened this issue Mar 24, 2022 · 5 comments

Comments

@costas80

When switching to the latest approach to authenticate against a remote SPARQL endpoint using digest authentication I noticed that authentication no longer worked.

Looking into the jena-arq code the problem seems to be with class org.apache.jena.http.auth.AuthLib and specifically method handle401(). In here, when method DigestLib.buildDigest() is called, the request method and request target parameters seem to be passed in inverse order. Doing a simple debug on my end and switching these values around seems to resolve the issue.

Could you please confirm on your end? If yes, then I would be happy to submit a PR that resolves this.
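The effect of the swapped arguments described above, as an added example that is not part of the original issue and not Jena's code: in the RFC 2617 digest scheme, A2 is `Method ":" digest-uri`, so reversing the two changes the hash and the server's recomputed value no longer matches. The class `DigestOrderDemo` and its helpers are hypothetical; the credentials, nonce and expected response are the RFC 2617 section 3.5 example values, and only MD5 with `qop=auth` is covered.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestOrderDemo {
    // Lowercase hex MD5, as used by the RFC 2617 "MD5" algorithm.
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical helper (not Jena's DigestLib): request-digest for qop=auth.
    // 'method' and 'uri' are both Strings, so passing them swapped still compiles.
    static String response(String user, String realm, String password,
                           String method, String uri,
                           String nonce, String nc, String cnonce) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri); // A2 = Method ":" digest-uri
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) {
        // Values from the RFC 2617 section 3.5 example exchange.
        String user = "Mufasa", realm = "testrealm@host.com", password = "Circle Of Life";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String nc = "00000001", cnonce = "0a4f113b";
        String method = "GET", uri = "/dir/index.html";
        String rfcResponse = "6629fae49393a05397450978507c4ef1";

        // What a conforming server recomputes, versus the swapped call.
        String correct = response(user, realm, password, method, uri, nonce, nc, cnonce);
        String swapped = response(user, realm, password, uri, method, nonce, nc, cnonce);

        System.out.println("correct order: " + correct
                + " matches RFC value: " + correct.equals(rfcResponse));
        System.out.println("swapped order: " + swapped
                + " matches RFC value: " + swapped.equals(rfcResponse));
    }
}
```

A unit test that pins the helper to the RFC example response catches this kind of argument swap, since the compiler cannot.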

@afs
Member

afs commented Mar 24, 2022

It is wrong - I'll add some tests for digest auth that are missing.

Please do submit a PR.

@costas80
Author

PR ready. I would be happy to make the update also for the 4.3.2 release (which I am currently using). To do this, do you first need to create a relevant branch in the jena repo?

afs added a commit to afs/jena that referenced this issue Mar 25, 2022
@afs
Member

afs commented Mar 25, 2022

The project works on a release tick cycle - release every 3-4 months.

We have a finite amount of people time. So the community has to decide what they want. Bug fix releases would mean less elsewhere.

We have settled on the regular (every 3-4 months) releases and use @deprecated to signal changes rather than run multiple development release branches. Jena isn't in a state of large-scale changes.

4.3.1 was important because it updates to log4j 2.16.0 and the log4j security issues.

Jena 4.4.0 further updates to log4j 2.17.1. You should be able to use Jena 4.4.0 (and Jena 4.5.0).

The fix is now in the code base and the next run of snapshot builds (I've just kicked off a build) will put the development snapshots into: https://repository.apache.org/content/groups/snapshots/org/apache/jena/

@costas80
Author

Thanks @afs. I accept your point on multiple development branches and will plan an upgrade to the latest version.

afs added a commit that referenced this issue Mar 26, 2022
@afs
Member

afs commented Mar 26, 2022

Tests for digest auth added.
