{
private readonly HttpMessageHandler _innerHandler;
private readonly bool _preAuthenticate;
- private readonly ICredentials _credentials;
+ private ICredentials _credentials;
private AuthenticationHelper.DigestResponse _digestResponse;
public AuthenticationHandler(bool preAuthenticate, ICredentials credentials, HttpMessageHandler innerHandler)
HttpResponseMessage response = await _innerHandler.SendAsync(request, cancellationToken).ConfigureAwait(false);
- if (!_preAuthenticate && response.StatusCode == HttpStatusCode.Unauthorized)
+ // In case of redirection, ensure _credentials as CredentialCache
+ if (response.StatusCode == HttpStatusCode.MultipleChoices ||
+ response.StatusCode == HttpStatusCode.Moved ||
+ response.StatusCode == HttpStatusCode.Found ||
+ response.StatusCode == HttpStatusCode.SeeOther ||
+ response.StatusCode == HttpStatusCode.TemporaryRedirect)
+ {
+ // Just as with WinHttpHandler and CurlHandler, for security reasons, we drop the server credential if it is
+ // anything other than a CredentialCache. We allow credentials in a CredentialCache since they
+ // are specifically tied to URIs.
+ _credentials = _credentials as CredentialCache;
+ }
+ else if (_credentials != null && !_preAuthenticate && response.StatusCode == HttpStatusCode.Unauthorized)
{
HttpHeaderValueCollection<AuthenticationHeaderValue> authenticateValues = response.Headers.WwwAuthenticate;
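Review bot: The assignment `_credentials = _credentials as CredentialCache;` in the redirect branch mutates the handler's own field, so a single redirect response permanently strips a non-CredentialCache credential from every later request sent through this handler instance, including requests to the original origin that never redirected; the field also had to lose `readonly` for this, and it is written from SendAsync with no synchronization against concurrent sends. If the handler is shared across requests (as one installed in an HttpClient normally is), the drop should be scoped to the redirected request rather than the handler — for example have the outer redirect handler mark the follow-up request and have this handler pick the credential per call, `ICredentials credentials = isRedirectedRequest ? _credentials as CredentialCache : _credentials;`, keeping the field `readonly`. The five-way status comparison would read more clearly as a small `IsRedirectStatus(HttpStatusCode)` helper, and if the target's `HttpStatusCode` exposes 308 (`PermanentRedirect`) it presumably belongs in the same list. The branch comment would be clearer as `// On a redirect response keep the credentials only if they are a CredentialCache, whose entries are bound to specific URIs.` SendAsync's body begins before and continues after this hunk.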
[Fact]
public async Task GetAsync_CredentialIsNetworkCredentialUriRedirect_StatusCodeUnauthorized()
{
- if (ManagedHandlerTestHelpers.IsEnabled)
- {
- // TODO #23129: The managed handler is currently getting Ok when it should be getting Unauthorized.
- return;
- }
-
var handler = new HttpClientHandler();
handler.Credentials = _credential;
using (var client = new HttpClient(handler))