You are not getting an authorization header field because of the digest authentication workflow. See here for more details, but basically:
- Client makes a request with no
Authorization
header Server responds with a 401 status and a
WWW-Authenticate
header that looks something like:Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
Client repeats the request with the correct
Authorization
header now that it has digest info from server
From the client side, this is all handled by the Jersey HTTPDigestAuthFilter
. So, the filter makes the request without an Authorization
header first, and your server should return a 401 status with a WWW-Authenticate
header that has the necessary Digest info. Then the filter repeats the request with the correct Authorization
header, and your server should authenticate and return the content.
After this initial handshake, the HTTPDigestAuthFilter
remembers the necessary digest info, so for all requests after the very first request, the Authorization
header will be included.