Subject: Re: canonicalized host name for kerberos (SPNEGO)
From: Colm O hEigeartaigh
To: users@cxf.apache.org
Date: Tue, 28 Apr 2015 11:54:45 +0100
In-Reply-To: <553E677C.1050509@dm.cobite.com>

Would you be willing to submit a patch for this?

Colm.
On Mon, Apr 27, 2015 at 5:44 PM, David Mansfield wrote:
> Hi All,
>
> Most (*) SPNEGO client implementations will canonicalize a host name when
> using it to create a service principal.
>
> CXF seems to be an exception. If a CNAME is used, say:
> mywebservice.example.com is a CNAME for
> sysadmins-like-really-long-hostnames.example.com, most setups will expect
> a request for HTTP/sysadmins-like-really-long-hostnames.example.com@EXAMPLE.COM.
> In this case, CXF will not be able to authenticate.
>
> I note it IS possible to specify the servicePrincipalName directly, but
> that breaks the transparency of using a CNAME in the first place, as the
> configuration will need to reference the specific back-end providing the
> service.
>
> Providing hostname canonicalization will fix the need to "know" about the
> details behind the scenes.
>
> As this behavior would be a defaults-changing one, maybe we could add
> useCanonicalHostname=true/false (default false I guess).
>
> Implementation-wise, I think you need to get the socket, and then:
>
> socket.getInetAddress().getCanonicalHostName()
>
> This would replace:
> uri.getHost()
>
> that is currently used in
> org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier
>
>
> (*) Most that I have personally used :-)
>
> --
> Thanks,
> David Mansfield
> Cobite, INC.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
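As an added illustration (not CXF's code and not David's patch), the following sketches the proposed `useCanonicalHostname` switch in Java: the service principal is built from `uri.getHost()` by default and from the canonical name of the resolved address when the switch is on. The `HostResolver` interface, the `SpnBuilder` class and the CNAME table in `main` are assumptions made for this example so that it runs without live DNS.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Map;

public class SpnBuilder {
    /** Assumed seam so the example can run without DNS; the mail proposes
     *  taking the address from the connected socket instead. */
    interface HostResolver {
        String canonicalHostName(String host) throws UnknownHostException;
    }

    /** Resolver backed by java.net: forward lookup, then the reverse lookup
     *  that getCanonicalHostName() performs. */
    static final HostResolver DNS = host -> InetAddress.getByName(host).getCanonicalHostName();

    private final boolean useCanonicalHostname;
    private final HostResolver resolver;

    SpnBuilder(boolean useCanonicalHostname, HostResolver resolver) {
        this.useCanonicalHostname = useCanonicalHostname;
        this.resolver = resolver;
    }

    /** Builds "HTTP/<host>@<REALM>"; host is uri.getHost() unless the switch is on. */
    String serviceName(URI uri, String realm) throws UnknownHostException {
        String host = uri.getHost();
        if (useCanonicalHostname) {
            // The canonical name is whatever DNS (including the reverse lookup)
            // reports, so the proposal keeps this switch off by default.
            host = resolver.canonicalHostName(host);
        }
        return "HTTP/" + host + "@" + realm;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the CNAME from the mail mapped to its target.
        Map<String, String> cnames = Map.of(
            "mywebservice.example.com", "sysadmins-like-really-long-hostnames.example.com");
        HostResolver fake = host -> cnames.getOrDefault(host, host);

        URI uri = new URI("https://mywebservice.example.com/ws");
        // Switch off: the SPN names the CNAME straight from the URI (current CXF behaviour).
        System.out.println(new SpnBuilder(false, fake).serviceName(uri, "EXAMPLE.COM"));
        // Switch on: the SPN names the canonical back-end host that the KDC has a key for.
        System.out.println(new SpnBuilder(true, fake).serviceName(uri, "EXAMPLE.COM"));
    }
}
```

Replacing `fake` with `SpnBuilder.DNS` gives the live behaviour the mail describes, at the cost of depending on the resolver's forward and reverse records.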