hc-dev mailing list archives

From "Matthew Stevenson (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-523) SPNEGO authentication scheme
Date Mon, 22 Jun 2009 21:34:07 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722842#action_12722842 ]

Matthew Stevenson commented on HTTPCLIENT-523:
----------------------------------------------

Below should work with the JBoss Negotiation package with JDK 1.6. IIS7 works with the Kerberos v5
Oid, JBoss does not. Not sure about other implementations. Would be nice if SPNEGO was
backported to 1.5 but not going to happen.

    // Fragment of the scheme class: LOG, context, state and INITIATED are declared
    // elsewhere in the enclosing class (not shown).
    // Needs org.ietf.jgss.GSSContext, GSSException, GSSManager, GSSName and Oid.
    protected void init(String server) throws GSSException {
        LOG.debug("init " + server);
        /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
        // Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");

        /* Using the SPNEGO OID seems to be the correct method.
         * Above Kerberos v5 works for IIS but not JBoss. Unwrapping
         * the initial token when using SPNEGO OID looks like what is
         * described here...
         *
         * http://msdn.microsoft.com/en-us/library/ms995330.aspx
         *
         * Another helpful URL...
         *
         * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
         *
         * Unfortunately SPNEGO is JRE >=1.6.
         */

        String javaVersion = System.getProperty("java.runtime.version");
        LOG.debug("System.getProperty(\"java.runtime.version\") = " + javaVersion);
        Oid negotiationOid = null;
        // Matches 1.6.x runtime version strings only; any other version
        // string falls through to the Kerberos OID.
        if (javaVersion.matches("1\\.6.*")) {
            LOG.debug("Using SPNEGO OID");
            negotiationOid = new Oid("1.3.6.1.5.5.2");
        } else {
            LOG.debug("Using Kerberos OID");
            negotiationOid = new Oid("1.2.840.113554.1.2.2");
        }
        GSSManager manager = GSSManager.getInstance();
        // Target service principal for the HTTP server.
        GSSName serverName = manager.createName("HTTP/" + server, null);
        context = manager.createContext(serverName.canonicalize(negotiationOid),
                negotiationOid, null,
                GSSContext.DEFAULT_LIFETIME);
        // Request mutual authentication and delegation of the caller's
        // credentials to the server.
        context.requestMutualAuth(true);
        context.requestCredDeleg(true);
        state = INITIATED;
    }

> SPNEGO authentication scheme
> ----------------------------
>
>                 Key: HTTPCLIENT-523
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-523
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: Snapshot
>         Environment: Operating System: All
> Platform: All
>            Reporter: Mikael Wikström
>            Priority: Minor
>             Fix For: 4.1.0
>
>         Attachments: bcsLogin.conf, CustomAuthenticationNegotiateExample.java, CustomAuthenticationNegotiateExample.java, KerberosHttpClient.zip, NegotiateScheme.java, NegotiateScheme.java, run.sh, submitclient.tar.gz
>
>
> Consider integrating the SPNEGO auth scheme from Commons HttpClient contrib package into HttpClient 4.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
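
Added example, not part of the original message or of HttpClient: the OID passed to createContext in the comment above ends up as the mechanism OID at the start of the initial GSS-API token (RFC 2743, section 3.1), so decoding that prefix from an Authorization header shows whether a client sent a SPNEGO-wrapped or a raw Kerberos v5 token. The class and method names (NegotiateTokenMech, mechOf, describe) are hypothetical, and the two header values are constructed samples containing only the framing, the OID and two placeholder bytes.

```java
import java.util.Arrays;
import java.util.Base64;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/** Added example: names the GSS-API mechanism announced by an initial Negotiate token. */
public class NegotiateTokenMech {
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /** RFC 2743 section 3.1 framing: 0x60, DER length, then the mechanism OID (tag 0x06). */
    static String mechOf(byte[] tok) throws GSSException {
        if (tok.length < 4 || (tok[0] & 0xff) != 0x60) {
            throw new IllegalArgumentException("no 0x60 InitialContextToken framing");
        }
        int pos = 2;                          // first octet after a short-form length
        int len = tok[1] & 0xff;
        if (len >= 0x80) {                    // long form: low 7 bits count the length octets
            int n = len & 0x7f;
            if (n == 0 || n > 4) throw new IllegalArgumentException("unsupported DER length");
            pos += n;
        }
        // A negative byte at tok[pos + 1] would be a long-form OID length, which is rejected.
        if (pos + 2 > tok.length || tok[pos] != 0x06 || tok[pos + 1] < 0
                || pos + 2 + tok[pos + 1] > tok.length) {
            throw new IllegalArgumentException("mechanism OID missing or truncated");
        }
        // Oid(byte[]) expects the full DER encoding, tag and length included.
        return new Oid(Arrays.copyOfRange(tok, pos, pos + 2 + tok[pos + 1])).toString();
    }

    /** Takes the value of an Authorization request header sent by the client. */
    static String describe(String headerValue) throws GSSException {
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) {
            return "not a Negotiate header";
        }
        String oid = mechOf(Base64.getDecoder().decode(parts[1]));
        if (SPNEGO_OID.equals(oid)) return "SPNEGO-wrapped token (" + oid + ")";
        if (KRB5_OID.equals(oid)) return "raw Kerberos v5 token (" + oid + ")";
        return "other mechanism (" + oid + ")";
    }

    public static void main(String[] args) throws GSSException {
        // Constructed samples: framing and OID only, followed by two placeholder bytes.
        System.out.println(describe("Negotiate YAoGBisGAQUFAqAA"));
        System.out.println(describe("Negotiate YA0GCSqGSIb3EgECAgEA"));
    }
}
```

Server replies in a SPNEGO exchange use a different outer structure and are rejected by mechOf, so this applies to the client's first request only.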

