hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-1067) Cross realm authentication doesn't work
Date Mon, 07 Mar 2011 10:24:59 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13003312#comment-13003312 ]

Oleg Kalnichevski commented on HTTPCLIENT-1067:
-----------------------------------------------

Gaurav,

Your code uses two classes (KrbException and Config) from Sun internal package 'sun.security.krb5'
which makes it non-portable to other JREs. Can the #mapDomainToRealm method be implemented
using public JRE only?

Oleg

> Cross realm authentication doesn't work
> ---------------------------------------
>
>                 Key: HTTPCLIENT-1067
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1067
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1 Final
>            Reporter: Gaurav Singhal
>              Labels: httpclient
>         Attachments: NegotiateScheme.java
>
>
> Cross realm authentication doesn't work because of an incomplete server SPN passed into GSS-API.
> Class Name: NegotiateScheme
> Line # 205 (GSSName serverName = manager.createName("HTTP/" + authServer, null);)
> This piece of code doesn't append the server realm while creating the name. Because of the null
> server realm, the JDK always appends the default realm by reading the krb5.conf file. But there can be
> a case where the server realm is different from the default realm configured in the krb5.conf file.
> Modified code:
> ----------------------------------------------------------------------------------------------------------------------------------------
> String strServerName = Krb5Utility.mapDomainToRealm(authServer);
> strServerName = strServerName == null ? "" : ("@" + strServerName);
> GSSName serverName = manager.createName("HTTP/" + authServer + strServerName, null);
> ----------------------------------------------------------------------------------------------------------------------------------------
> Krb5Utility.mapDomainToRealm method code
> ----------------------------------------------------------------------------------------------------------------------------------------
> public static String mapDomainToRealm(String name) {
> 	String result = null;
> 	try {
> 		String subname = null;
> 		Config c = Config.getInstance();
> 		if ((result = c.getDefault(name, "domain_realm")) != null)
> 			return result;
> 		else {
> 			for (int i = 1; i < name.length(); i++) {
> 				// mapping could be .ibm.com = AUSTIN.IBM.COM
> 				if ((name.charAt(i) == '.') && (i != name.length() - 1)) {
> 					subname = name.substring(i);
> 					result = c.getDefault(subname, "domain_realm");
> 					if (result != null) {
> 						break;
> 					} else {
> 						// or mapping could be ibm.com = AUSTIN.IBM.COM
> 						subname = name.substring(i + 1);
> 						result = c.getDefault(subname, "domain_realm");
> 						if (result != null) {
> 							break;
> 						}
> 					}
> 				}
> 			}
> 		}
> 	} catch (KrbException e) {
> 	}
> 	return result;
> }
> ----------------------------------------------------------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

