hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails
Date Sat, 11 Oct 2014 11:49:33 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168107#comment-14168107
] 

Michael Osipov commented on HTTPCLIENT-1545:
--------------------------------------------

[~kfung], while this patch makes it work on Windows XP I am confused by the entire test.
First of all, the SPN should be {{HTTP/example.com}}. This is a hostname, not a realm. Second,
when does {{InitializeSecurityContext}} ever return {{SEC_E_DOWNGRADE_DETECTED}}? This isn't
documented in MSDN. It simply does not make sends with SPNEGO. It will automatically downgrade
from Kerberos to NTLM if Kerberos is not possible. I just wrote a simple C program on my Windows
XP box. Acquired Negotiate cred handle, intiated context for {{HTTP/example.com}} and received
NTLM type 1 token.

I can of course retry this at work with Windows in our forest environment but the result should
be the same.

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for HttpClient to
retry the authentication in an endless loop because the {{continueNeeded}} flag is not set
to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service principle name
that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message