hc-dev mailing list archives

From "Ka-Lok Fung (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails
Date Sun, 12 Oct 2014 08:45:33 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168571#comment-14168571

Ka-Lok Fung commented on HTTPCLIENT-1545:

There was a case in the original code where it was possible to get an infinite loop if {{InitializeSecurityContext}}
returned an error (doesn't matter what error, I just chose {{SEC_E_DOWNGRADE_DETECTED}} because
it happened in my environment). I fixed it and added this test case to make sure a regression
for this error doesn't happen again.

I agree that the SPN should be {{HTTP/example.com}}. However, before 1619373, it was using
the provided service principal name (which in the default case through {{WinHttpClients}}
would have been {{null}}) OR the username.

While the MSDN documentation doesn't say that {{SEC_E_DOWNGRADE_DETECTED}} can be returned,
it certainly happens in our testing. Our server-based authentication provider only supports
Kerberos and not NTLM; perhaps this is the cause for this error message. When this unit test
was run by Oleg on his Windows machine, the {{SEC_E_DOWNGRADE_DETECTED}} error didn't happen
for him either.

Hope this clarifies things.


> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, HTTPCLIENT-1545.v2.patch.diff
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for HttpClient to
> retry the authentication in an endless loop because the {{continueNeeded}} flag is not set
> to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service principal name
> that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).
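As an added illustration (not HttpClient's own code), here is a small Python model of the retry loop the report describes: a scheme whose native step, standing in for InitializeSecurityContext, keeps returning an error status, with the continue-needed flag either left set (the bug) or cleared on failure (the fix). All class and function names are assumptions, and the server and status values are constructed for the demo.

```python
class AuthenticationException(Exception):
    """Raised when the native step (stand-in for InitializeSecurityContext) fails."""


class NegotiateSchemeModel:
    """Hypothetical stand-in for WindowsNegotiateScheme: native_step returns (status, token);
    continue_needed tells the client whether another leg is required."""

    def __init__(self, native_step, clear_on_error):
        self.native_step = native_step
        self.clear_on_error = clear_on_error    # False reproduces the bug, True the fix
        self.continue_needed = True

    def is_complete(self):
        return not self.continue_needed

    def authenticate(self, challenge):
        status, token = self.native_step(challenge)
        if status == "SEC_E_OK":
            self.continue_needed = False        # handshake finished
            return token
        if status == "SEC_I_CONTINUE_NEEDED":
            self.continue_needed = True         # server must answer once more
            return token
        if self.clear_on_error:                 # the fix: a failure ends the handshake
            self.continue_needed = False
        raise AuthenticationException(status)   # the bug leaves continue_needed == True


def run_exchange(scheme, server, max_rounds=20):
    """Client loop model: answer 401s while the scheme is not complete; the cap is only a guard."""
    challenge = None
    for rounds in range(1, max_rounds + 1):
        try:
            token = scheme.authenticate(challenge)
        except AuthenticationException:
            token = None                        # nothing to send; a retry is still considered
        code, challenge = server(token)
        if code == 200:
            return ("authenticated", rounds)
        if scheme.is_complete():
            return ("authentication failed", rounds)
    return ("retry cap hit", max_rounds)


# Constructed inputs: the native call keeps returning the error from the report,
# and a Kerberos-only server answers every leg with another 401 challenge.
def downgrade_detected(challenge):
    return ("SEC_E_DOWNGRADE_DETECTED", None)


def always_401(token):
    return (401, "Negotiate")
```

With the flag left set, the loop only stops because of the round cap; with the flag cleared on failure, the scheme reports itself complete after the first 401 and the client gives up at once.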

This message was sent by Atlassian JIRA
