hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails
Date Sun, 12 Oct 2014 15:54:33 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168688#comment-14168688
] 

Michael Osipov edited comment on HTTPCLIENT-1545 at 10/12/14 3:53 PM:
----------------------------------------------------------------------

bq. There was a case in the original code where it was possible to get an infinite loop if
{{InitializeSecurityContext}} returned an error (doesn't matter what error, I just chose {{SEC_E_DOWNGRADE_DETECTED}}
because it happened in my environment). I fixed it and added this test case to make sure a
regression for this error doesn't happen again.

Understood, that is why I would rather throw {{SEC_E_TARGET_UNKNOWN}}.

bq. However, before 1619373, it was using the provided service principle name (which in the
default case through WinHttpClients would have been null) OR the username.

It is a misconception to pass the current username as SPN or pass a null/non-null SPN to a
factory at configuration time. This is a purely runtime-related parameter which must be retrieved
from the context only. It makes [this pass|https://github.com/apache/httpclient/blob/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateSchemeFactory.java#L57]
obsolete.

bq. Our server based authentication provider only supports Kerberos and not NTLM

Neither is correct. Please have a look [here|https://github.com/apache/httpclient/blob/trunk/httpclient-win/src/main/java/org/apache/http/impl/client/WinHttpClients.java#L71].
NTLM and SPNEGO are supported. Kerberos is not directly supported. Are you referring to your
setup at work? If so, I have a bigger range of servers available for testing here.

Anyway, I will try all of that stuff next week at work and see how it behaves.


was (Author: michael-o):
bq. There was a case in the original code where it was possible to get an infinite loop if
{{InitializeSecurityContext}} returned an error (doesn't matter what error, I just chose {{SEC_E_DOWNGRADE_DETECTED}}
because it happened in my environment). I fixed it and added this test case to make sure a
regression for this error doesn't happen again.

Understood, that is why I would rather throw {{SEC_E_TARGET_UNKNOWN}}.

bq. However, before 1619373, it was using the provided service principle name (which in the
default case through WinHttpClients would have been null) OR the username.

It is a misconception to pass the current username as SPN or pass a null/non-null SPN to a
factory at configuration time. This is a purely runtime-related parameter which must be retrieved
from the context only. It makes [this pass|https://github.com/apache/httpclient/blob/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateSchemeFactory.java#L57]
obsolete.

bq. Our server based authentication provider only supports Kerberos and not NTLM

Neither is correct. Please have a look [here|https://github.com/apache/httpclient/blob/trunk/httpclient-win/src/main/java/org/apache/http/impl/client/WinHttpClients.java#L71].
NTLM and SPNEGO are support. Kerberos is not directly supported.

Anyway, I will try all of that stuff next week at work and see how it behaves.

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for HttpClient to
retry the authentication in an endless loop because the {{continueNeeded}} flag is not set
to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service principle name
that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message