hc-dev mailing list archives

From "Ka-Lok Fung (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails
Date Sun, 12 Oct 2014 17:43:33 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168731#comment-14168731

Ka-Lok Fung commented on HTTPCLIENT-1545:

If you prefer to throw {{SEC_E_TARGET_UNKNOWN}} in the unit test that's fine. The error code
choice is pretty arbitrary.

Even though 1) it's true that the SPN should be dynamically generated and 2) the
code is currently tagged as experimental, I'm hesitant to break an interface that is already
used by existing clients of HttpClient-win - I don't like breaking existing interfaces. I
guess we could deprecate that API first.

When I talk about NTLM and SPNEGO support, I'm talking about server side support, not client
side support. A backend server could support Kerberos through SPNEGO using [MIT Kerberos libraries|http://web.mit.edu/kerberos/].
Of course, HttpClient should support both connecting to servers that only support Kerberos,
as well as those that only support NTLM and those that support both.

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, HTTPCLIENT-1545.v2.patch.diff
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for HttpClient to retry the authentication in an endless loop because the {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service principal name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).

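The failure mode in the quoted issue description, as an added example that is not part of the original message and is not HttpClient source code: a simplified Java model showing why a multi-round scheme must clear its "continue" flag when a round fails, and why the caller should also bound its retries. `SchemeModel`, `nextToken` and `attemptsUntilGiveUp` are hypothetical names and the failure is constructed; only the `continueNeeded` flag name comes from the report.

```java
// Added illustration: a simplified model, not HttpClient source code.
public class ContinueNeededDemo {

    /** Hypothetical stand-in for a multi-round auth scheme such as Negotiate. */
    static class SchemeModel {
        private final boolean resetOnFailure;   // false models the reported behaviour
        private boolean continueNeeded = true;  // flag name taken from the issue text

        SchemeModel(boolean resetOnFailure) { this.resetOnFailure = resetOnFailure; }

        boolean isComplete() { return !continueNeeded; }

        /** Models one token-generation round that always fails (e.g. unknown target). */
        String nextToken() {
            try {
                throw new IllegalStateException("constructed failure: target unknown");
            } catch (IllegalStateException e) {
                if (resetOnFailure) {
                    continueNeeded = false;      // a failed handshake is a finished one
                }
                return null;                     // no token to send
            }
        }
    }

    /** Models the caller: retries on each 401 while the scheme reports "not done". */
    static int attemptsUntilGiveUp(SchemeModel scheme, int safetyCap) {
        int attempts = 0;
        // safetyCap is a defence-in-depth bound so a stuck scheme cannot spin forever.
        while (!scheme.isComplete() && attempts < safetyCap) {
            scheme.nextToken();                  // the server would answer 401 again
            attempts++;
        }
        return attempts;
    }

    public static void main(String[] args) {
        int cap = 1000;
        System.out.println("flag left set on failure: "
                + attemptsUntilGiveUp(new SchemeModel(false), cap) + " attempts");
        System.out.println("flag cleared on failure:  "
                + attemptsUntilGiveUp(new SchemeModel(true), cap) + " attempts");
    }
}
```

With the flag left set, only the cap stops the loop; with the flag cleared on failure, the loop ends after the first failed round.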