hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Progress of HTTPCLIENT-1625/open questions
Date Tue, 07 Apr 2015 10:04:13 GMT
On Mon, 2015-04-06 at 22:15 +0200, Michael Osipov wrote:
> Am 2015-04-06 um 18:12 schrieb Oleg Kalnichevski:
> > On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
> >> Hi folks,
> >>
> >> I have finally started coding of that issue. While I was able to write a
> >> working prototype within an hour authenticating against Apache Tomcat
> >> and Apache Web Server, an issue arose I am not really clear about:
> >>
> >> Is a credentials provider always necessary for a target host?
> >
> > Yes, it is.
> 
> Thanks, that did the trick!
> 
> >> In other
> >> words, do I always need something like this:
> >> CredentialsProvider p = new BasicCredentialsProvider();
> >> p.setCredentials(AuthScope.ANY, new
> >> UsernamePasswordCredentials("mumu:mumu"));
> >> builder.setDefaultCredentialsProvider(p);
> >>
> >> Although the credential is by default obtained at runtime?
> >> I have noticed that authentication is not executed if no cred provider
> >> is set and the logs are not very chatty about that.
> >>
> >
> > This whole concept of the auth APIs goes back to the days of HC 2.0 and
> > it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were
> > primarily designed to work well with standard auth schemes like BASIC
> > and DIGEST and similar password based auth schemes. Things like Kerberos
> > and native Windows auth were not properly factored it at that point of
> > time. We can think of a better abstraction for HC 5, but for now we will
> > have to live with what we have.
> 
> I'll keep that in mind.
> 
> While I have gained some progress now, the client is not behaving the 
> way I expect it. The AuthScheme impl is called, sends the first token 
> which is accepted by the server and the response token is sent. That is, 
> unfortunately, completely ignored. The HttpAuthenticator says 
> "Authentication succeeded" and ignores #isConnetionBased and 
> #isCompleted. Here is a wire log:
> 
> Requesting: http://server.company.net:8080/manager/html
> [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - 
> CookieSpec selected: default
> [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth 
> cache not set in the context
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection request: [route: {}->http://server.company.net:8080][total 
> kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection leased: [id: 0][route: 
> {}->http://server.company.net:8080][total kept alive: 0; route 
> allocated: 1 of 2; total allocated: 1 of 20]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening 
> connection {}->http://server.company.net:8080
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
> Connecting to server.company.net/1.2.3.4:8080
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
> Connection established 2.3.4.5:44647<->1.2.3.4:8080
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
> request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET 
> /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 
> server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: 
> Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: 
> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 
> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401 
> Unauthorized
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: 
> Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: 
> private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 
> 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> WWW-Authenticate: Negotiate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: 
> text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Content-Length: 974
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 
> Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
> can be kept alive indefinitely
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> Authentication required
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> server.company.net:8080 requested authentication
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Authentication schemes in the order of preference: [Negotiate, Kerberos, 
> NTLM, Digest, Basic]
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Kerberos authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for NTLM authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Digest authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Basic authentication scheme not available
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected 
> authentication options: [NEGOTIATE]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
> request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
> state: CHALLENGED
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating 
> response to an authentication challenge using Negotiate scheme
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using 
> HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting 
> GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for 
> target host with SPN 'HTTP@server.company.net' created
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context 
> establishment is in progress
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET 
> /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 
> server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: 
> Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: 
> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 
> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: 
> Negotiate YIIYwwYGKwY...
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: 
> Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: 
> private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 
> 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> WWW-Authenticate: Negotiate oYHtMIHqoAM...

Oh, Holy Mother. WWW-Authenticate in a 200 response? Really?

> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie: 
> JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: 
> text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Transfer-Encoding: chunked
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Content-Encoding: gzip
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary: 
> Accept-Encoding
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 
> Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> Authentication succeeded
> [main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies - 
> Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61", 
> version:0, domain:server.company.net, path:/manager, expiry:null]
> [...response body...]
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
> http-outgoing-0: Shutdown connection
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
> discarded
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
> http-outgoing-0: Close connection
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection released: [id: 0][route: 
> {}->http://server.company.net:8080][total kept alive: 0; route 
> allocated: 0 of 2; total allocated: 0 of 20]
> 
> My IN_PROGRESS case is never triggered and the response token is not 
> read by #parseChallenge.
> 
> While I do not intend to debug all necessary auth code, I highly suspect 
> that the client does not call the AuthScheme impl just because the 
> server responses with 200 OK along with the token.
> 
> Edit: I did a quick hack 
> AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK 
> too and it did continue auth and completes the context but the response 
> is completely discarded and another request is issued.
> 
> Any ideas?
> 

I see no way around adding something hideous like that to
HttpAuthenticator#isAuthenticationRequested

---
if (authState.getAuthScheme() instanceof SPNegoScheme) {
    final SPNegoScheme spNegoScheme = (SPNegoScheme)
authState.getAuthScheme();
    final Header header =
response.getFirstHeader(spNegoScheme.isProxy() ? AUTH.PROXY_AUTH :
AUTH.WWW_AUTH);
    if (header != null) {
        try {
            spNegoScheme.processChallenge(header);
        } catch (MalformedChallengeException ignore) {
        }
    }
}
---

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message