hc-dev mailing list archives

From Michael Osipov <micha...@apache.org>
Subject Re: Progress of HTTPCLIENT-1625/open questions
Date Tue, 07 Apr 2015 11:23:08 GMT
On 2015-04-07 at 12:04, Oleg Kalnichevski wrote:
> On Mon, 2015-04-06 at 22:15 +0200, Michael Osipov wrote:
>> On 2015-04-06 at 18:12, Oleg Kalnichevski wrote:
>>> On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
>>>> Hi folks,
>>>>
>>>> I have finally started coding of that issue. While I was able to write a
>>>> working prototype within an hour authenticating against Apache Tomcat
>>>> and Apache Web Server, an issue arose I am not really clear about:
>>>>
>>>> Is a credentials provider always necessary for a target host?
>>>
>>> Yes, it is.
>>
>> Thanks, that did the trick!
>>
>>>> In other
>>>> words, do I always need something like this:
>>>> CredentialsProvider p = new BasicCredentialsProvider();
>>>> p.setCredentials(AuthScope.ANY, new
>>>> UsernamePasswordCredentials("mumu:mumu"));
>>>> builder.setDefaultCredentialsProvider(p);
>>>>
>>>> Although the credential is by default obtained at runtime?
>>>> I have noticed that authentication is not executed if no cred provider
>>>> is set and the logs are not very chatty about that.
>>>>
>>>
>>> This whole concept of the auth APIs goes back to the days of HC 2.0 and
>>> it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were
>>> primarily designed to work well with standard auth schemes like BASIC
>>> and DIGEST and similar password based auth schemes. Things like Kerberos
>>> and native Windows auth were not properly factored in at that point of
>>> time. We can think of a better abstraction for HC 5, but for now we will
>>> have to live with what we have.
>>
>> I'll keep that in mind.
>>
>> While I have gained some progress now, the client is not behaving the
>> way I expect it. The AuthScheme impl is called, sends the first token
>> which is accepted by the server and the response token is sent. That is,
>> unfortunately, completely ignored. The HttpAuthenticator says
>> "Authentication succeeded" and ignores #isConnectionBased and
>> #isCompleted. Here is a wire log:
>>
>> Requesting: http://server.company.net:8080/manager/html
>> [main] DEBUG org.apache.http.client.protocol.RequestAddCookies -
>> CookieSpec selected: default
>> [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth
>> cache not set in the context
>> [main] DEBUG
>> org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
>> Connection request: [route: {}->http://server.company.net:8080][total
>> kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
>> [main] DEBUG
>> org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
>> Connection leased: [id: 0][route:
>> {}->http://server.company.net:8080][total kept alive: 0; route
>> allocated: 1 of 2; total allocated: 1 of 20]
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening
>> connection {}->http://server.company.net:8080
>> [main] DEBUG
>> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
>> Connecting to server.company.net/1.2.3.4:8080
>> [main] DEBUG
>> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
>> Connection established 2.3.4.5:44647<->1.2.3.4:8080
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
>> request GET /manager/html HTTP/1.1
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
>> state: UNCHALLENGED
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
>> state: UNCHALLENGED
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET
>> /manager/html HTTP/1.1
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host:
>> server.company.net:8080
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection:
>> Keep-Alive
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent:
>> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >>
>> Accept-Encoding: gzip,deflate
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401
>> Unauthorized
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server:
>> Apache-Coyote/1.1
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control:
>> private
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu,
>> 01 Jan 1970 01:00:00 CET
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
>> WWW-Authenticate: Negotiate
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type:
>> text/html;charset=utf-8
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
>> Content-Length: 974
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06
>> Apr 2015 19:43:27 GMT
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
>> can be kept alive indefinitely
>> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
>> Authentication required
>> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
>> server.company.net:8080 requested authentication
>> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
>> Authentication schemes in the order of preference: [Negotiate, Kerberos,
>> NTLM, Digest, Basic]
>> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
>> Challenge for Kerberos authentication scheme not available
>> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
>> Challenge for NTLM authentication scheme not available
>> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
>> Challenge for Digest authentication scheme not available
>> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
>> Challenge for Basic authentication scheme not available
>> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected
>> authentication options: [NEGOTIATE]
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
>> request GET /manager/html HTTP/1.1
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
>> state: CHALLENGED
>> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating
>> response to an authentication challenge using Negotiate scheme
>> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using
>> HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
>> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting
>> GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
>> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for
>> target host with SPN 'HTTP@server.company.net' created
>> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context
>> establishment is in progress
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
>> state: UNCHALLENGED
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET
>> /manager/html HTTP/1.1
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host:
>> server.company.net:8080
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection:
>> Keep-Alive
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent:
>> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >>
>> Accept-Encoding: gzip,deflate
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization:
>> Negotiate YIIYwwYGKwY...
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server:
>> Apache-Coyote/1.1
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control:
>> private
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu,
>> 01 Jan 1970 01:00:00 CET
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
>> WWW-Authenticate: Negotiate oYHtMIHqoAM...
>
> Oh, Holy Mother. WWW-Authenticate in a 200 response? Really?

Absolutely, it can happen on any response code, at least 2xx and 3xx
because HTTP is crappy for that. The token you see is the mutual
response token from the server which NTLM for example does not have.
Type 2 message responds with a 401. That is the reason why NTLM works in
HttpClient. I consider every module for SPNEGO and Kerberos in
HttpClient as not working and not usable.

In theory, authentication has to be completed before application 
protocol starts. This is how SASL does it and others. HTTP is unlucky here.

Here is a better example from our corporate Subversion server on Apache 
Web Server:

Requesting: https://server.company.net/repos/svn/X2TC
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies - 
CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth 
cache not set in the context
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection request: [route: {s}->https://server.company.net:443][total 
kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection leased: [id: 2][route: 
{s}->https://server.company.net:443][total kept alive: 0; route 
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening 
connection {s}->https://server.company.net:443
[main] DEBUG 
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
Connecting to server.company.net/<server IP>:443
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
Connecting socket to server.company.net/<server IP>:443 with timeout 0
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
Enabled protocols: [TLSv1]
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 
TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, 
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, 
SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
Starting handshake
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
Secure session established
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
negotiated protocol: TLSv1
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  peer 
principal: CN=server.company.net, C=DE, O=...
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 
issuer principal: CN=...
[main] DEBUG 
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
Connection established <server IP>:44700<-><server IP>:443
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
request GET /repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
state: SUCCESS
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET 
/repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host: 
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent: 
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> 
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 401 
Authorization Required
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06 
Apr 2015 19:47:28 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server: 
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29 
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 << 
WWW-Authenticate: Negotiate
[main] DEBUG org.apache.http.headers - http-outgoing-2 << 
Content-Length: 553
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive: 
timeout=5, max=1000
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type: 
text/html; charset=iso-8859-1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
can be kept alive for 5000 MILLISECONDS
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
Authentication required
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
server.company.net:443 requested authentication
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
Authentication schemes in the order of preference: [Negotiate, Kerberos, 
NTLM, Digest, Basic]
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
Challenge for Kerberos authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
Challenge for NTLM authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
Challenge for Digest authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
Challenge for Basic authentication scheme not available
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected 
authentication options: [NEGOTIATE]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
request GET /repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
state: CHALLENGED
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating 
response to an authentication challenge using Negotiate scheme
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using 
HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting 
GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for 
target host with SPN 'HTTP@server.company.net' created
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context 
establishment is in progress
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET 
/repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host: 
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent: 
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> 
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Authorization: 
Negotiate YIIYwwYGKwYBBQUCoIIYtz...
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 301 
Moved Permanently
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06 
Apr 2015 19:47:29 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server: 
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29 
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 << 
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQCh...
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Location: 
https://server.company.net/repos/svn/X2TC/
[main] DEBUG org.apache.http.headers - http-outgoing-2 << 
Content-Length: 410
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive: 
timeout=5, max=999
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type: 
text/html; charset=iso-8859-1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
can be kept alive for 5000 MILLISECONDS
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
Authentication succeeded
[main] DEBUG org.apache.http.impl.client.DefaultRedirectStrategy - 
Redirect requested to location 'https://server.company.net/repos/svn/X2TC/'
[main] DEBUG org.apache.http.impl.execchain.RedirectExec - Resetting 
target auth state
[main] DEBUG org.apache.http.impl.execchain.RedirectExec - Redirecting 
to 'https://server.company.net/repos/svn/X2TC/' via 
{s}->https://server.company.net:443
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection [id: 2][route: {s}->https://server.company.net:443] can be 
kept alive for 5.0 seconds
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection released: [id: 2][route: 
{s}->https://server.company.net:443][total kept alive: 1; route 
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies - 
CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth 
cache not set in the context
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection request: [route: {s}->https://server.company.net:443][total 
kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection leased: [id: 2][route: 
{s}->https://server.company.net:443][total kept alive: 0; route 
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
request GET /repos/svn/X2TC/ HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
state: UNCHALLENGED
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET 
/repos/svn/X2TC/ HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host: 
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent: 
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> 
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 200 OK
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06 
Apr 2015 19:47:29 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server: 
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29 
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Last-Modified: 
Thu, 02 Apr 2015 09:12:12 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << ETag: W/"1063//"
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Accept-Ranges: 
bytes
[main] DEBUG org.apache.http.headers - http-outgoing-2 << 
Content-Length: 730
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive: 
timeout=5, max=998
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection: 
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type: 
text/html; charset=UTF-8
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
can be kept alive for 5000 MILLISECONDS
<...response body...>
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection [id: 2][route: {s}->https://server.company.net:443] can be 
kept alive for 5.0 seconds
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection released: [id: 2][route: 
{s}->https://server.company.net:443][total kept alive: 1; route 
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection manager is shutting down
[main] DEBUG 
org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
http-outgoing-2: Close connection
[main] DEBUG 
org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
http-outgoing-2: Close connection
[main] DEBUG 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
Connection manager shut down

GET, 401, GET with token, 301 with token, redirected GET, 200. The 
server persists the auth on the connection.

>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie:
>> JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type:
>> text/html;charset=utf-8
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
>> Transfer-Encoding: chunked
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
>> Content-Encoding: gzip
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary:
>> Accept-Encoding
>> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06
>> Apr 2015 19:43:27 GMT
>> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
>> Authentication succeeded
>> [main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies -
>> Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61",
>> version:0, domain:server.company.net, path:/manager, expiry:null]
>> [...response body...]
>> [main] DEBUG
>> org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
>> http-outgoing-0: Shutdown connection
>> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
>> discarded
>> [main] DEBUG
>> org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
>> http-outgoing-0: Close connection
>> [main] DEBUG
>> org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
>> Connection released: [id: 0][route:
>> {}->http://server.company.net:8080][total kept alive: 0; route
>> allocated: 0 of 2; total allocated: 0 of 20]
>>
>> My IN_PROGRESS case is never triggered and the response token is not
>> read by #parseChallenge.
>>
>> While I do not intend to debug all necessary auth code, I highly suspect
>> that the client does not call the AuthScheme impl just because the
>> server responds with 200 OK along with the token.
>>
>> Edit: I did a quick hack
>> AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK
>> too and it did continue auth and completes the context but the response
>> is completely discarded and another request is issued.
>>
>> Any ideas?
>>
>
> I see no way around adding something hideous like that to
> HttpAuthenticator#isAuthenticationRequested
>
> ---
> if (authState.getAuthScheme() instanceof SPNegoScheme) {
>      final SPNegoScheme spNegoScheme = (SPNegoScheme)
> authState.getAuthScheme();
>      final Header header =
> response.getFirstHeader(spNegoScheme.isProxy() ? AUTH.PROXY_AUTH :
> AUTH.WWW_AUTH);
>      if (header != null) {
>          try {
>              spNegoScheme.processChallenge(header);
>          } catch (MalformedChallengeException ignore) {
>          }
>      }
> }

I fear that this is not enough because it does not suffice to process
the challenge but after that AuthScheme#authenticate must be called to
continue the context. If you say that #processChallenge takes in tokens
from the server and #authenticate responds to the server, I have to
rethink my code/approach. All current schemes are structured the
way I have written the new code.

Somewhat a dead end which has not been designed the way needed in HttpClient.

Michael
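
The behaviour discussed in this thread, a Negotiate reply token arriving on a 2xx or 3xx response and still needing to be fed into the security context, sketched as an added example (not part of the original message and not HttpClient code). `NegotiateResponseCheck`, `ContextStep` and the sample tokens are constructed for illustration; one challenge per header value and Java 8 or later are assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

public class NegotiateResponseCheck {

    enum Action { START_CONTEXT, CONTINUE_CONTEXT, VERIFY_FINAL_TOKEN, NOTHING_TO_DO, MALFORMED }

    /** Stand-in for one GSS step (hypothetical type); returns true once the context is established. */
    interface ContextStep { boolean accept(byte[] serverToken); }

    /** Returns null if there is no Negotiate challenge, an empty array for a bare "Negotiate", else the token. */
    static byte[] negotiateToken(List<String> wwwAuthenticate) {
        for (String value : wwwAuthenticate) {
            String[] parts = value.trim().split("\\s+", 2);
            if (!parts[0].equalsIgnoreCase("Negotiate")) continue;
            if (parts.length == 1) return new byte[0];
            // Throws IllegalArgumentException when the token is not valid Base64.
            return Base64.getDecoder().decode(parts[1].trim());
        }
        return null;
    }

    /** Decides what the response means for the open Negotiate exchange, whatever its status code. */
    static Action classify(int status, List<String> wwwAuthenticate) {
        byte[] token;
        try {
            token = negotiateToken(wwwAuthenticate);
        } catch (IllegalArgumentException e) {
            return Action.MALFORMED;
        }
        if (token == null) return Action.NOTHING_TO_DO;
        if (status == 401) return token.length == 0 ? Action.START_CONTEXT : Action.CONTINUE_CONTEXT;
        // Non-401 with a token: the server's reply token, as on the 200 and 301 in the logs above.
        return token.length == 0 ? Action.NOTHING_TO_DO : Action.VERIFY_FINAL_TOKEN;
    }

    /** True only if the response may be handed to the application. */
    static boolean mayDeliver(int status, List<String> wwwAuthenticate, ContextStep ctx) {
        switch (classify(status, wwwAuthenticate)) {
            case VERIFY_FINAL_TOKEN:
                // The reply token must complete the context before the body is trusted.
                return ctx.accept(negotiateToken(wwwAuthenticate));
            case NOTHING_TO_DO:
                return status != 401;
            default:
                return false; // 401 rounds need another request; malformed tokens are rejected
        }
    }

    public static void main(String[] args) {
        // Constructed token, not a real SPNEGO blob.
        String reply = Base64.getEncoder()
                .encodeToString("constructed-reply-token".getBytes(StandardCharsets.UTF_8));
        ContextStep established = token -> token.length > 0; // toy context that accepts any token
        ContextStep rejected = token -> false;               // toy context that fails verification

        List<String> bare = Arrays.asList("Negotiate");
        List<String> withToken = Arrays.asList("Negotiate " + reply);
        List<String> broken = Arrays.asList("Negotiate !!not-base64!!");
        List<String> none = Collections.emptyList();

        System.out.println("401 bare        -> " + classify(401, bare));
        System.out.println("200 with token  -> " + classify(200, withToken));
        System.out.println("301 with token  -> " + classify(301, withToken));
        System.out.println("200 bad token   -> " + classify(200, broken));
        System.out.println("200 no header   -> " + classify(200, none));
        System.out.println("deliver 200, context ok     -> " + mayDeliver(200, withToken, established));
        System.out.println("deliver 200, context failed -> " + mayDeliver(200, withToken, rejected));
    }
}
```

With JGSS, the `ContextStep` would pass the token to `GSSContext#initSecContext` and then check `isEstablished()` and `getMutualAuthState()`.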

