hc-dev mailing list archives

From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1625) Completely overhaul GSS-API-based authentication backend
Date Tue, 07 Apr 2015 18:54:12 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483787#comment-14483787 ]

Michael Osipov commented on HTTPCLIENT-1625:
--------------------------------------------

Hi Moritz, 

just checked your code. It does something completely different and uses the current implementation,
which does not work by the way. Just a question: why do you need preemptive auth here? A {{GET}}
with 401 is extremely cheap and {{POST}} and {{PUT}} with curl against Tomcat with SPNEGO
is a snap.

Yes, you are right. I wouldn't recommend it to anyone right now.

About the port thing, I have not found anything about that in the RFC 4120, chapter 6.2.1.
So, this is solely Microsoft. I (highly) doubt that JGSS and MIT Kerberos support that. Though,
I have searched our forest for a SPN with HTTP and port and did not find one. We have more
than 20 realms with thousands of hosts. The only port-related SPNs were for SQL Server. I
can try that with a standalone client against SQL Server and will add this later as a runtime
parameter.

Regarding your suggestion. Deciding about preemption is not the task of the authenticator
but solely of the client. What server does not keep state? At least my SPNEGO authenticator
for Tomcat does not do that but this has nothing to do with connection state. My impl works
flawlessly with MIT Kerberos, JGSS and SSPI.

Currently, I have a bigger problem doing things right because HttpClient assumes every auth
scheme to be a challenge/response mech, which Kerberos isn't. It's the opposite. You can follow
the discussion [here](http://www.mail-archive.com/dev@hc.apache.org/msg14632.html) and you
may have some helpful ideas.

> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-1625
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
>             Project: HttpComponents HttpClient
>          Issue Type: Task
>          Components: Documentation, HttpAuth, HttpClient
>    Affects Versions: 4.5 Alpha1
>            Reporter: Michael Osipov
>            Assignee: Michael Osipov
>             Fix For: 4.5 Alpha1
>
>
> The current implementation does not reflect the way GSS-API-based authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under: https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
