hc-dev mailing list archives

From "Ulrich Colby (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1873) Kerberos delegation no longer working after HTTPCLIENT-1736 patch in version 4.5.3
Date Fri, 29 Sep 2017 14:30:01 GMT
Ulrich Colby created HTTPCLIENT-1873:
----------------------------------------

             Summary: Kerberos delegation no longer working after HTTPCLIENT-1736 patch in version 4.5.3
                 Key: HTTPCLIENT-1873
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1873
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 4.5.3, 4.5.4
         Environment: Windows,Linux
            Reporter: Ulrich Colby
            Priority: Minor
             Fix For: 4.5.2


In version 4.5.3, the following fix got applied to the httpclient library:

_ [HTTPCLIENT-1736] do not request cred delegation by default when using Kerberos auth.
  Contributed by Oleg Kalnichevski <olegk at apache.org>_

Although it says "by default", when looking at the affected code it's not the case.  From
our tests and my understanding, if a user account is not allowed to be delegated in a chain,
you can still request delegation when creating the user token, it'll simply not be applied.

In the class "GSSSchemeBase", in the method "createGSSContext", we need the following line
added back:

*gssContext.requestCredDeleg(true);*

**OR**

If you insist on leaving it off for a reason I'm not aware of, having a way, maybe through
a system property, to say that we want it.

_This here is just my opinion, but one of the main reasons for using Kerberos in an enterprise
environment is to be able to make use of delegation (double hop scenarios)._



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
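
The opt-in the report asks for, sketched with the standard `org.ietf.jgss` API as an added example; it is not code from the original message or from HttpClient. It goes one step beyond a single on/off switch by limiting the delegation request to listed hosts; the property name `example.kerberos.delegation.hosts`, the class name and the host names are hypothetical.

```java
import java.util.Arrays;
import java.util.Locale;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class DelegationOptIn {
    // Hypothetical property (not an HttpClient setting): comma-separated hosts
    // for which credential delegation may be requested. Unset means never.
    static final String DELEG_HOSTS = "example.kerberos.delegation.hosts";
    static final String KERBEROS_OID = "1.2.840.113554.1.2.2";

    // True only when the target host is explicitly listed (case-insensitive).
    static boolean delegationAllowed(String host) {
        String target = host.toLowerCase(Locale.ROOT);
        return Arrays.stream(System.getProperty(DELEG_HOSTS, "").split(","))
                .map(h -> h.trim().toLowerCase(Locale.ROOT))
                .anyMatch(h -> !h.isEmpty() && h.equals(target));
    }

    // Builds an initiator context for service@host using the default
    // credentials; delegation is requested only for opted-in hosts.
    // Assumes the JVM has a working Kerberos configuration.
    static GSSContext createGSSContext(String service, String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName =
                manager.createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                serverName, new Oid(KERBEROS_OID), null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestCredDeleg(delegationAllowed(host));
        return ctx;
    }

    public static void main(String[] args) {
        // Constructed sample values; this part needs no KDC.
        System.setProperty(DELEG_HOSTS, "app1.corp.example, app2.corp.example");
        for (String host : new String[] {"APP1.corp.example", "files.corp.example"}) {
            System.out.println(host + " -> requestCredDeleg(" + delegationAllowed(host) + ")");
        }
    }
}
```

Once the context is established, `getCredDelegState()` reports whether delegation is actually in effect, which is the place to check the outcome of the request.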
