From: Sebastiaan van Erk
To: HttpClient User Discussion
Subject: Re: Kerberos proxy authentication issue
Date: Fri, 11 Dec 2009 22:45:09 +0100
Message-ID: <4B22BD65.5060900@sebster.com>
In-Reply-To: <4B22A8F6.4060905@apache.org>

Oleg Kalnichevski wrote:
> Sebastiaan van Erk wrote:
>> Hi Oleg,
>>
>> Thanks for your reply.
>>
>> There's a good chance I'm going to have to get this working, even if it
>> means I'm going to have to delve into this myself. I'll contact the
>> original developer and see if he sees anything obvious, but in any case,
>> if I succeed in getting it working, I will happily contribute the
>> patches.
>>
>> Best regards,
>> Sebastiaan
>>
>
> Hi Sebastiaan
>
> Cool. In my turn I will happily help with HttpClient specific stuff.

Hi Oleg,

I got the proxy authentication working already. I even tested it when both proxy auth and HTTP auth are required and it works. There is just one small issue: I need the proxy host name to generate the Kerberos service name (HTTP/proxyhost@REALM).
The current NegotiateScheme code doesn't handle proxy auth at all and always uses the target host name, which it retrieves from the Host header (is that the best way to get the target host?):

    // The Host header always names the target, never the proxy
    if (isStripPort()) {
        init(request.getLastHeader("Host").getValue().replaceAll(":[0-9]+$", ""));
    } else {
        init(request.getLastHeader("Host").getValue());
    }

I changed the NegotiateScheme to extend AuthSchemeBase (like NTLMScheme). Now I have access to the isProxy() method and can add the correct header (Proxy-Authorization or Authorization). However, to determine the hostname I currently have this:

    String host;
    if (isProxy()) {
        // FIXME this should actually be determined by the route planner?
        HttpHost proxy = ConnRouteParams.getDefaultProxy(request.getParams());
        host = proxy.getHostName();
    } else {
        host = request.getLastHeader("Host").getValue();
    }
    if (isStripPort()) {
        host = host.replaceAll(":[0-9]+$", "");
    }
    init(host);

I noticed a few frames up in DefaultRequestDirector.handleResponse the actual proxy host is known:

    if (this.proxyAuthHandler.isAuthenticationRequested(response, context)) {
        HttpHost proxy = route.getProxyHost();
        this.log.debug("Proxy requested authentication");
        Map challenges = this.proxyAuthHandler.getChallenges(response, context);
        try {
            processChallenges(challenges, this.proxyAuthState, this.proxyAuthHandler, response, context);
        } catch (AuthenticationException ex) {
            ...

But this information is not available to me at the FIXME location. I'm also ignoring any forced route now, but it seems wrong to copy-paste the code from DefaultHttpRoutePlanner anyway, especially since that's just the default implementation anyhow and could be overridden.

Next thing I'll look into is why the redirect fails.
Regards,
Sebastiaan

> Cheers
>
> Oleg
>
>>
>> Oleg Kalnichevski wrote:
>>> Sebastiaan van Erk wrote:
>>>> Hi,
>>>>
>>>> I'm not sure it's supported yet in httpclient-4.1-alpha1, but
>>>> continuing on my Kerberos quest, I was trying the next phase:
>>>> Kerberos proxy authentication.
>>>>
>>>> This time I'm requesting a public URL from the target server via a
>>>> Kerberos-protected Squid proxy. Again I tested this with Firefox,
>>>> and it works fine. (The final phase, Kerberos proxy AND Kerberos
>>>> server, also works with Firefox.)
>>>>
>>>> However, when I add the following two lines to the Kerberos HTTP
>>>> client example:
>>>>
>>>>     HttpHost proxy = new HttpHost("tunnelproxy.servoy.com", 3128);
>>>>     httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
>>>>
>>>> the proxy authentication fails. It tries to authenticate to the
>>>> service for the target web server instead of for the proxy service,
>>>> that is, I get the following entry in my kdc.log:
>>>>
>>>> 2009-12-11T14:22:12 TGS-REQ testuser@SERVOY.COM from
>>>> IPv4:85.147.225.232 for HTTP/tunneltest.servoy.com@SERVOY.COM
>>>>
>>>> But for the proxy service you need a ticket to
>>>> HTTP/tunnelproxy.servoy.com@SERVOY.COM.
>>>>
>>>> Is this a setup issue on my side, or is Kerberos proxy auth not yet
>>>> supported, or is this a bug?
>>>>
>>>> Again I included the wirelog for further details.
>>>>
>>>> Best regards,
>>>> Sebastiaan
>>>>
>>>
>>> Sebastiaan
>>>
>>> I have some bad news for you. I suspect none of the actual HttpClient
>>> committers might be able to help you with Kerberos-related problems.
>>> I, for one, have neither time nor inclination to dive into the
>>> subject. Kerberos code is fully based on user contributions. You may
>>> want to get in touch directly with the contributor of the SPNEGO auth
>>> scheme [1] and _very politely_ ask him for help. I will happily
>>> review and commit patches, but my personal involvement will stop there.
>>>
>>> Oleg
>>>
>>> [1] http://issues.apache.org/jira/browse/HTTPCLIENT-523
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>>
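The selection rule discussed in the thread, as an added example (not code from the thread or from HttpClient): a stand-alone Java class that derives the HTTP/host@REALM principal from the route the request was actually sent on, using the proxy host for a 407 and the origin host for a 401, and refusing a 407 when the route has no proxy, so a ticket for the wrong service is never requested. The Route class and the method names are assumptions; the servoy.com hosts are the thread's, reused here as sample values.

```java
import java.util.regex.Pattern;

// Added example, not HttpClient code; Route is an assumed stand-in for the real route object.
public final class SpnegoServiceName {

    private static final Pattern TRAILING_PORT = Pattern.compile(":[0-9]+$");

    /** Stand-in for the route: the origin host and the proxy, or null when the route is direct. */
    static final class Route {
        final String targetHost;
        final String proxyHost;
        Route(String targetHost, String proxyHost) {
            this.targetHost = targetHost;
            this.proxyHost = proxyHost;
        }
    }

    /**
     * A 407 is the proxy's challenge and needs a ticket for the proxy's principal;
     * a 401 is the origin server's. The host is taken from the route, never from
     * the Host header, which names the target even when the proxy is challenging.
     */
    static String serviceHost(int statusCode, Route route) {
        if (statusCode == 407) {
            if (route.proxyHost == null) {
                // Fail closed: do not fall back to the target's principal for an unexpected challenger.
                throw new IllegalStateException("407 received on a route without a proxy");
            }
            return route.proxyHost;
        }
        return route.targetHost;
    }

    /** Same port stripping as isStripPort(): only a trailing :digits is removed, so [::1] survives. */
    static String stripPort(String host) {
        return TRAILING_PORT.matcher(host).replaceFirst("");
    }

    /** The principal the TGS-REQ is made for, HTTP/host@REALM, as it appears in kdc.log. */
    static String servicePrincipal(int statusCode, Route route, String realm) {
        return "HTTP/" + stripPort(serviceHost(statusCode, route)) + "@" + realm;
    }

    public static void main(String[] args) {
        Route viaProxy = new Route("tunneltest.servoy.com:443", "tunnelproxy.servoy.com:3128");
        System.out.println("407 -> " + servicePrincipal(407, viaProxy, "SERVOY.COM"));
        System.out.println("401 -> " + servicePrincipal(401, viaProxy, "SERVOY.COM"));
    }
}
```

Comparing the printed principal with the service named in the kdc.log TGS-REQ line is a quick way to confirm which host the client actually asked a ticket for.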