hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: SPNEGO authentication not working with IBM JRE 1.6
Date Tue, 08 Jan 2013 10:47:43 GMT
On Mon, 2013-01-07 at 17:10 -0500, Heather Sterling wrote:
> 
> Hi,
> 
> I am unable to get the HttpClient to work with SPNEGO authentication using
> the IBM JRE.  I have successfully gotten it to work with the Oracle JRE and
> the login.conf file that is recommended for Oracle, so I know that my
> configuration and test code is generally working.  My test code is a
> modification of the ClientKerberosAuthentication example.
> 
> Is the IBM JRE supported for SPNEGO authentication or is this a known
> limitation?  Is my login.conf file incorrect for the IBM JRE?  I've tried
> multiple permutations and encounter the same error each time.
> 
> Configuration:
> 
> Client: Windows 2008 R2 64-bit / HttpComponents 4.2.2
> Server: Windows 2008 R2 w/ Websphere Application Server 8.5 64-bit
> Active Directory: Windows 2008 R2 64-bit
> JRE: 1.6.0 Java(TM) SE Runtime Environment (build pwa6460sr11-20120806_01
> (SR11))
> 
> Error:
> 
> I get the following error when attempting to connect.  This seems to imply
> that my com.ibm.security.jgss.initiate setting is incorrect and that I
> cannot obtain the proper credentials to send to the server in its response
> for the negotiate header.  I have all of the debug on and this is all I
> get.
> 
> Jan 7, 2013 4:10:37 PM
> org.apache.http.client.protocol.RequestAuthenticationBase process
> WARNING: NEGOTIATE authentication error: No valid credentials provided
> (Mechanism level: No valid credentials provided (Mechanism level: Attempt
> to obtain new INITIATE credentials failed! (null)))
> 
> IBM login.conf:
>  com.ibm.security.jgss.login {
>     com.ibm.security.auth.module.Krb5LoginModule required
> useDefaultCcache=true debug=true;
>  };
> 
>  com.ibm.security.jgss.initiate {
>     com.ibm.security.auth.module.Krb5LoginModule required
> useDefaultCcache=true debug=true;
>  };
> 
>  com.ibm.security.jgss.accept {
>     com.ibm.security.auth.module.Krb5LoginModule required
> useDefaultCcache=true debug=true;
>  };
> 
> 
> Heather Sterling
> Rational Jazz Development
> Phone:  919-254-7163 T/L: 444-7163
> Cell: 919-423-3143
> Email: hsterl@us.ibm.com

Heather,

Kerberos and SPNego authentication support in HttpClient is based
entirely on contributions of external contributors. We have no means of
testing it against various commercial products or different JREs. In
fact we have almost zero test coverage for Kerberos and SPNego code and
we mostly rely on our users' feedback to find out what works and what
does not. As far as IBM WebSphere products are concerned I am not aware
of anyone having conducted compatibility tests. We do not specifically
test HttpClient for compatibility with IBM JRE. This is the area where
our corporate users might make valuable contributions to the project.

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message