hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From K Fung <kfung4...@gmail.com>
Subject Re: Specifying the correct SPN via WinHttpClients in HttpClient 4.4
Date Sun, 17 Aug 2014 06:19:51 GMT
Hi Malcolm,

I took a look at the code today and found way to automatically
construct the SPN without it being explicitly passed in. Before I
submit the patch though, I was hoping you can provide some feedback on
the calls to getToken:

response = getToken(null, null, this.servicePrincipalName != null ?
this.servicePrincipalName : username);

response = getToken(this.sppicontext, continueTokenBuffer,
this.servicePrincipalName != null ? this.servicePrincipalName :

In the first call, username is used but in the second, localhost is
used. Do you know why they're different? The docs state that
pszTargetName should point to a SPN or security context of the
destination server [1].

Right now, I'm inclined to replace the default values with my
calculated HTTP/<hostname> value. Users can always explicitly provide
their own default by explicitly creating the appropriate scheme

What do you think?


[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa375509(v=vs.85).aspx

On Thu, Aug 14, 2014 at 10:56 AM, K Fung <kfung4cxf@gmail.com> wrote:
> Hi Malcolm,
> If you take a look at the default WinHttpClient[1], specifically the
> createBuilder() function, you'll see that null is always being
> provided as the principle name. I was hoping there would be a way to
> automatically inject HTTP/<hostname>. I planned to examine how this
> could be made possible :-)
> Currently, in our own code code, we are creating an specific client
> with a specific auth scheme and specifically filling in the correct
> SPN for the request.
> Regards,
> kl
> [1] https://fisheye6.atlassian.com/browse/httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/client/WinHttpClients.java?r=1602401
> On Thu, Aug 14, 2014 at 9:37 AM, Malcolm Smith
> <malcolm_smith@standardlife.com> wrote:
>> Hi Ka-Lok,
>> I¹m wondering what you expect the out of the box behaviour to be here? The
>> service principal needs to be specified by the client, so there is no
>> valid default.
>> I submitted the original patch to enable the SPN to be specified, and
>> wrote the SO response you linked to. Are you just looking to provide a
>> simpler way of injecting the SPN into the WindowsNegotiateSchemeFactory?
>> Admittedly it is slightly clunky having to construct an anonymous class,
>> but I couldn¹t find a simpler way of injecting the SPN into the
>> WindowsNegotiateSchemeFactory.
>> Regards,
>> Malcolm.
>> On 13/08/2014 22:14, "K Fung" <kfung4cxf@gmail.com> wrote:
>>>If we use WinHttpClients as, HTTP Negotiate authentication won't work
>>>because the ticket being generated always uses 'null' service
>>>principle name (SPN). Can this be filed as a bug?
>>>According to the informational RFC 4559
>>>(http://www.rfc-editor.org/rfc/rfc4559.txt), the service principle
>>>name (SPN) should be in the following form: HTTP/hostname.
>>>Of course, we can work around it ourselves if we did something similar
>>>to http://stackoverflow.com/a/22865583 but it would be great if the
>>>sample code works out of the box :-)
>>>To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>>For additional commands, e-mail: httpclient-users-help@hc.apache.org
>> Confidentiality - This email is confidential.
>> Not meant for you? - If you don't think this email is meant for you, please let us
know. Do not copy or forward the information it contains, and delete this email from your
>> Views expressed - Any personal views or opinions expressed in this email are the
sender's, and do not necessarily reflect the views of Standard Life group.
>> Monitoring - We filter and monitor emails to protect our systems and to keep them
running smoothly.
>> Emailing us - Email isn't a secure form of communication. If you want to send us
confidential information please send it by post. However, if you do communicate with us by
email on any subject, you are giving us permission to email you back.
>> Phoning us - Calls may be monitored and/or recorded to protect both you and us and
help with our training. Call charges will vary.
>> Standard Life group - Standard Life group comprises Standard Life plc and its subsidiaries.
For more information on Standard Life group visit our website http://www.standardlife.com/.
>> Standard Life plc (SC286832), Standard Life Assurance Limited (SC286833) and Standard
Life Employee Services Limited (SC271355) are all registered in Scotland at Standard Life
House, 30 Lothian Road, Edinburgh EH1 2DH. Standard Life Assurance Limited is authorised by
the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the
Prudential Regulation Authority.
>> For more information on Standard Life Assurance limited visit our website http://www.standardlife.co.uk
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail: httpclient-users-help@hc.apache.org

To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

View raw message