hc-httpclient-users mailing list archives

From Malcolm Smith <malcolm_sm...@standardlife.com>
Subject Re: Specifying the correct SPN via WinHttpClients in HttpClient 4.4
Date Wed, 27 Aug 2014 12:39:59 GMT
Hi Ka-Lok,

Sorry, I missed your mail. I agree. Based on my (fairly limited)
understanding, for the Kerberos handshake to succeed the SPN must be
passed into the getToken method call. The original code was contributed by
Ryan McKinley based on code from the waffle project, so I’m not sure what
the reasoning behind defaulting to the username in first scenario was and
I can’t see using ‘localhost’ ever being correct. The new code you
contributed looks great, much improved SPN handling. I’ll alter that SO
answer once 4.4 is out.


On 17/08/2014 07:19, "K Fung" <kfung4cxf@gmail.com> wrote:

>Hi Malcolm,
>I took a look at the code today and found a way to automatically
>construct the SPN without it being explicitly passed in. Before I
>submit the patch though, I was hoping you can provide some feedback on
>the calls to getToken:
>response = getToken(null, null, this.servicePrincipalName != null ?
>this.servicePrincipalName : username);
>response = getToken(this.sppicontext, continueTokenBuffer,
>this.servicePrincipalName != null ? this.servicePrincipalName :
>In the first call, username is used but in the second, localhost is
>used. Do you know why they're different? The docs state that
>pszTargetName should point to a SPN or security context of the
>destination server [1].
>Right now, I'm inclined to replace the default values with my
>calculated HTTP/<hostname> value. Users can always explicitly provide
>their own default by explicitly creating the appropriate scheme
>What do you think?
>On Thu, Aug 14, 2014 at 10:56 AM, K Fung <kfung4cxf@gmail.com> wrote:
>> Hi Malcolm,
>> If you take a look at the default WinHttpClient[1], specifically the
>> createBuilder() function, you'll see that null is always being
>> provided as the principal name. I was hoping there would be a way to
>> automatically inject HTTP/<hostname>. I planned to examine how this
>> could be made possible :-)
>> Currently, in our own code, we are creating a specific client
>> with a specific auth scheme and specifically filling in the correct
>> SPN for the request.
>> Regards,
>> kl
>> [1]
>> On Thu, Aug 14, 2014 at 9:37 AM, Malcolm Smith
>> <malcolm_smith@standardlife.com> wrote:
>>> Hi Ka-Lok,
>>> I'm wondering what you expect the out of the box behaviour to be here?
>>> service principal needs to be specified by the client, so there is no
>>> valid default.
>>> I submitted the original patch to enable the SPN to be specified, and
>>> wrote the SO response you linked to. Are you just looking to provide a
>>> simpler way of injecting the SPN into the
>>> Admittedly it is slightly clunky having to construct an anonymous
>>> but I couldn't find a simpler way of injecting the SPN into the
>>> WindowsNegotiateSchemeFactory.
>>> Regards,
>>> Malcolm.
>>> On 13/08/2014 22:14, "K Fung" <kfung4cxf@gmail.com> wrote:
>>>>If we use WinHttpClients as, HTTP Negotiate authentication won't work
>>>>because the ticket being generated always uses 'null' service
>>>>principal name (SPN). Can this be filed as a bug?
>>>>According to the informational RFC 4559
>>>>(http://www.rfc-editor.org/rfc/rfc4559.txt), the service principal
>>>>name (SPN) should be in the following form: HTTP/hostname.
>>>>Of course, we can work around it ourselves if we did something similar
>>>>to http://stackoverflow.com/a/22865583 but it would be great if the
>>>>sample code works out of the box :-)
>>>>To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>>>For additional commands, e-mail: httpclient-users-help@hc.apache.org
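As an added illustration, not code from this thread or from HttpClient itself, the following plain Java shows the SPN selection discussed above: an explicitly configured SPN wins, otherwise HTTP/<hostname> is derived from the request URI per RFC 4559, and there is no fallback to the username or to localhost. The class and method names are my own.

```java
import java.net.URI;
import java.util.Locale;

/** Derives the Kerberos SPN for an HTTP Negotiate target from the request URI. */
public final class SpnResolver {

    private SpnResolver() {}

    /**
     * Builds an SPN of the form HTTP/<hostname> as described in RFC 4559.
     * The service class is "HTTP" for both http and https targets, and the
     * port is not part of the name, so two servers on different ports of the
     * same host share one SPN.
     */
    public static String spnFor(URI target) {
        String host = target.getHost();
        if (host == null || host.isEmpty()) {
            // A missing host cannot be turned into a valid SPN; fail loudly rather
            // than silently request a ticket for a wrong principal.
            throw new IllegalArgumentException("target URI has no host: " + target);
        }
        // Hostnames are case-insensitive in DNS but principal names are not, so
        // normalise to lower case before building the name (assumed convention).
        return "HTTP/" + host.toLowerCase(Locale.ROOT);
    }

    /**
     * Resolves the SPN to present to the SSPI/GSS layer: a caller-supplied
     * value takes precedence, otherwise the name is derived from the URI.
     */
    public static String effectiveSpn(String configuredSpn, URI target) {
        if (configuredSpn != null && !configuredSpn.isEmpty()) {
            return configuredSpn;
        }
        return spnFor(target);
    }

    public static void main(String[] args) {
        // Constructed sample targets, not hosts from the thread.
        URI plain = URI.create("http://Intranet.Example.test/app");
        URI tls = URI.create("https://intranet.example.test:8443/app");
        System.out.println(effectiveSpn(null, plain)); // HTTP/intranet.example.test
        System.out.println(effectiveSpn(null, tls));   // HTTP/intranet.example.test
        System.out.println(effectiveSpn("HTTP/alias.example.test", tls)); // explicit wins
    }
}
```

If the target is reached through a DNS alias, the ticket must be requested for the name the service account actually has registered, which is why the explicit override is kept rather than only the derived value.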
