Message-ID: <1409839896.1302.4.camel@ubuntu>
Subject: Re: Using GSSCredential directly for Kerberos authentication
From: Oleg Kalnichevski
To: HttpClient User Discussion
Date: Thu, 04 Sep 2014 16:11:36 +0200
References: <1409758597.19858.6.camel@ubuntu>

On Thu, 2014-09-04 at 19:23 +0530, Vipul Mehta
wrote:
> Here is my patch merged in a forked trunk branch:
> https://github.com/xeronix/httpclient/commit/8f88ec4c58a3d0a72e25af43809698aaf1ccf193
>
> I have tested the patch over 4.3.5 source code and it works fine.
>

NegotiateScheme class has been deprecated since 4.2. Could you please
re-apply your changes to non-deprecated classes instead?

Please also note we will not be able to include this patch into 4.3.x
branch. It can only go into trunk and therefore it should compile
against trunk and all tests should still pass.

Oleg

> With a jar built from the trunk branch I am getting an exception which is not
> related to the patch:
> Exception in thread "main" java.lang.NoSuchMethodError: org.apache.http.impl.conn.CPool.setValidateAfterInactivity(I)V
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>(PoolingHttpClientConnectionManager.java:176)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>(PoolingHttpClientConnectionManager.java:158)
>     at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:838)
>
> Snippet to set GSSCredential for SPNEGO-KERBEROS authentication:
> // gssCredential is the GSSCredential object
> KerberosCredentials kerebrosCredential = new
>         KerberosCredentials(gssCredential);
>
> CredentialsProvider credsProvider = new BasicCredentialsProvider();
> credsProvider.setCredentials(new AuthScope(null, -1, null),
>         kerebrosCredential);
>
> Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
>         .<AuthSchemeProvider> create().register(AuthSchemes.SPNEGO,
>         new SPNegoSchemeFactory()).build();
>
> // Use this authSchemeRegistry for HttpClient.
>
> On Wed, Sep 3, 2014 at 9:06 PM, Oleg Kalnichevski wrote:
>
> > On Wed, 2014-09-03 at 14:40 +0530, Vipul Mehta wrote:
> > > Hi,
> > >
> > > In my scenario I am getting delegated GSSCredential of a user from some
> > > other client and I want to use it to create context and authenticate with
> > > Windows ADFS.
> > >
> > > The createContext call in
> > > *org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken()* relies on JAAS
> > > configuration for getting credentials and hence null is passed to it in
> > > credential field.
> > >
> > > protected byte[] generateGSSToken(
> > > >         final byte[] input, final Oid oid, final String authServer)
> > > >         throws GSSException {
> > > >     byte[] token = input;
> > > >     if (token == null) {
> > > >         token = new byte[0];
> > > >     }
> > > >     final GSSManager manager = getManager();
> > > >     final GSSName serverName = manager.createName("HTTP@" +
> > > >         authServer, GSSName.NT_HOSTBASED_SERVICE);
> > > >
> > > > *    final GSSContext gssContext = manager.createContext(
> > > >         serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);*
> > > >     gssContext.requestMutualAuth(true);
> > > >     gssContext.requestCredDeleg(true);
> > > >     return gssContext.initSecContext(token, 0, token.length);
> > > > }
> > > >
> > >
> > > I want to pass the GSSCredential in this createContext call. Is there any
> > > way I can achieve it without changing httpclient code?
> > >
> >
> > No, there is not. However, I'll happily commit a patch fixing the
> > problem if you feel like contributing one.
> >
> > Oleg
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
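
The change discussed in this thread, sketched as an added example with the standard JGSS API only: the caller's `GSSCredential` goes into `createContext` where the quoted method passes `null`. This is not the patch linked above and not HttpClient code; the class `DelegatedSpnegoToken`, its `generate` method and the early usage/lifetime checks are hypothetical additions.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Hypothetical helper (not HttpClient code): SPNEGO token from a caller-supplied credential. */
public final class DelegatedSpnegoToken {

    /** Object identifier of the SPNEGO mechanism. */
    public static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    private DelegatedSpnegoToken() {
    }

    /** Returns the first context token for HTTP@authServer; a null credential means "use the default". */
    public static byte[] generate(final byte[] input, final String authServer,
                                  final GSSCredential credential) throws GSSException {
        // Reject a credential that cannot initiate a context or has already expired.
        if (credential != null) {
            if (credential.getUsage() == GSSCredential.ACCEPT_ONLY) {
                throw new GSSException(GSSException.NO_CRED);
            }
            if (credential.getRemainingLifetime() <= 0) {
                throw new GSSException(GSSException.CREDENTIALS_EXPIRED);
            }
        }
        final byte[] token = input != null ? input : new byte[0];
        final Oid oid = new Oid(SPNEGO_OID);
        final GSSManager manager = GSSManager.getInstance();
        final GSSName serverName = manager.createName(
                "HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
        // Third argument is the explicit credential. With null, JGSS falls back to
        // the default credential (the JAAS-configured one in the quoted method).
        final GSSContext gssContext = manager.createContext(
                serverName.canonicalize(oid), oid, credential, GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        // Kept from the quoted method: asks JGSS to delegate the credential on to the server.
        gssContext.requestCredDeleg(true);
        return gssContext.initSecContext(token, 0, token.length);
    }
}
```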