[
https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14080313#comment-14080313
]
Gregory Chanan commented on HADOOP-10911:
-----------------------------------------
bq. on the quotes, we had them, they got removed, that broke things, we added
again. They don't do any harm if they are there.

It's a little more complicated -- HADOOP-10379 made multiple changes like
removing the quotes and the Version field. So it was the combination of
changes that broke things, not specifically removing the quotes.

bq. On Max-Age & Expired, i don't think we want to break old browsers. It seems
to me an HttpClient bug that uses the presence of Expire to go back to old
cookie format, the presence of Version=1 should trump. Can you dig on
HttpClient side?

Seems reasonable, I'll dig.

> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
> Key: HADOOP-10911
> URL: https://issues.apache.org/jira/browse/HADOOP-10911
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.0
> Reporter: Gregory Chanan
> Attachments: HADOOP-10911.patch
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is
> unable to authenticate with servers running the authentication filter), even
> with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned
> for backwards compatibility with Netscape draft spec. When httpclient sees
> "Expires", it parses according to the Netscape draft spec, but note from
> RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old"
> cookies did not have quotes around values.
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.
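An added example, not part of the original message and not Hadoop or HttpClient code: a simplified Python model of the spec selection the issue describes, where the presence of Expires selects Netscape-draft parsing and the quotes stay part of the cookie value. The token, dates, header strings and function names are constructed for illustration.

```python
# Simplified model (an assumption, not HttpClient's implementation) of the
# behaviour described in the issue: Expires => Netscape-draft rules, under
# which "old" cookies have no quoted values, so quotes are kept literally.

TOKEN = "u=alice&t=kerberos&s=constructed-signature"  # constructed sample


def parse_set_cookie(header):
    """Parse one Set-Cookie value; the sample values contain no ';'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, raw = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Spec selection as reported: Expires wins even when Version=1 is present.
    spec = "netscape" if "expires" in attrs else "rfc2109"
    value = raw
    if spec == "rfc2109" and len(raw) >= 2 and raw[0] == raw[-1] == '"':
        value = raw[1:-1]  # RFC 2109 quoted-string: quotes are delimiters
    return {"name": name.strip(), "value": value, "spec": spec}


def round_trips(header, issued_token):
    """True if the client stores exactly the token the server issued."""
    return parse_set_cookie(header)["value"] == issued_token


# Constructed headers covering the combinations discussed in the thread.
QUOTED_WITH_EXPIRES = (
    'hadoop.auth="%s"; Version=1; Path=/; '
    "Expires=Thu, 31-Jul-2014 00:00:00 GMT; HttpOnly" % TOKEN
)
QUOTED_NO_EXPIRES = 'hadoop.auth="%s"; Version=1; Path=/; HttpOnly' % TOKEN
UNQUOTED_WITH_EXPIRES = (
    "hadoop.auth=%s; Path=/; Expires=Thu, 31-Jul-2014 00:00:00 GMT" % TOKEN
)

if __name__ == "__main__":
    for label, hdr in [
        ("quoted + Expires", QUOTED_WITH_EXPIRES),
        ("quoted, no Expires", QUOTED_NO_EXPIRES),
        ("unquoted + Expires", UNQUOTED_WITH_EXPIRES),
    ]:
        parsed = parse_set_cookie(hdr)
        print(label, parsed["spec"], round_trips(hdr, TOKEN), parsed["value"])
```

Running the same check against the header a server actually emits shows quickly whether a quoted value combined with Expires will come back to the server with literal quotes attached.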