[ https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gregory Chanan updated HADOOP-10911:
------------------------------------
Attachment: HADOOP-10911v2.patch
bq. On Max-Age & Expired, I don't think we want to break old browsers. It seems
to me an HttpClient bug that uses the presence of Expire to go back to old
cookie format, the presence of Version=1 should trump. Can you dig on
HttpClient side?
This is a bit complicated -- see the discussion here:
http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201408.mbox/%3C1406895602.17749.8.camel%40ubuntu%3E
In short, it's not a valid Version=1 cookie, but httpclient would like to be
able to handle it anyway, see HTTPCLIENT-1546.
I added a patch that does the following:
1) Runs the TestKerberosAuthenticator test cases against Tomcat as well as
Jetty, this exposes the bug in HADOOP-10379, which didn't get a test added in
HADOOP-10710
2) Adds an httpclient test case to TestKerberosAuthenticator. This does 2
things:
- Checks that the cookie is actually being processed. Note that it's possible
for the existing tests to pass by doing the SPNego negotiation on each request,
rather than relying on the cookie. But the entity type we use in the test
doesn't support repeating, so an exception is raised if the SPNego process
repeats
- Verifies that httpclient works with our cookie format (probably not strictly
necessary, but nice to have given httpclient's popularity)
So, I think the test cases are pretty useful for catching regressions.
As for the format itself, I just chose a simple format that passes all the
tests. That seems like a reasonable improvement over what we have now, but I'm
not married to the particular format.
> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
> Key: HADOOP-10911
> URL: https://issues.apache.org/jira/browse/HADOOP-10911
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.0
> Reporter: Gregory Chanan
> Attachments: HADOOP-10911-tests.patch, HADOOP-10911.patch,
> HADOOP-10911v2.patch
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is
> unable to authenticate with servers running the authentication filter), even
> with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned
> for backwards compatibility with netscape draft spec. When httpclient sees
> "Expires", it parses according to the netscape draft spec, but note from
> RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old"
> cookies did not have quotes around values.
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.
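As an added illustration (not Hadoop's or HttpClient's code), a toy model of the two parsing rules the description contrasts: RFC 2109 strips the quotes around a quoted value, the Netscape draft does not, and a client that falls back to Netscape rules whenever it sees Expires echoes the quotes back. The token value, the `e=`/`s=` fields and the Expires-triggered fallback are constructed assumptions, not HttpClient's actual logic.

```python
from typing import Dict, Tuple

# Constructed sample token in the "field=value&..." shape hadoop.auth carries.
TOKEN = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1407000000000&s=abc123"

# Header shape the issue describes: quoted value, Version=1 AND Expires.
MIXED_HEADER = (
    f'hadoop.auth="{TOKEN}"; Version=1; Path=/; '
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"
)
# Same cookie using only RFC 2109 attributes (Max-Age instead of Expires).
RFC_ONLY_HEADER = f'hadoop.auth="{TOKEN}"; Version=1; Path=/; Max-Age=0; HttpOnly'


def _split(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; attr=val; ...' into name, raw value, attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, raw_value = parts[0].partition("=")  # value may itself contain '='
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), raw_value, attrs


def parse_rfc2109(header: str) -> str:
    """RFC 2109: the value may be a quoted-string, so surrounding quotes go."""
    _, raw_value, _ = _split(header)
    if len(raw_value) >= 2 and raw_value[0] == raw_value[-1] == '"':
        return raw_value[1:-1]
    return raw_value


def parse_netscape(header: str) -> str:
    """Netscape draft: "old" cookies had no quotes, so nothing is stripped and
    the quote characters become part of the value sent back to the server."""
    _, raw_value, _ = _split(header)
    return raw_value


def parse_expires_fallback_client(header: str) -> str:
    """Model of a client that switches to Netscape rules as soon as Expires is
    present, ignoring Version=1 (the behaviour the issue describes; assumed)."""
    _, _, attrs = _split(header)
    return parse_netscape(header) if "expires" in attrs else parse_rfc2109(header)


def round_trips(header: str) -> bool:
    """True when the value such a client echoes back equals the token set."""
    return parse_expires_fallback_client(header) == TOKEN
```

Running `round_trips` on the two headers shows the mixed header failing (the server sees `"u=...` with literal quotes) while the RFC-only header succeeds.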
--
This message was sent by Atlassian JIRA
(v6.2#6252)