Moving to dev@ as it's more of a dev@ discussion.

On Monday 15 November 2010 10:26:44 am Schneider Christian wrote:
> Hi all,
> 
> I am currently working on https://issues.apache.org/jira/browse/CXF-3123
> (Support Spnego/Kerberos authentication for http transport). My first
> attempt was to implement an AuthSupplier for this case. I thought
> AuthSupplier acts as a kind of strategy to implement auth support.
> 
> When I dug into the code I found that this is not really true.
> AuthSupplier seems to be used only in some cases and many other decisions
> are done in setHeadersByAuthorizationPolicy, setBasicAuthHeader,
> setProxyBasicAuthHeader, authorizationRetransmit. So it would not be so
> easy to add another authentication mechanism.
> 
> To clean this up I propose to refactor to a strategy based implementation
> with 3 current strategies:
> 
> - BasicAuthStrategy
> - DigestAuthStrategy
> - SpnegoAuthStrategy
> 
> The conduit should do no detailed authentication handling at all. 

Sure.   That works for me.   Originally, it just supported the BasicAuth stuff 
internally with the AuthSupplier there to extend it.  When the Digest stuff 
was added, we added it as an AuthSupplier, but never really pulled the 
BasicAuth stuff out.


> Instead
> it should delegate to the strategy to be used and let it do what is
> needed. Another problem is then of course how to choose the strategy to be
> used. 

Well, I guess here would be my "requirements":

1) "Out of the box", basic auth needs to "just work".  If the user sets the 
username and password and nothing is configured in, the basic auth stuff 
should automatically turn on preemptively.

2) Streaming - related to (1), when the username/password is set with basic 
auth, it cannot break streaming.

3) If the other auth mechanisms support streaming, we should keep it enabled.  
However, some of them don't allow for the streaming.  

4) Obviously, if something IS configured in, that should just work as well.  
:-)

> We could do it upfront and then only give the conduit one strategy
> or we could do it later and give the conduit a strategy that decides for
> each case which real strategy to use.

The streaming requirement kind of removes the second option.   Once we get the 
401 back, the streaming is stopped and the original message is gone.   If the 
user specifically turns off streaming, OK, we can do something smart. 

Dan



> 
> Any ideas / opinions about this are very much welcome.
> 
> Best regards
> 
> Christian
> 
> Christian Schneider
> Information Processing
> Business Solutions
> Trading and Dispatching
> 
> Tel : +49-(0)721-63-15482
> 
> EnBW Systeme Infrastruktur Support GmbH
> Registered office: Karlsruhe
> Commercial register: Amtsgericht Mannheim - HRB 108550
> Chairman of the Supervisory Board: Dr. Bernhard Beck
> Managing Directors: Jochen Adenau, Hans-Günther Meier

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog

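The strategy split Christian proposes and the requirements Dan lists (preemptive Basic by default, Basic must not break streaming, challenge-based mechanisms need a retransmit) can be sketched in a few classes. The code below is an added illustration written for this thread, not CXF's HTTPConduit or AuthSupplier code; every type (AuthStrategy, Request, select, send) is a hypothetical stand-in and the sample payload is constructed. Digest is shown without the response-hash computation, and SPNEGO is left out; it would slot in like Digest, as a challenge-driven strategy that cannot stream.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of the strategy split discussed on dev@. None of these
// types are CXF's own; names and shapes are assumptions for illustration only.
public class AuthStrategyDemo {

    /** Minimal stand-in for an outgoing HTTP request (not CXF's Message). */
    static final class Request {
        final Map<String, String> headers = new HashMap<>();
        final byte[] body;
        Request(byte[] body) { this.body = body; }
    }

    /** One authentication mechanism; the conduit delegates every auth decision here. */
    interface AuthStrategy {
        /** Called before the first send; may add credentials preemptively. */
        void prepare(Request req, String user, String password);
        /** Called after a 401; returns true if the request must be resent. */
        boolean handleChallenge(Request req, String wwwAuthenticate, String user, String password);
        /** Strategies that depend on a retransmit cannot keep the body streaming. */
        boolean supportsStreaming();
    }

    /** Requirement (1): credentials present and nothing configured => preemptive Basic. */
    static final class BasicAuthStrategy implements AuthStrategy {
        public void prepare(Request req, String user, String password) {
            String token = Base64.getEncoder().encodeToString(
                    (user + ":" + password).getBytes(StandardCharsets.UTF_8));
            req.headers.put("Authorization", "Basic " + token);
        }
        public boolean handleChallenge(Request req, String wwwAuthenticate, String user, String password) {
            // Credentials already went out preemptively; a 401 now means they were rejected.
            return false;
        }
        public boolean supportsStreaming() { return true; } // requirement (2)
    }

    /** Digest needs the server nonce first, so it always costs a 401 round trip. */
    static final class DigestAuthStrategy implements AuthStrategy {
        public void prepare(Request req, String user, String password) { /* nothing preemptive */ }
        public boolean handleChallenge(Request req, String wwwAuthenticate, String user, String password) {
            if (!wwwAuthenticate.startsWith("Digest ")) return false;
            // A real implementation parses realm/nonce from the challenge and adds the
            // response hash; only the shape of the header is shown here.
            req.headers.put("Authorization", "Digest username=\"" + user + "\"");
            return true; // caller must retransmit the buffered body
        }
        public boolean supportsStreaming() { return false; } // requirement (3): retransmit needed
    }

    /** Up-front selection (the first option in the thread): decided before the first send. */
    static AuthStrategy select(String configuredType, String user) {
        if (configuredType != null) {
            if ("Digest".equalsIgnoreCase(configuredType)) return new DigestAuthStrategy();
            if ("Basic".equalsIgnoreCase(configuredType)) return new BasicAuthStrategy();
            throw new IllegalArgumentException("unknown auth type: " + configuredType);
        }
        // Nothing configured: a username means Basic "just works"; otherwise no auth at all.
        return user != null ? new BasicAuthStrategy() : null;
    }

    /** Sketch of a conduit send; the 401 from the server is simulated by the caller. */
    static Request send(Request req, AuthStrategy strategy, String user, String pw,
                        boolean serverChallenges, String challengeHeader) {
        if (strategy == null) return req;
        boolean streaming = strategy.supportsStreaming(); // conduit buffers the body when false
        strategy.prepare(req, user, pw);
        if (serverChallenges) {
            if (streaming) {
                // Body was streamed straight to the server; there is nothing left to resend.
                return req;
            }
            if (strategy.handleChallenge(req, challengeHeader, user, pw)) {
                // retransmit the buffered body with the new Authorization header
            }
        }
        return req;
    }

    public static void main(String[] args) {
        byte[] body = "<soap:Envelope/>".getBytes(StandardCharsets.UTF_8); // constructed payload
        AuthStrategy basic = select(null, "alice");
        Request r1 = send(new Request(body), basic, "alice", "secret", false, null);
        System.out.println("basic: " + r1.headers.get("Authorization"));
        AuthStrategy digest = select("Digest", "alice");
        Request r2 = send(new Request(body), digest, "alice", "secret", true,
                          "Digest realm=\"demo\", nonce=\"abc\""); // constructed challenge
        System.out.println("digest: " + r2.headers.get("Authorization"));
    }
}
```

The point of the split is visible in `send`: once the strategy is chosen up front, the conduit only needs to know whether it may stream, and the strategy carries everything mechanism-specific. That is also why the second option in the thread (a meta-strategy that decides per request after the 401) does not fit Dan's streaming requirement: by the time the challenge arrives, a streamed body is already gone.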