On 2015-04-06 at 18:12, Oleg Kalnichevski wrote:
On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
Hi folks,

I have finally started coding of that issue. While I was able to write a
working prototype within an hour authenticating against Apache Tomcat
and Apache Web Server, an issue arose I am not really clear about:

Is a credentials provider always necessary for a target host?

Yes, it is.

Thanks, that did the trick!

In other
words, do I always need something like this:
CredentialsProvider p = new BasicCredentialsProvider();
p.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("mumu:mumu"));
builder.setDefaultCredentialsProvider(p);

Although the credential is by default obtained at runtime?
I have noticed that authentication is not executed if no cred provider
is set and the logs are not very chatty about that.


This whole concept of the auth APIs goes back to the days of HC 2.0 and
it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were
primarily designed to work well with standard auth schemes like BASIC
and DIGEST and similar password based auth schemes. Things like Kerberos
and native Windows auth were not properly factored in at that point of
time. We can think of a better abstraction for HC 5, but for now we will
have to live with what we have.

I'll keep that in mind.

While I have made some progress now, the client is not behaving the way I expect it. The AuthScheme impl is called, sends the first token which is accepted by the server and the response token is sent. That is, unfortunately, completely ignored. The HttpAuthenticator says "Authentication succeeded" and ignores #isConnectionBased and #isCompleted. Here is a wire log:

Requesting: http://server.company.net:8080/manager/html
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
[main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {}->http://server.company.net:8080
[main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to server.company.net/1.2.3.4:8080
[main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 2.3.4.5:44647<->1.2.3.4:8080
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: server.company.net:8080
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: Apache-Coyote/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: private
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00 CET
[main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: text/html;charset=utf-8
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Length: 974
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 Apr 2015 19:43:27 GMT
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive indefinitely
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Authentication required
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - server.company.net:8080 requested authentication
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected authentication options: [NEGOTIATE]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: CHALLENGED
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating response to an authentication challenge using Negotiate scheme
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for target host with SPN 'h...@server.company.net' created
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context establishment is in progress
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: server.company.net:8080
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: Negotiate YIIYwwYGKwY...
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: Apache-Coyote/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: private
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00 CET
[main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate oYHtMIHqoAM...
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie: JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: text/html;charset=utf-8
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Transfer-Encoding: chunked
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Encoding: gzip
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary: Accept-Encoding
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 Apr 2015 19:43:27 GMT
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Authentication succeeded
[main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61", version:0, domain:server.company.net, path:/manager, expiry:null]
[...response body...]
[main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
[main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
[main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]

My IN_PROGRESS case is never triggered and the response token is not read by #parseChallenge.

While I do not intend to debug all necessary auth code, I highly suspect that the client does not call the AuthScheme impl just because the server responds with 200 OK along with the token.

Edit: I did a quick hack in AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK too, and it did continue auth and completes the context, but the response is completely discarded and another request is issued.

Any ideas?

Michael
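
The final leg discussed in the message above, shown at the GSS-API level as an added example that is not part of the original thread or of HttpClient's code: the token carried in WWW-Authenticate on the 200 OK is fed into the initiator context, and the response is rejected unless the context is established with mutual authentication. The class and method names are hypothetical; it assumes Java 8+ (java.util.Base64) and a GSSContext created with requestMutualAuth(true).

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

// Added example; NegotiateFinalLeg and its methods are hypothetical names, not HttpClient API.
public final class NegotiateFinalLeg {

    /** Returns the decoded token of a "Negotiate <base64>" value, or null if there is none. */
    static byte[] extractToken(String headerValue) {
        if (headerValue == null) return null;
        String v = headerValue.trim();
        if (!v.regionMatches(true, 0, "Negotiate", 0, 9)) return null;
        if (v.length() == 9) return null;                      // bare challenge, as in the 401
        if (!Character.isWhitespace(v.charAt(9))) return null; // a different scheme name
        return Base64.getDecoder().decode(v.substring(9).trim());
    }

    /**
     * Processes the server's token whatever the HTTP status code was, then
     * rejects the response unless the server has proven its identity.
     * Assumes ctx is the initiator context that produced the Authorization token.
     */
    static void completeOrReject(GSSContext ctx, String wwwAuthenticate) throws GSSException {
        byte[] token = extractToken(wwwAuthenticate);
        if (token != null) {
            byte[] next = ctx.initSecContext(token, 0, token.length);
            if (next != null && next.length > 0) {
                throw new IllegalStateException("another leg is required; do not use the response yet");
            }
        }
        if (!ctx.isEstablished()) {
            throw new SecurityException("GSS context not established; final server token missing");
        }
        if (!ctx.getMutualAuthState()) {
            throw new SecurityException("server was not mutually authenticated");
        }
    }

    public static void main(String[] args) {
        // Constructed header values; the payload is arbitrary bytes, not a real SPNEGO token.
        String constructed = "Negotiate " + Base64.getEncoder().encodeToString(new byte[] {1, 2, 3});
        System.out.println("bare challenge has token: " + (extractToken("Negotiate") != null));
        System.out.println("constructed token length: " + extractToken(constructed).length);
        System.out.println("Basic header has token: " + (extractToken("Basic realm=\"x\"") != null));
    }
}
```

completeOrReject needs a live Kerberos environment to run; main only exercises the header parsing on constructed values.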
