[
https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483787#comment-14483787
]
Michael Osipov commented on HTTPCLIENT-1625:
--------------------------------------------
Hi Moritz,
just checked your code. It does something completely different and uses the
current implementation, which does not work by the way. Just a question: why do
you need preemptive auth here? A {{GET}} with 401 is extremely cheap and
{{POST}} and {{PUT}} with curl against Tomcat with SPNEGO is a snap.
Yes, you are right. I wouldn't recommend it to anyone right now.
About the port thing, I have not found anything about that in the RFC 4120,
chapter 6.2.1. So, this is solely Microsoft. I (highly) doubt that JGSS and MIT
Kerberos support that. Though, I have searched our forest for a SPN with HTTP
and port and did not find one. We have more than 20 realms with thousands of
hosts. The only port-related SPNs were for SQL Server. I can try that with a
standalone client against SQL Server and will add this later as a runtime
parameter.
Regarding your suggestion: deciding about preemption is not the task of the
authenticator but solely of the client. What server does not keep state? At
least my SPNEGO authenticator for Tomcat does not do that but this has nothing
to do with connection state. My impl works flawlessly with MIT Kerberos, JGSS
and SSPI.
Currently, I have a bigger problem doing things right because HttpClient
assumes every auth scheme to be a challenge/response mech, which Kerberos isn't.
It's the opposite. You can follow the discussion
[here](http://www.mail-archive.com/[email protected]/msg14632.html) and you may
have some helping ideas.
> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
> Key: HTTPCLIENT-1625
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
> Project: HttpComponents HttpClient
> Issue Type: Task
> Components: Documentation, HttpAuth, HttpClient
> Affects Versions: 4.5 Alpha1
> Reporter: Michael Osipov
> Assignee: Michael Osipov
> Fix For: 4.5 Alpha1
>
>
> The current implementation does not reflect the way GSS-API-based
> authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under:
> https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625