Michel Jung created HTTPCLIENT-1972:
---------------------------------------

             Summary: Kerberos/SPNego Negotiate not working correctly?
                 Key: HTTPCLIENT-1972
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1972
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 4.5.7
         Environment: Windows 10, JDK 8 u191
            Reporter: Michel Jung


I don't understand much of Kerberos/SPNego and how it's implemented, but 
something seems to be off.

It's about this method from {{org.apache.http.impl.auth.GGSSchemeBase}}:
{code:java}
@Override
protected void parseChallenge(
        final CharArrayBuffer buffer,
        final int beginIndex, final int endIndex) throws MalformedChallengeException {
    final String challenge = buffer.substringTrimmed(beginIndex, endIndex);
    if (log.isDebugEnabled()) {
        log.debug("Received challenge '" + challenge + "' from the auth server");
    }
    if (state == State.UNINITIATED) {
        token = Base64.decodeBase64(challenge.getBytes());
        state = State.CHALLENGE_RECEIVED;
    } else {
        log.debug("Authentication already attempted");
        state = State.FAILED;
    }
}{code}
In my case, it's first called for "Negotiate" (without a value) so that 
{{challenge}} is an empty string, resulting in an empty token.

After that, the method is called a second time for "Negotiate 
<someBase64String>" but since the state is no longer {{UNINITIATED}}, the 
authentication fails.

Comparing this to the implementation of 
{{org.apache.http.impl.auth.win.WindowsNegotiateScheme}}:
{code:java}
@Override
protected void parseChallenge(
        final CharArrayBuffer buffer,
        final int beginIndex,
        final int endIndex) throws MalformedChallengeException {
    this.challenge = buffer.substringTrimmed(beginIndex, endIndex);

    if (this.challenge.isEmpty()) {
        if (clientCred != null) {
            dispose(); // run cleanup first before throwing an exception otherwise can leak OS resources
            if (continueNeeded) {
                throw new RuntimeException("Unexpected token");
            }
        }
    }
}{code}
Here, the case described above is handled correctly; an empty challenge isn't 
processed.

Unfortunately, I can't use {{WindowsNegotiateScheme}} as I need to use a keytab 
file and specify my own user, and I prefer a platform-independent solution 
anyways.

Is the first implementation buggy or am I doing something wrong? Is there a way 
to work around this?

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
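
The state transitions described in the report can be replayed with a stand-alone model. This is an added example, not HttpClient code and not a fix from the project: `ChallengeReplay`, `replay` and the `skipEmpty` guard are hypothetical names, the token is a constructed sample, and no GSS-API context establishment is modelled.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Model only: ChallengeReplay and skipEmpty are hypothetical names, not HttpClient API.
public class ChallengeReplay {
    enum State { UNINITIATED, CHALLENGE_RECEIVED, FAILED }

    private final boolean skipEmpty;          // hypothetical guard for a bare "Negotiate"
    private State state = State.UNINITIATED;
    private byte[] token = new byte[0];

    ChallengeReplay(boolean skipEmpty) { this.skipEmpty = skipEmpty; }

    // Same branches as the quoted GGSSchemeBase.parseChallenge, plus the optional guard.
    void parseChallenge(String headerValue) {
        String challenge = headerValue.substring("Negotiate".length()).trim();
        if (skipEmpty && challenge.isEmpty()) {
            return;                           // leave the state untouched
        }
        if (state == State.UNINITIATED) {
            token = Base64.getDecoder().decode(challenge); // "" decodes to 0 bytes
            state = State.CHALLENGE_RECEIVED;
        } else {
            state = State.FAILED;             // any second challenge lands here
        }
    }

    // Feed a sequence of WWW-Authenticate values to one scheme instance and trace it.
    static State replay(boolean skipEmpty, String... headers) {
        ChallengeReplay scheme = new ChallengeReplay(skipEmpty);
        for (String h : headers) {
            scheme.parseChallenge(h);
            System.out.printf("skipEmpty=%-5b %-40s state=%s tokenBytes=%d%n",
                    skipEmpty, h, scheme.state, scheme.token.length);
        }
        return scheme.state;
    }

    public static void main(String[] args) {
        // Constructed sample token, not a real SPNEGO blob.
        String withToken = "Negotiate " + Base64.getEncoder()
                .encodeToString("constructed-sample".getBytes(StandardCharsets.UTF_8));
        replay(false, "Negotiate", withToken); // as quoted: ends in FAILED
        replay(true, "Negotiate", withToken);  // with guard: ends in CHALLENGE_RECEIVED
    }
}
```

Without the guard, the bare `Negotiate` header moves the model to `CHALLENGE_RECEIVED` with a zero-length token, so the header that carries the token ends in `FAILED`.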
