[ https://issues.apache.org/jira/browse/HTTPCLIENT-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16779676#comment-16779676 ]
Michael Osipov commented on HTTPCLIENT-1972:
--------------------------------------------
The problem isn't even money, it is just time. I have to finish a server or
two. This issue is actually important to a project at work, so expect me to
pick this up soon, but the fix won't land in 4.x because the auth subsystem
cannot be refitted. It will land in 5.0.
> Kerberos/SPNego Negotiate not working correctly?
> ------------------------------------------------
>
> Key: HTTPCLIENT-1972
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1972
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.7
> Environment: Windows 10, JDK 8 u191
> Reporter: Michel Jung
> Priority: Major
> Labels: stuck, volunteers-wanted
> Fix For: Stuck
>
>
> I don't understand much of Kerberos/SPNego and how it's implemented, but
> something seems to be off.
> It's about this method from {{org.apache.http.impl.auth.GGSSchemeBase}}:
> {code:java}
> @Override
> protected void parseChallenge(
>         final CharArrayBuffer buffer,
>         final int beginIndex, final int endIndex) throws MalformedChallengeException {
>     final String challenge = buffer.substringTrimmed(beginIndex, endIndex);
>     if (log.isDebugEnabled()) {
>         log.debug("Received challenge '" + challenge + "' from the auth server");
>     }
>     if (state == State.UNINITIATED) {
>         token = Base64.decodeBase64(challenge.getBytes());
>         state = State.CHALLENGE_RECEIVED;
>     } else {
>         log.debug("Authentication already attempted");
>         state = State.FAILED;
>     }
> }{code}
> In my case, it's first called for "Negotiate" (without a value) so that
> {{challenge}} is an empty string, resulting in an empty token.
> After that, the method is called a second time for "Negotiate
> <someBase64String>" but since the state is no longer {{UNINITIATED}}, the
> authentication fails.
> Comparing this to the implementation of
> {{org.apache.http.impl.auth.win.WindowsNegotiateScheme}}:
> {code:java}
> @Override
> protected void parseChallenge(
>         final CharArrayBuffer buffer,
>         final int beginIndex,
>         final int endIndex) throws MalformedChallengeException {
>     this.challenge = buffer.substringTrimmed(beginIndex, endIndex);
>     if (this.challenge.isEmpty()) {
>         if (clientCred != null) {
>             dispose(); // run cleanup first before throwing an exception otherwise can leak OS resources
>             if (continueNeeded) {
>                 throw new RuntimeException("Unexpected token");
>             }
>         }
>     }
> }{code}
> Here, the case described above is handled correctly; an empty challenge
> isn't processed.
> Unfortunately, I can't use {{WindowsNegotiateScheme}} as I need to use a
> keytab file and specify my own user, and I prefer a platform-independent
> solution anyways.
> Is the first implementation buggy or am I doing something wrong? Is there a
> way to work around this?
>
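The challenge sequence from the report, as an added example that is not part of the original message and is not HttpClient code: a simplified model of the state handling in the quoted `GGSSchemeBase.parseChallenge`. The class name, the `skipEmptyChallenge` switch and the sample token are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Simplified model of the quoted challenge handling; not HttpClient code.
public class NegotiateChallengeModel {
    enum State { UNINITIATED, CHALLENGE_RECEIVED, FAILED }

    State state = State.UNINITIATED;
    byte[] token = new byte[0];
    final boolean skipEmptyChallenge; // hypothetical switch, for comparison only

    NegotiateChallengeModel(boolean skipEmptyChallenge) {
        this.skipEmptyChallenge = skipEmptyChallenge;
    }

    // Takes the text that follows the "Negotiate" scheme name in WWW-Authenticate.
    void parseChallenge(String challenge) {
        String trimmed = challenge.trim();
        if (skipEmptyChallenge && trimmed.isEmpty()) {
            return; // bare "Negotiate": no token yet, leave the state untouched
        }
        if (state == State.UNINITIATED) {
            token = Base64.getDecoder().decode(trimmed);
            state = State.CHALLENGE_RECEIVED;
        } else {
            state = State.FAILED; // same transition as the quoted method
        }
    }

    // Feeds the challenges in order and returns the final state.
    static State run(boolean skipEmptyChallenge, String... challenges) {
        NegotiateChallengeModel scheme = new NegotiateChallengeModel(skipEmptyChallenge);
        for (String c : challenges) {
            scheme.parseChallenge(c);
        }
        return scheme.state;
    }

    public static void main(String[] args) {
        // Constructed sample token, not a real SPNEGO blob.
        String sample = Base64.getEncoder()
                .encodeToString("constructed-token".getBytes(StandardCharsets.UTF_8));
        // Sequence from the report: bare "Negotiate", then "Negotiate <base64>".
        System.out.println("as quoted:        " + run(false, "", sample));
        System.out.println("empty is skipped: " + run(true, "", sample));
    }
}
```

With the switch off, the bare `Negotiate` challenge uses up the `UNINITIATED` state and the token-bearing challenge ends in `FAILED`; with it on, the same sequence ends in `CHALLENGE_RECEIVED`. In both variants a second token-bearing challenge still moves the model to `FAILED`.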