[
https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033307#comment-17033307
]
Matthias Küspert commented on HTTPCLIENT-1625:
----------------------------------------------
[~michael-o], thanks again for sharing your knowledge. However, since no better
alternative seems available, I'll keep the current solution. Since we're in a
(heavily controlled/secured) intranet, it's really mostly about SSO
authentication, and a MITM attack is quite unlikely.

Just for better understanding: I see I get back a ticket I can use for
authentication with my server ... so everything seems to be OK at first glance.
I can live with that for the moment. What do you mean by '_it never completes
the security loop_'? Isn't the loop finished when the authentication is done
and I got all the data for creating the auth-header?

Another thing: I've read a bit into RFC 7546 and saw this sentence: '_This
document brings all the requirements together into one place for the
convenience of implementors_'. Still, I do not get the methods described there
aligned with RFC 5653, 2743 and 4559. Is there a higher-level
overview/documentation available?

To implement these protocols correctly seems a really daunting task.

> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
> Key: HTTPCLIENT-1625
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
> Project: HttpComponents HttpClient
> Issue Type: Task
> Components: Documentation, HttpClient (classic)
> Affects Versions: 4.5
> Reporter: Michael Osipov
> Assignee: Michael Osipov
> Priority: Major
> Labels: stuck, volunteers-wanted
> Fix For: Stuck
>
>
> The current implementation does not reflect the way GSS-API-based
> authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under:
> https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625