[jira] [Commented] (HTTPCLIENT-1625) Completely overhaul GSS-API-based authentication backend

Tue, 11 Feb 2020 10:22:29 -0800 


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034693#comment-17034693
 ] 

Matthias Küspert commented on HTTPCLIENT-1625:
----------------------------------------------

[~michael-o], hope you will get better soon.
{quote}No, you have to go the hard way: READ. As sad as it sounds. That's the 
reason why 90% get it wrong.
{quote}
I feared you'd answer that. However, since you dived that deep into it, maybe 
you are the best candidate to write an article about it. I'm sure many 
developers out there would appreciate your insights about the journey to GSS 
and the three-headed guard dog.

For my part I'm Ok with the current solution. I understand your chase for a 
correct implementation - it's important for a widely used lib like Apache HC. 
But in my case it's an intranet application which is IMHO not forced to secure 
against MITM attacks. The main goals of my project leads are to identify a user 
with reasonable effort.

However, because I'm interested, I will start to read as far as my budget 
allows ;) We will switch to Apache HC-5 as soon as it is available via Spring 
KerberosRestTemplate.

Thanks

> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-1625
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
>             Project: HttpComponents HttpClient
>          Issue Type: Task
>          Components: Documentation, HttpClient (classic)
>    Affects Versions: 4.5
>            Reporter: Michael Osipov
>            Assignee: Michael Osipov
>            Priority: Major
>              Labels: stuck, volunteers-wanted
>             Fix For: Stuck
>
>
> The current implementation does not reflect the way GSS-API-based 
> authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under: 
> https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to