[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033131#comment-18033131
 ] 

Istvan Toth commented on HTTPCLIENT-2402:
-----------------------------------------

Thank you [~olegk] .

Yes, the only remaining issue is the propagation of the security context which 
is demonstrated by #744.

I do not consider this blocking HTTPCLIENT-2358, as there is still a valid 
way to use SPNEGO with any Java version.

The shims for the API changes are already included in HTTPCLIENT-2358, and 
you've just merged the doPrivileged removal.

The security context propagation changes break a specific use case of Async + 
SPNEGO.
This is independent of the new SPNEGO mechanism; the old deprecated mechanism 
and the new one are affected in the same way.

There are two ways to specify the Credentials for SPNEGO:
- *Explicit* configuration: Add them to a CredentialsProvider and set that for 
the Connections (similar to how password auth is set up)
- *Implicit* configuration: You can omit the CredentialsProvider 
configuration and call HttpClient from a Subject.doAs() block that sets the 
JAAS security context.
The SPNEGO mechanism will fall back to this if the configured 
_CredentialsProvider_ does not include a _GssCredentials_ object.

The explicit configuration works without any problems with any Java version for 
either (sync/async) client, both for the old and new SPNEGO implementation.

The implicit configuration works for the Synchronous client for any Java 
version, because the SPNEGO/GSSAPI authentication happens in the same thread 
that the request was made from.

For the Async client (both the old and new SPNEGO impl), it kind of works up to 
Java 21, but the client will use the Subject from the Thread where the client 
object was created, as the worker threads are started immediately, and the 
Subject is propagated to them from that thread (as opposed to using the 
Subject of the Thread that the request was made from).

Due to the Subject propagation changes for Java 22+ the implicit configuration 
does not work at all for the Async client; the explicit configuration must be 
used (for both the old and new SPNEGO impl).

For reference, this is the test for the explicit config for the sync client:
[https://github.com/stoty/httpcomponents-client/blob/21c58815054c5e182b78ab8967d458adb9451354/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/sync/HttpClientCompatibilityTest.java#L191]
And this is for the implicit one:
[https://github.com/stoty/httpcomponents-client/blob/21c58815054c5e182b78ab8967d458adb9451354/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/sync/HttpClientCompatibilityTest.java#L199]

targetCreds is a _GssCredentials_ object which contains the credentials.

This is the test demonstrating the implicit configuration behaviour of the 
Async client:

[https://github.com/stoty/httpcomponents-client/blob/9737020bd67b45cf764dd381507c7e41cb20fbb1/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/compatibility/sync/HttpClientCompatibilityTest2.java#L230]

This works up to Java 21 (because we're creating the client inside the 
doAs()/callAs() block), but fails with Java 22+.

My opinion is that restoring the subject propagation behaviour in Java 22+ is 
more trouble than it's worth, and we should simply document that the implicit 
SPNEGO configuration is not supported for the Async client.
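As an added illustration of the two configuration modes described in the comment above (example code, not from the ticket or the project), written against the older deprecated SPNEGO API of HttpClient 5.x (`SPNegoSchemeFactory`, `KerberosCredentials`) rather than the new `GssCredentials` class from HTTPCLIENT-2358; the URL and the way the GSS credential is obtained are assumptions:

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.apache.hc.client5.http.auth.AuthScheme;
import org.apache.hc.client5.http.auth.AuthSchemeFactory;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.KerberosCredentials;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.config.Registry;
import org.apache.hc.core5.http.config.RegistryBuilder;
import org.ietf.jgss.GSSCredential;

public class SpnegoConfigModes {

    // Explicit mode: the credential is stored in the CredentialsProvider, so the
    // identity used for SPNEGO does not depend on which thread runs the request.
    // This is the mode that works for sync and async clients on every Java version.
    static CloseableHttpClient explicitClient(GSSCredential targetCreds) {
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(null, -1), new KerberosCredentials(targetCreds));
        Registry<AuthSchemeFactory> schemes = RegistryBuilder.<AuthSchemeFactory>create()
                .register(StandardAuthScheme.SPNEGO, SPNegoSchemeFactory.DEFAULT)
                .build();
        return HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .setDefaultAuthSchemeRegistry(schemes)
                .build();
    }

    // Implicit mode: no credential configured; the scheme falls back to the JAAS
    // Subject of the thread executing the request. Only reliable for the sync
    // client, where the GSSAPI handshake runs on the calling thread. With the
    // async client the handshake runs on worker threads, which see the creating
    // thread's Subject (Java <= 21) or no Subject at all (Java 22+).
    static int implicitGet(Subject subject, CloseableHttpClient client, String url)
            throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () ->
                client.execute(new HttpGet(url), response -> response.getCode()));
    }
}
```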

> Handle SecurityManager removal
> ------------------------------
>
>                 Key: HTTPCLIENT-2402
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2402
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>            Reporter: Istvan Toth
>            Priority: Major
>
> There are two aspects to these changes: 
> - replacing Subject.doAs() with Subject.callAs()
> - handling the changed thread semantics, where the current Subject is no longer 
> propagated to new Threads.
> Httpclient doesn't currently use the disabled methods.
> They are used in HTTPCLIENT-2358, which already includes the SecurityUtils to 
> map the doAs/callAs function based on the JVM version.
> The Subject propagation issue breaks SPNEGO authentication for the Async 
> client, as the Subject is no longer propagated to the executor threads for 
> the Async operations.
> There is no current test for that, I will add new tests to HTTPCLIENT-2358 to 
> cover this case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)