On 23 July 2014 12:09, Felix Schumacher <[email protected]> wrote: > Am 23.07.2014 12:27, schrieb sebb: > >> On 22 July 2014 17:19, Felix Schumacher >> <[email protected]> wrote: >>> >>> >>> >>> On 22. Juli 2014 16:50:20 MESZ, sebb <[email protected]> wrote: >>>> >>>> On 18 July 2014 21:06, <[email protected]> wrote: >>>>> >>>>> Author: pmouawad >>>>> Date: Fri Jul 18 20:05:59 2014 >>>>> New Revision: 1611785 >>>>> >>>>> URL: http://svn.apache.org/r1611785 >>>>> Log: >>>>> Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add >>>> >>>> port to SPN when server port is neither 80 nor 443 >>>>> >>>>> Add a jmeter property to control behaviour. >>>>> By default strip port. >>>> >>>> >>>> -1. >>>> >>>> As far as I can tell, the patch changes the default behaviour. >>>> The default should be changed, e.g. by setting STRIP_PORT to false by >>>> default. >>> >>> >>> The default was (and should be) to strip ports. I have tested spnego with >>> default option and it worked. >> >> >> No, the default was to strip 80 and 443, not all ports. >> >> Whether the default should be changed is a separate issue. >> >>> Why do you think the default behavior was changed by this commit? >> >> >> Originally, the code used >> >> boolean stripPort = (url.getPort() == HTTPConstants.DEFAULT_HTTP_ >> PORT || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); >> >> Now it effectively uses >> >> boolean stripPort = STRIP_PORT || (url.getPort() == >> HTTPConstants.DEFAULT_HTTP_ >> PORT || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); >> >> Since STRIP_PORT == true by default, this means the stripPort is >> always true by default - it is not affected by the actual port that is >> used. >> >> So the default is now to strip ports. However, that is a change from >> the original code. > > > You are looking at the wrong change then. The default was changed in > r1611028 from strip all to strip non default ports.
OK, I see now. Sorry, I was looking at the change message in isolation. > More details can be found at > https://issues.apache.org/bugzilla/show_bug.cgi?id=56701 > > The change r1611028 made a non default option that was supported by chrome > only, to be the default. That was changed back in r1611785 which you are now > looking at. > > So given this, do you still think that we should change the stripping > behavior to one that > * is only supported in chrome, which is even not the default > * was never released in jmeter and thus introduces changes between released > versions No ... > Or is there anything wrong with the change as such, other then > reestablishing the state before r1611785? No. > Regards > Felix > >> >> >>> Regards >>> Felix >>>> >>>> >>>>> Bugzilla Id: 56701 >>>>> >>>>> Modified: >>>>> jmeter/trunk/bin/jmeter.properties >>>>> >>>> >>>> jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>>>> >>>>> jmeter/trunk/xdocs/changes.xml >>>>> jmeter/trunk/xdocs/usermanual/component_reference.xml >>>>> >>>>> Modified: jmeter/trunk/bin/jmeter.properties >>>>> URL: >>>> >>>> >>>> http://svn.apache.org/viewvc/jmeter/trunk/bin/jmeter.properties?rev=1611785&r1=1611784&r2=1611785&view=diff >>>>> >>>>> >>>> >>>> ============================================================================== >>>>> >>>>> --- jmeter/trunk/bin/jmeter.properties (original) >>>>> +++ jmeter/trunk/bin/jmeter.properties Fri Jul 18 20:05:59 2014 >>>>> @@ -337,7 +337,11 @@ log_level.jorphan=INFO >>>>> >>>>> # AuthManager Kerberos configuration >>>>> # Name of application module used in jaas.conf >>>>> -#kerberos_jaas_application=JMeter >>>>> +#kerberos_jaas_application=JMeter >>>>> + >>>>> +# Should ports be stripped from urls before constructing SPNs >>>>> +# for spnego authentication >>>>> +#kerberos.spnego.strip_port=true >>>>> >>>>> # Sample logging levels for Commons HttpClient >>>>> # >>>>> @@ -962,8 +966,8 @@ beanshell.server.file=../extras/startup. >>>>> #jsyntaxtextarea.maxundos=50 >>>>> >>>>> # Maximum size of HTML page that can be displayed; default=200 * >>>> >>>> 1024 >>>>> >>>>> -# Set to 0 to disable the size check >>>>> -#view.results.tree.max_size=0 >>>>> +# Set to 0 to disable the size check and display the whole response >>>>> +#view.results.tree.max_size=204800 >>>>> >>>>> # Order of Renderers in View Results Tree >>>>> # Note full class names should be used for non jmeter core renderers >>>>> >>>>> Modified: >>>> >>>> >>>> jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>>>> >>>>> URL: >>>> >>>> >>>> http://svn.apache.org/viewvc/jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java?rev=1611785&r1=1611784&r2=1611785&view=diff >>>>> >>>>> >>>> >>>> ============================================================================== >>>>> >>>>> --- >>>> >>>> >>>> jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>>> (original) >>>>> >>>>> +++ >>>> >>>> >>>> jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>>> Fri Jul 18 20:05:59 2014 >>>>> >>>>> @@ -96,6 +96,9 @@ public class AuthManager extends ConfigT >>>>> >>>>> private static final boolean DEFAULT_CLEAR_VALUE = false; >>>>> >>>>> + /** Decides whether port should be omitted from SPN for kerberos >>>> >>>> spnego authentication */ >>>>> >>>>> + private static final boolean STRIP_PORT = >>>> >>>> JMeterUtils.getPropDefault("kerberos.spnego.strip_port", true); >>>>> >>>>> + >>>>> public enum Mechanism { >>>>> BASIC_DIGEST, KERBEROS; >>>>> } >>>>> @@ -392,8 +395,7 @@ public class AuthManager extends ConfigT >>>>> log.debug(username + " > D="+domain+" R="+realm + " >>>> >>>> M="+auth.getMechanism()); >>>>> >>>>> } >>>>> if (Mechanism.KERBEROS.equals(auth.getMechanism())) { >>>>> - boolean stripPort = (url.getPort() == >>>> >>>> HTTPConstants.DEFAULT_HTTP_PORT || url.getPort() == >>>> HTTPConstants.DEFAULT_HTTPS_PORT); >>>>> >>>>> - ((AbstractHttpClient) >>>> >>>> client).getAuthSchemes().register(AuthPolicy.SPNEGO, new >>>> SPNegoSchemeFactory(stripPort)); >>>>> >>>>> + ((AbstractHttpClient) >>>> >>>> client).getAuthSchemes().register(AuthPolicy.SPNEGO, new >>>> SPNegoSchemeFactory(isStripPort(url))); >>>>> >>>>> credentialsProvider.setCredentials(new >>>> >>>> AuthScope(null, -1, null), USE_JAAS_CREDENTIALS); >>>>> >>>>> } else { >>>>> credentialsProvider.setCredentials( >>>>> @@ -403,6 +405,24 @@ public class AuthManager extends ConfigT >>>>> } >>>>> } >>>>> >>>>> + /** >>>>> + * IE and Firefox will always strip port from the url before >>>> >>>> constructing >>>>> >>>>> + * the SPN. Chrome has an option >>>> >>>> (<code>--enable-auth-negotiate-port</code>) >>>>> >>>>> + * to include the port if it differs from <code>80</code> or >>>>> + * <code>443</code>. That behavior can be changed by setting the >>>> >>>> jmeter >>>>> >>>>> + * property <code>kerberos.spnego.strip_port</code>. >>>>> + * >>>>> + * @param url to be checked >>>>> + * @return <code>true</code> when port should omitted in SPN >>>>> + */ >>>>> + private boolean isStripPort(URL url) { >>>>> + if (STRIP_PORT) { >>>>> + return true; >>>>> + } >>>>> + return (url.getPort() == HTTPConstants.DEFAULT_HTTP_PORT || >>>>> + url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); >>>>> + } >>>>> + >>>>> /** {@inheritDoc} */ >>>>> @Override >>>>> public void testStarted() { >>>>> >>>>> Modified: jmeter/trunk/xdocs/changes.xml >>>>> URL: >>>> >>>> >>>> http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1611785&r1=1611784&r2=1611785&view=diff >>>>> >>>>> >>>> >>>> ============================================================================== >>>>> >>>>> --- jmeter/trunk/xdocs/changes.xml (original) >>>>> +++ jmeter/trunk/xdocs/changes.xml Fri Jul 18 20:05:59 2014 >>>>> @@ -213,7 +213,7 @@ A workaround is to use a Java 7 update 4 >>>>> <h3>Timers, Assertions, Config, Pre- & Post-Processors</h3> >>>>> <ul> >>>>> <li><bugzilla>56691</bugzilla> - Synchronizing Timer : Add timeout >>>> >>>> on waiting</li> >>>>> >>>>> -<li><bugzilla>56701</bugzilla> - HTTP Authorization Manager/ >>>> >>>> Kerberos Authentication: add port to SPN when server port is neither 80 >>>> nor 443</li> >>>>> >>>>> +<li><bugzilla>56701</bugzilla> - HTTP Authorization Manager/ >>>> >>>> Kerberos Authentication: add port to SPN when server port is neither 80 >>>> nor 443. Based on patches from Dan Haughey (dan.haughey at >>>> swinton.co.uk) and Felix Schumacher (felix.schumacher at >>>> internetallee.de)</li> >>>>> >>>>> </ul> >>>>> >>>>> <h3>Functions</h3> >>>>> @@ -253,6 +253,8 @@ A workaround is to use a Java 7 update 4 >>>>> <li>Nicola Ambrosetti (ambrosetti.nicola at gmail.com)</li> >>>>> <li><a href="http://ubikloadpack.com";>Ubik Load Pack >>>> >>>> support</a></li> >>>>> >>>>> <li>Mikhail Epikhin (epihin-m at yandex.ru)</li> >>>>> +<li>Dan Haughey (dan.haughey at swinton.co.uk)</li> >>>>> +<li>Felix Schumacher (felix.schumacher at internetallee.de)</li> >>>>> </ul> >>>>> >>>>> <br/> >>>>> >>>>> Modified: jmeter/trunk/xdocs/usermanual/component_reference.xml >>>>> URL: >>>> >>>> >>>> http://svn.apache.org/viewvc/jmeter/trunk/xdocs/usermanual/component_reference.xml?rev=1611785&r1=1611784&r2=1611785&view=diff >>>>> >>>>> >>>> >>>> ============================================================================== >>>>> >>>>> --- jmeter/trunk/xdocs/usermanual/component_reference.xml (original) >>>>> +++ jmeter/trunk/xdocs/usermanual/component_reference.xml Fri Jul 18 >>>> >>>> 20:05:59 2014 >>>>> >>>>> @@ -3545,6 +3545,18 @@ You can also configure those two propert >>>>> Look at the two sample configuration files (krb5.conf and jaas.conf) >>>> >>>> located in the jmeter bin folder for references to more documentation, >>>> and tweak them to match >>>>> >>>>> your Kerberos configuration. >>>>> </p> >>>>> +<p> >>>>> +When generating a SPN for Kerberos SPNEGO authentication IE and >>>> >>>> Firefox will omit the port number >>>>> >>>>> +from the url. Chrome has an option >>>> >>>> (<code>--enable-auth-negotiate-port</code>) to include the port >>>>> >>>>> +number if it differs from the standard ones (<code>80</code> and >>>> >>>> <code>443</code>). That behavior >>>>> >>>>> +can be emulated by setting the following jmeter property as below. >>>>> +<pre> >>>>> +In jmeter.properties or user.properties, set: >>>>> +<ul> >>>>> +<li>kerberos.spnego.strip_port=false</li> >>>>> +</ul> >>>>> +</pre> >>>>> +</p> >>>>> <br></br> >>>>> <b>Controls:</b> >>>>> <ul> >>>>> >>>>> >>> >
