Re: client-side support for Negotiate authentication scheme

Thu, 28 Aug 2008 06:11:14 -0700 

Hi Roman,
nice for the code. Because I only changes the code of the JAX-RS extension, this is a job for Jerome or Thierry. I hope they will include it. 

best regards
  Stephan

Roman Geus schrieb:

Hi Stephan


The NegotiateFilter, together with an example client and server is 
attached to this post.



You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing 
is needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic

authentication on both the client and the server side. The server 
accepts both

SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.


The code has only been tested in a Windows Active Directory 
environment but

should work with any Kerberos v5 infrastructure.


The code has been tested with Restlet 1.1rc1 with a patched version 
of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader() 


method (see mailing list).


The jaas.conf file and the some constants in ExampleClient.java and 
some system

properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman


Stephan Koops wrote:

Hi Roman,


cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus schrieb:

Hi all


I have been working on a Filter that implements client and server 
side HTTP Negotiate and Basic authentication. The code is based on 
Bruno Harbulot's nice SpnegoFilter.



Everything works fine so far. However to get the client-side 
authentication working I had to change the parseAuthenticateHeader() 
method in the com.noelios.restlet.authentication.AuthenticationUtils 
class a bit.



The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in 
the authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix for this problem?

The diff for my quick fix is attached.

Best regards,
Roman

























					Reply via email to