Thanks for handling, Artem. I'll leave the main review to someone more
knowledgeable with http authentication schemes but can I suggest that
you print the AuthenticationHeader.authPref string out with the
"Negotiate process failed, fallback" logger message. It's a useful
variable to capture.
Regards,
Sean.
On 07/10/2015 12:19, Artem Smotrakov wrote:
Hello,
Please review this for 9.
According to [1], an HTTP client should try to use another HTTP
authentication scheme if negotiate process failed for some reason, and
a user didn't specify SPNEGO or Kerberos in "http.auth.preference"
system property. But no fallback happens if, for example:
- an HTTP server supports both Negotiate (via Kerberos) and Basic
authentication schemes
- first, a user provides correct Kerberos credentials, and a
connection is successfully established with Negotiate scheme
- then, a user provides wrong Kerberos credentials, but correct Basic
credentials
This fix updates HttpURLConnection to try another authentication
scheme if negotiate process failed, and SPNEGO and Kerberos schemes are
not preferred. The fix may be shorter, for example:
if ( serverAuthentication != null || inNegotiate &&
!"negotiate".equals(AuthenticationHeader.authPref)) {
, but I thought that some logging might be helpful.
Also added a test which checks this and a couple of other scenarios
work fine.
Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
[1] https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
Artem
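
The fallback rule described in the message above, as a simplified model added here; it is not part of the original thread and not the JDK's own code. The class name, the choose() and normalizePref() helpers, and the default scheme order are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the scheme choice discussed in the thread; not JDK source.
public class AuthFallbackModel {
    // Assumed order used when no preference applies (illustrative only).
    static final List<String> DEFAULT_ORDER = Arrays.asList("negotiate", "digest", "basic");

    // "http.auth.preference" set to SPNEGO or Kerberos both mean the Negotiate scheme.
    static String normalizePref(String pref) {
        if (pref == null) return null;
        String p = pref.toLowerCase(Locale.ROOT);
        return (p.equals("spnego") || p.equals("kerberos")) ? "negotiate" : p;
    }

    // Returns the scheme to try next, or null if the client should stop.
    // negotiateFailed models the "negotiate process failed" state from the message.
    static String choose(Set<String> offered, String pref, boolean negotiateFailed) {
        String authPref = normalizePref(pref);
        if (negotiateFailed && "negotiate".equals(authPref)) {
            return null; // the user asked for SPNEGO/Kerberos: no fallback
        }
        if (authPref != null && offered.contains(authPref)) {
            return authPref; // an explicit, available preference wins
        }
        for (String scheme : DEFAULT_ORDER) {
            if (negotiateFailed && scheme.equals("negotiate")) continue; // already failed
            if (offered.contains(scheme)) return scheme;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed server offer matching the scenario in the message.
        Set<String> offered = new HashSet<>(Arrays.asList("negotiate", "basic"));
        String[] prefs = { null, null, "SPNEGO", "basic" };
        boolean[] failed = { false, true, true, false };
        for (int i = 0; i < prefs.length; i++) {
            System.out.printf("authPref=%s negotiateFailed=%b -> %s%n",
                    prefs[i], failed[i], choose(offered, prefs[i], failed[i]));
        }
    }
}
```

In this model, the second case is the one the fix addresses: Negotiate has failed, no preference is set, and the client moves on to Basic. Setting the property to SPNEGO or Kerberos is what keeps the client from falling back.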