Hi All,
Most (*) SPNEGO client implementations will canonicalize a host name
when using it to create a service principal.
CXF seems to be an exception. If a CNAME is used, say:
mywebservice.example.com is a CNAME for
sysadmins-like-really-long-hostnames.example.com, most setups will
expect a request for
HTTP/[email protected]. In
this case, CXF will not be able to authenticate.
I note it IS possible to specify the servicePrincipalName directly, but
that breaks the transparency of using a CNAME in the first place, as the
configuration will need to reference the specific back-end providing the
service.
Providing hostname canonicalization will fix the need to "know" about
the details behind the scenes.
As this behavior would be a defaults-changing one, maybe we could add
useCanonicalHostname=true/false (default false I guess).
Implementation-wise, I think you need to get the socket, and then:
socket.getInetAddress().getCanonicalHostName()
This would replace:
uri.getHost()
that is currently used in
org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier
(*) Most that I have personally used :-)
--
Thanks,
David Mansfield
Cobite, INC.
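An added example, not code from this message or from Apache CXF, showing the shape of the proposed change: a small SPN builder with a hypothetical useCanonicalHostname switch that either uses uri.getHost() as today or canonicalizes it first. The canonicalizer is injectable so the example runs offline against a constructed CNAME mapping for the names used above; the default implementation resolves the URI host with InetAddress and calls getCanonicalHostName(), which is a reverse (PTR) lookup, rather than taking the address from an already-connected socket as the message proposes. The class name, the option name and the fallback behaviour are all assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.function.Function;

/**
 * Builds the SPNEGO service principal name (HTTP/host) for an endpoint URI.
 * Hypothetical illustration of a useCanonicalHostname option; not CXF code.
 */
public final class SpnBuilder {

    private final boolean useCanonicalHostname;            // assumed option name from the proposal
    private final Function<String, String> canonicalizer;  // host -> canonical host; injectable for offline tests

    public SpnBuilder(boolean useCanonicalHostname, Function<String, String> canonicalizer) {
        this.useCanonicalHostname = useCanonicalHostname;
        this.canonicalizer = canonicalizer;
    }

    /** Uses the JVM resolver: InetAddress.getCanonicalHostName() performs a reverse (PTR) lookup. */
    public static SpnBuilder withSystemResolver(boolean useCanonicalHostname) {
        return new SpnBuilder(useCanonicalHostname, SpnBuilder::systemCanonicalize);
    }

    static String systemCanonicalize(String host) {
        try {
            InetAddress addr = InetAddress.getByName(host);
            String canonical = addr.getCanonicalHostName();
            // When the reverse lookup fails, Java hands back the address literal. An SPN such as
            // HTTP/10.0.0.5 is unlikely to exist in the KDC, so fall back to the name from the URI
            // instead of producing a principal that cannot be authenticated later.
            if (canonical.equals(addr.getHostAddress())) {
                return host;
            }
            return canonical;
        } catch (UnknownHostException e) {
            return host;  // assumed policy: unresolvable name keeps current behaviour
        }
    }

    /** Current behaviour is "HTTP/" + uri.getHost(); the flag swaps in the canonical name. */
    public String servicePrincipalName(URI uri) {
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URI has no host component: " + uri);
        }
        String spnHost = useCanonicalHostname ? canonicalizer.apply(host) : host;
        return "HTTP/" + spnHost;
    }

    public static void main(String[] args) {
        // Constructed, offline stand-in for DNS: the alias and its CNAME target from the message.
        Map<String, String> fakeDns = Map.of(
            "mywebservice.example.com", "sysadmins-like-really-long-hostnames.example.com");
        Function<String, String> fakeResolver = h -> fakeDns.getOrDefault(h, h);

        URI endpoint = URI.create("https://mywebservice.example.com/ws/hello");
        System.out.println(new SpnBuilder(false, fakeResolver).servicePrincipalName(endpoint));
        System.out.println(new SpnBuilder(true, fakeResolver).servicePrincipalName(endpoint));
    }
}
```

With the flag off the first line is built from the alias in the URI; with it on, the second line carries the CNAME target, which is the principal the setups described above would expect. Two caveats for anyone implementing this for real: getCanonicalHostName() depends on the PTR record for the resolved address, so the result is whatever reverse DNS says, not necessarily the CNAME target the forward lookup went through; and choosing the SPN from DNS answers means a party who can tamper with DNS can steer the client into requesting a ticket for a principal of their choosing, which is the reason MIT Kerberos exposes rdns and dns_canonicalize_hostname as settings rather than canonicalizing unconditionally. Keeping the option off by default, as suggested above, sidesteps both for existing deployments.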