Would you be willing to submit a patch for this? Colm.
On Mon, Apr 27, 2015 at 5:44 PM, David Mansfield <[email protected]> wrote:

> Hi All,
>
> Most (*) SPNEGO client implementations will canonicalize a host name when
> using it to create a service principal.
>
> CXF seems to be an exception. If a CNAME is used, say:
> mywebservice.example.com is a CNAME for
> sysadmins-like-really-long-hostnames.example.com, most setups will expect
> a request for HTTP/
> [email protected]. In this
> case, CXF will not be able to authenticate.
>
> I note, it IS possible to specify the servicePrincipalName directly, but
> that breaks the transparency of using a CNAME in the first place, as the
> configuration will need to reference the specific back-end providing the
> service.
>
> Providing hostname canonicalization will fix the need to "know" about the
> details behind the scenes.
>
> As this behavior would be a defaults-changing one, maybe we could add
> useCanonicalHostname=true/false (default false I guess).
>
> Implementation-wise, I think you need to get the socket, and then:
>
> socket.getInetAddress().getCanonicalHostName()
>
> This would replace:
> uri.getHost()
>
> that is currently used in
> org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier
>
>
> (*) Most that I have personally used :-)
>
> --
> Thanks,
> David Mansfield
> Cobite, INC.
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
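A sketch of the `useCanonicalHostname` switch proposed in the quoted message, added here as an example; it is not CXF code and not code from either poster. The class, the method names and the injected resolver are hypothetical, and the resolver used in `main` is a constructed stand-in for DNS so the example runs offline.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added illustration; names are hypothetical, not part of CXF.
public class SpnHostExample {

    // Default resolver: forward lookup, then the JDK's canonical-name lookup.
    static String dnsCanonical(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return host; // unresolvable: keep the name taken from the URL
        }
    }

    // True when the resolver handed back an address literal instead of a name.
    static boolean isAddressLiteral(String s) {
        return s.indexOf(':') >= 0 || s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    static String servicePrincipal(URI uri, boolean useCanonicalHostname,
                                   UnaryOperator<String> resolver) {
        String host = uri.getHost();
        if (useCanonicalHostname) {
            String canonical = resolver.apply(host);
            // getCanonicalHostName() returns the textual IP when no name is found;
            // fall back to the URL host rather than ask for a ticket for "HTTP/<ip>".
            if (canonical != null && !canonical.isEmpty() && !isAddressLiteral(canonical)) {
                host = canonical;
            }
        }
        return "HTTP/" + host;
    }

    public static void main(String[] args) {
        // Constructed mapping standing in for DNS, using the thread's example names.
        Map<String, String> cname = Map.of("mywebservice.example.com",
                "sysadmins-like-really-long-hostnames.example.com");
        UnaryOperator<String> fake = h -> cname.getOrDefault(h, "192.0.2.10");
        URI uri = URI.create("http://mywebservice.example.com/service");
        System.out.println(servicePrincipal(uri, false, fake)); // flag off: URL host
        System.out.println(servicePrincipal(uri, true, fake));  // flag on: canonical name
        // No canonical name available: resolver returns an IP, URL host is kept.
        System.out.println(servicePrincipal(URI.create("http://other.example.com/"), true, fake));
        // Against real DNS: servicePrincipal(uri, true, SpnHostExample::dnsCanonical)
    }
}
```

With canonicalization enabled, the principal the client requests a ticket for is derived from DNS answers rather than from the URL alone, so it is only as trustworthy as the resolver path the client uses.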
