Yes. Does the below summary sound ok? Not sure how can I get the
socket reference in the auth supplier, but I haven't really looked too hard.
Once I have it ready, I can do a pull request in github or a patch here
or whatever. What's your preference?
The document http://cxf.apache.org/coding-guidelines.html doesn't seem
too stringent, I'll be careful I promise!
Thanks,
David
On 04/28/2015 06:54 AM, Colm O hEigeartaigh wrote:
Would you be willing to submit a patch for this?
Colm.
On Mon, Apr 27, 2015 at 5:44 PM, David Mansfield <[email protected]> wrote:
Hi All,
Most (*) SPNEGO client implementations will canonicalize a host name when
using it to create a service principal.
CXF seems to be an exception. If a CNAME is used, say:
mywebservice.example.com is a CNAME for
sysadmins-like-really-long-hostnames.example.com, most setups will expect
a request for HTTP/
[email protected]. In this
case, CXF will not be able to authenticate.
I note, is IS possible to specify the servicePrincipalName directly, but
that breaks the transparency of using a CNAME in the first place, as the
configuration will need to reference the specific back-end providing the
service.
Providing hostname canonicalization will fix the need to "know" about the
details behind the scenes.
As this behavior would be a defaults-changing one, maybe we could add
useCanonicalHostname=true/false (default false I guess).
Implementation-wise, I think you need to get the socket, and then:
socket.getInetAddress().getCanonicalHostName()
This would replace:
uri.getHost()
that is currently used in
org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier
(*) Most that I have personally used :-)
--
Thanks,
David Mansfield
Cobite, INC.
