Posted to dev@manifoldcf.apache.org by Karl Wright <kw...@metacarta.com> on 2010/02/24 14:01:52 UTC

[Fwd: [jira] Commented: (HTTPCLIENT-917) When authentication is invalidated during redirection, proxy authentication also should be invalidated]

Please see the response from Oleg Kalnichevski on the HttpClient team, pertaining to my submitted NTLM patch.

Reading between the lines, it's apparently the policy of Apache Legal to avoid any involvement that may *potentially* run afoul 
of commercial IP.  They don't have to actually have reason to believe that Apache code would infringe; the mere potential is enough.

If that is indeed the legal policy, we'll have to find some way to address this problem in LCF.  By my estimate, that would mean 
we could deliver only the file system connector completely free of all such restrictions.  We may be able to release a 
watered-down RSS and Web connector as well, but basically we'd need to find a way to make available a real NTLM implementation 
to people - and by definition, that can't be through Apache.

I'm going to talk this issue over with people here - maybe we can set up an open-source project here whose sole purpose is to 
add NTLM support to HttpClient.

Karl




Re: [Fwd: [jira] Commented: (HTTPCLIENT-917) When authentication is invalidated during redirection, proxy authentication also should be invalidated]

Posted by Grant Ingersoll <gs...@apache.org>.
On Feb 24, 2010, at 12:12 PM, Karl Wright wrote:

> Karl Wright wrote:
>> Please see the response from Oleg Kalnichevski on the HttpClient team, pertaining to my submitted NTLM patch.
>> Reading between the lines, it's apparently the policy of Apache Legal to avoid any involvement that may *potentially* run afoul of commercial IP.  They don't have to actually have reason to believe that Apache code would infringe; the mere potential is enough.
>> If that is indeed the legal policy, we'll have to find some way to address this problem in LCF.  By my estimate, that would mean we could deliver only the file system connector completely free of all such restrictions.  We may be able to release a watered-down RSS and Web connector as well, but basically we'd need to find a way to make available a real NTLM implementation to people - and by definition, that can't be through Apache.
>> I'm going to talk this issue over with people here - maybe we can set up an open-source project here whose sole purpose is to add NTLM support to HttpClient.
>> Karl
> 
> The recommendation from people here is to perhaps do an HttpClient 4.x addon, also Apache licensed, hosted by Google Code.  We'd want to set it up, of course, so that mere addition of the addon jar out of that project will enable NTLM support in HttpClient.  Otherwise, everything should still build and work - except if NTLM is in use, where some error would be returned instead.

I think we should probably talk specifics on legal-discuss@ with presuming what they say.  Oleg, below, was not saying Legal had rejected it and he was not speaking for legal.  The key is to describe concisely what we are looking to do and then ask for options.


> 
> Alternatively, if nobody likes the Google Code idea, does lucidimagination want to get involved?  Or can anybody see another solution?
> 
> Karl
> 
> 
>> ------------------------------------------------------------------------
>> Subject:
>> [jira] Commented: (HTTPCLIENT-917) When authentication is invalidated during redirection, proxy authentication also should be invalidated
>> From:
>> "Oleg Kalnichevski (JIRA)" <ji...@apache.org>
>> Date:
>> Wed, 24 Feb 2010 12:28:27 +0000 (UTC)
>> To:
>> kwright@metacarta.com
>>    [ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837757#action_12837757 ] Oleg Kalnichevski commented on HTTPCLIENT-917:
>> ----------------------------------------------
>> I am not a patent lawyer, so whatever I have to say on the matter has no bearing whatsoever. The only group of people that can make definitive statements on the matter is the ASF legal committee. If they decide it is okay to use algorithms in the ASF code that may _potentially_ be covered by patents held by Microsoft, the matter would be settled. However, given the fact they have been unable to make up their mind about the use of LGPL code in ASF code for years, I would not be holding my breath.
>> Welcome to the wonderful world of ASF bureaucracy.
>> Until this matter is decided upon by the ASF legal people I _personally_ will not touch Microsoft-specific code with a barge pole. If MetaCarta, Inc have enough lawyers sitting around, good for you. I am just a regular guy writing code in his spare time. A mere potential threat of a lawsuit is enough for me.  I am aware of multiple open-source implementations of the NTLM protocol. However this is not a copyright matter, but that of intellectual property rights. This is about a liability for the use of Microsoft IP in commercial products, not for writing open-source code. The existence of open-source implementations does not prove or disprove anything.
>>> When authentication is invalidated during redirection, proxy authentication also should be invalidated
>>> ------------------------------------------------------------------------------------------------------
>>> 
>>>                Key: HTTPCLIENT-917
>>>                URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
>>>            Project: HttpComponents HttpClient
>>>         Issue Type: Bug
>>>         Components: HttpClient
>>>   Affects Versions: 3.1 Final
>>>           Reporter: Karl Wright
>>>        Attachments: proxy-auth-invalidate.patch
>>> 
>>> 
>>> This was discovered during use by Lucene Connector Framework, on 3.1.
>>> When a document is fetched through a proxy authenticated with NTLM, and
>>> that document is a redirection (301 or 302), the httpclient fails to
>>> properly use the right proxy credentials on the subsequent document
>>> fetch. This leads to 407 errors on these kinds of documents.
>>> I've attached a proposed patch.
> 
> 
> 
> 



Re: [Fwd: [jira] Commented: (HTTPCLIENT-917) When authentication is invalidated during redirection, proxy authentication also should be invalidated]

Posted by Karl Wright <kw...@metacarta.com>.
Karl Wright wrote:
> Please see the response from Oleg Kalnichevski on the HttpClient team, 
> pertaining to my submitted NTLM patch.
> 
> Reading between the lines, it's apparently the policy of Apache Legal to 
> avoid any involvement that may *potentially* run afoul of commercial 
> IP.  They don't have to actually have reason to believe that Apache code 
> would infringe; the mere potential is enough.
> 
> If that is indeed the legal policy, we'll have to find some way to 
> address this problem in LCF.  By my estimate, that would mean we could 
> deliver only the file system connector completely free of all such 
> restrictions.  We may be able to release a watered-down RSS and Web 
> connector as well, but basically we'd need to find a way to make 
> available a real NTLM implementation to people - and by definition, that 
> can't be through Apache.
> 
> I'm going to talk this issue over with people here - maybe we can set up 
> an open-source project here whose sole purpose is to add NTLM support to 
> HttpClient.
> 
> Karl
> 
> 

The recommendation from people here is to perhaps do an HttpClient 4.x addon, also Apache licensed, hosted by Google Code.  We'd 
want to set it up, of course, so that mere addition of the addon jar out of that project will enable NTLM support in HttpClient.
Otherwise, everything should still build and work - except if NTLM is in use, where some error would be returned instead.

Alternatively, if nobody likes the Google Code idea, does lucidimagination want to get involved?  Or can anybody see another
solution?

Karl


> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [jira] Commented: (HTTPCLIENT-917) When authentication is invalidated 
> during redirection, proxy authentication also should be invalidated
> From:
> "Oleg Kalnichevski (JIRA)" <ji...@apache.org>
> Date:
> Wed, 24 Feb 2010 12:28:27 +0000 (UTC)
> To:
> kwright@metacarta.com
> 
> 
> 
>     [ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837757#action_12837757 ] 
> 
> Oleg Kalnichevski commented on HTTPCLIENT-917:
> ----------------------------------------------
> 
> I am not a patent lawyer, so whatever I have to say on the matter has no bearing whatsoever. The only group of people that can make definitive statements on the matter is the ASF legal committee. If they decide it is okay to use algorithms in the ASF code that may _potentially_ be covered by patents held by Microsoft, the matter would be settled. However, given the fact they have been unable to make up their mind about the use of LGPL code in ASF code for years, I would not be holding my breath.
> 
> Welcome to the wonderful world of ASF bureaucracy.
> 
> Until this matter is decided upon by the ASF legal people I _personally_ will not touch Microsoft-specific code with a barge pole. If MetaCarta, Inc have enough lawyers sitting around, good for you. I am just a regular guy writing code in his spare time. A mere potential threat of a lawsuit is enough for me.
> 
> I am aware of multiple open-source implementations of the NTLM protocol. However this is not a copyright matter, but that of intellectual property rights. This is about a liability for the use of Microsoft IP in commercial products, not for writing open-source code. The existence of open-source implementations does not prove or disprove anything.
> 
>> When authentication is invalidated during redirection, proxy authentication also should be invalidated
>> ------------------------------------------------------------------------------------------------------
>>
>>                 Key: HTTPCLIENT-917
>>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
>>             Project: HttpComponents HttpClient
>>          Issue Type: Bug
>>          Components: HttpClient
>>    Affects Versions: 3.1 Final
>>            Reporter: Karl Wright
>>         Attachments: proxy-auth-invalidate.patch
>>
>>
>> This was discovered during use by Lucene Connector Framework, on 3.1.
>> When a document is fetched through a proxy authenticated with NTLM, and
>> that document is a redirection (301 or 302), the httpclient fails to
>> properly use the right proxy credentials on the subsequent document
>> fetch. This leads to 407 errors on these kinds of documents.
>> I've attached a proposed patch.
>