Posted to dev@hc.apache.org by "Balouin (Jira)" <ji...@apache.org> on 2021/06/11 12:17:00 UTC

[jira] [Created] (HTTPCLIENT-2162) SSPI-based auth might fail if output token size is too small

Balouin created HTTPCLIENT-2162:
-----------------------------------

             Summary: SSPI-based auth might fail if output token size is too small
                 Key: HTTPCLIENT-2162
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2162
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 4.5
         Environment: RTC v6061
Apache v4.5
            Reporter: Balouin


This bug refers to a previous Apache bug https://issues.apache.org/jira/browse/HTTPCLIENT-1582 for the same token size issue.

We have a customer who reported the following related issue: The Integrated Windows Authentication in RTC clients (both Eclipse and Visual Studio) doesn't work when the user's token size is higher than 12288 bytes, because the Apache HTTP library used by RTC uses this hardcoded constant that is too small.

The involved users are from i-micro and i-method teams and they are technical referents for the developers respectively local and mainframe.
So they have access to a lot of data, which gives them a much bigger security token because it contains more information than a "normal" developer.
Potentially about a hundred users are impacted with this IWA problem.

We would therefore like to submit a pull request for your team.

Indeed they found a solution, but it first needs to be fixed in Apache and then, the RTC/Foundation development team would deliver a final solution with that fix.
The patch does not modify the Sspi.MAX_TOKEN_SIZE constant in JNA.
It adds a change to org.apache.http.impl.auth.win.WindowsNegotiateScheme#getToken in order to either use the existing Sspi.MAX_TOKEN_SIZE constant or, when present, use instead the org.apache.http.maxKerberosTokenSize property.
This allows specifying for example "-Dorg.apache.http.maxKerberosTokenSize=32767" on the Java command line (or in eclipse.ini, scm.ini, etc.) in order to allocate a bigger buffer to fit the Kerberos token.

Thanks for your help.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
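Added example, not HttpClient's code and not the reporter's patch: a small Java class showing how the buffer-size policy described in the report can be implemented and checked without JNA or a Windows box. It assumes the property name from the report (org.apache.http.maxKerberosTokenSize), uses 12288 as the default because that is the JNA Sspi.MAX_TOKEN_SIZE value the report mentions, and adds two rules the report does not state (assumptions): a configured value smaller than the default is ignored, since shrinking the buffer only reintroduces the failure, and an upper cap prevents a typo from requesting a huge native buffer. The HARD_CAP value and the tokenFits helper are likewise assumptions for illustration. In real code the resolved size would replace the constant in the allocation, i.e. new Sspi.SecBufferDesc(Sspi.SECBUFFER_TOKEN, size) instead of Sspi.MAX_TOKEN_SIZE.

```java
import java.util.Locale;

/**
 * Chooses the SSPI output-token buffer size for Negotiate/Kerberos.
 * Added example; not part of HttpClient or the reporter's patch.
 */
public final class TokenBufferSize {

    /** Value of JNA's Sspi.MAX_TOKEN_SIZE (12288 bytes), the hardcoded size the report describes. */
    public static final int JNA_DEFAULT = 12288;

    /** Assumed upper bound so a mistyped property cannot request an enormous native buffer. */
    public static final int HARD_CAP = 1 << 20; // 1 MiB, assumption

    /** Property name as proposed in the report (assumed spelling). */
    public static final String PROPERTY = "org.apache.http.maxKerberosTokenSize";

    private TokenBufferSize() {
    }

    /** Reads the JVM system property and falls back to the JNA default when it is absent. */
    public static int resolve() {
        return resolve(System.getProperty(PROPERTY), JNA_DEFAULT);
    }

    /**
     * Pure policy function so it can be unit tested anywhere.
     * Rules (assumptions, not from the report):
     *  - unset, blank or non-numeric value  -> defaultSize
     *  - value below defaultSize            -> defaultSize (never shrink the buffer)
     *  - value above HARD_CAP               -> HARD_CAP
     */
    static int resolve(String raw, int defaultSize) {
        if (raw == null || raw.trim().isEmpty()) {
            return defaultSize;
        }
        final int requested;
        try {
            requested = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return defaultSize;
        }
        if (requested < defaultSize) {
            return defaultSize;
        }
        return Math.min(requested, HARD_CAP);
    }

    /**
     * Models the condition behind the reported failure: a token produced by the
     * security package only fits if its length does not exceed the output buffer.
     * Hypothetical helper for illustration.
     */
    static boolean tokenFits(int producedTokenLength, int bufferSize) {
        return producedTokenLength <= bufferSize;
    }

    public static void main(String[] args) {
        // Constructed inputs; the 20000-byte token stands in for a user with many
        // group memberships, as described in the report.
        final int bigToken = 20000;
        final String[] samples = {null, "32767", "1024", "abc", "99999999"};
        for (String s : samples) {
            final int size = resolve(s, JNA_DEFAULT);
            System.out.println(String.format(Locale.ROOT,
                    "property=%-9s buffer=%7d bigTokenFits=%b",
                    s == null ? "<unset>" : s, size, tokenFits(bigToken, size)));
        }
    }
}
```

With the property unset the buffer stays at 12288 and the 20000-byte token does not fit, which is the failure the report describes; with -Dorg.apache.http.maxKerberosTokenSize=32767 it does. Keeping the policy in a pure function means the sizing rule can be tested in CI on any platform, while the native SecBufferDesc allocation only happens on Windows.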