Posted to commits@hc.apache.org by ol...@apache.org on 2009/10/12 18:26:38 UTC
svn commit: r824409 - in /httpcomponents/httpclient/trunk: ./
httpclient/src/examples/org/apache/http/examples/client/
httpclient/src/main/java/org/apache/http/impl/auth/ src/docbkx/
Author: olegk
Date: Mon Oct 12 16:26:38 2009
New Revision: 824409
URL: http://svn.apache.org/viewvc?rev=824409&view=rev
Log:
* Removed superfluous SpnegoCreate flag
* Finalized SPNEGO example and tutorial
Modified:
httpcomponents/httpclient/trunk/RELEASE_NOTES.txt
httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java
httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java
httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
httpcomponents/httpclient/trunk/src/docbkx/authentication.xml
Modified: httpcomponents/httpclient/trunk/RELEASE_NOTES.txt
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/RELEASE_NOTES.txt?rev=824409&r1=824408&r2=824409&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/RELEASE_NOTES.txt (original)
+++ httpcomponents/httpclient/trunk/RELEASE_NOTES.txt Mon Oct 12 16:26:38 2009
@@ -1,6 +1,9 @@
Changes since 4.0
-------------------
+* [HTTPCLIENT-523] Support for SPNEGO authentication scheme.
+ Contributed by Matthew Stevenson <mavricknzwork at yahoo.com>
+
* Simplified configuration of connection managers. Total connection maximum
and maximum connection per route limits can be set using methods of
the class instead of HTTP parameters.
Modified: httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java?rev=824409&r1=824408&r2=824409&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java Mon Oct 12 16:26:38 2009
@@ -44,21 +44,14 @@
* <p><b>Information</b></p>
* <p>For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more
completely.</p>
- * <p><em>NegotiateSchemeFactory</em></p>
- * <p>Has three custom methods</p>
- * <p><em>setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
- * service name if true. Found useful with JbossNegotiation. Java >= 1.5</p>
- *
- * <p>Below are for Java 1.5.</p>
- *
- * <p><em>setSpnegoCreate(boolean)</em> - defaults to false, try to create an SPNEGO token via
- * the token set in setSpengoGenerator. TODO - merge logic so just setSpengoGenerator</p>
- *
- * <p><em>setSpengoGenerator(new SpnegoTokenGenerator())</em> - default is null, class to use to wrap
+ * <p><em>NegotiateSchemeFactory</em> kas two custom methods</p>
+ * <p><em>#setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
+ * service name if true. Found useful with JBoss Negotiation. Can be used with Java >= 1.5</p>
+ * <p><em>#setSpengoGenerator(SpnegoTokenGenerator)</em> - default is null, class to use to wrap
* kerberos token. An example is in contrib - <em>org.apache.http.contrib.auth.BouncySpnegoTokenGenerator</em>.
- * Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>
+ * Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>.
+ * Useful with Java 1.5.
* </p>
- *
* <p><b>Addtional Config Files</b></p>
* <p>Two files control how Java uses/configures Kerberos. Very basic examples are below. There
* is a large amount of information on the web.</p>
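Review bot: The added Javadoc line for NegotiateSchemeFactory has a typo, "kas two custom methods" should read "has two custom methods", and the #setStripPort line carried over "with strip the port", which should be "will strip the port". The heading "Addtional Config Files" in the trailing context is also misspelled and could be fixed in the same pass.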
@@ -134,15 +127,8 @@
DefaultHttpClient httpclient = new DefaultHttpClient();
- /*
- * NegotiateSchemeFactory creates the NegotiateScheme instance to be use for each request
- * if using Java 5/6 and IIS7 you can just use the defaults.
- * JbossNegotiate use setStripPort(true), or add service names with ports to kerberos DB.
- * JbossNegotiate needs Java 6 or a SpengoGenerator.
- */
NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
// nsf.setStripPort(false);
-// nsf.setSpnegoCreate(true);
// nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
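Review bot: Removing the block comment above the factory leaves the two commented-out calls (setStripPort and setSpengoGenerator) with no explanation of when a reader should enable them. The deleted text was the only place in the example body that said the defaults are enough for IIS7 and that JBoss needs Java 6 or a generator. Either keep a one-line comment pointing to the class Javadoc, or delete the commented-out calls as well so the example does not carry dead code.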
Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java?rev=824409&r1=824408&r2=824409&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java Mon Oct 12 16:26:38 2009
@@ -67,10 +67,6 @@
* Probably a debatable addition.
*/
private boolean stripPort = false;
- /* spnegoCreate is used to generate an SPNEGO wrapper around
- * for JDKs < 1.6.
- */
- private boolean spnegoCreate = false;
private SpnegoTokenGenerator spengoGenerator = null;
@@ -217,9 +213,9 @@
* IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
* seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
*/
- if(isSpnegoCreate() && negotiationOid.toString().equals(KERBEROS_OID)
- && spengoGenerator != null )
+ if (spengoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
token = spengoGenerator.generateSpnegoDERObject(token);
+ }
if (log.isDebugEnabled()) {
log.info("got token, sending " + token.length + " bytes to server");
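Review bot: With the flag gone, the new condition wraps the token whenever a generator is set and the negotiated OID is Kerberos, but nothing is logged when that happens, so a server rejection cannot be traced to wrapped versus raw tokens. A debug line inside the new braces saying the Kerberos token was wrapped into SPNEGO would help. The context line just below also guards log.info with log.isDebugEnabled(), so the message is emitted at INFO only when DEBUG is on; log.debug looks like what was intended.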
@@ -326,24 +322,6 @@
}
/**
- * Sould an attempt be made to wrap Kerberos ticket up as an SPNEGO token.
- * Use only with Java <= 1.5
- * @return
- */
- public boolean isSpnegoCreate() {
- return spnegoCreate;
- }
-
- /**
- * Set to true if an attempt should be made to wrap Kerberos ticket up as an SPNEGO token.
- * Use only with Java <= 1.5
- * @param spnegocreate - set to true do attempt SPNEGO wrapping
- */
- public void setSpnegoCreate(boolean spnegocreate) {
- spnegoCreate = spnegocreate;
- }
-
- /**
* Inject the class to be used to generate an SPNEGO token from a Kerberos ticket.
* Use only with Java <= 1.5 , tested against Jboss Negotiate.
* @param spengoGenerator - An SpnegoTokenGenerator implementation Class
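Review bot: The Javadoc kept for the generator setter still says "Use only with Java <= 1.5", but after this change the setter is the only switch for wrapping and nothing in the code checks the Java version. The comment should say what the setter now does: a non-null generator causes a Kerberos token to be wrapped into SPNEGO, and null (the default) sends the token unchanged. That would also line it up with the tutorial text, which says "especially useful" with Java 1.5 rather than "only".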
Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java?rev=824409&r1=824408&r2=824409&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java Mon Oct 12 16:26:38 2009
@@ -39,13 +39,11 @@
public class NegotiateSchemeFactory implements AuthSchemeFactory {
private boolean stripPort = false; // strip port off kerb name
- private boolean spnegoCreate = false; // generate an SPNEGO wrapper for JDKs < 1.6.
private SpnegoTokenGenerator spengoGenerator = null;
public AuthScheme newInstance(final HttpParams params) {
NegotiateScheme negotiateScheme = new NegotiateScheme();
negotiateScheme.setStripPort(stripPort);
- negotiateScheme.setSpnegoCreate(spnegoCreate);
negotiateScheme.setSpengoGenerator(spengoGenerator);
return negotiateScheme;
}
@@ -62,14 +60,6 @@
return stripPort;
}
- public void setSpnegoCreate(boolean spnegoCreate) {
- this.spnegoCreate = spnegoCreate;
- }
-
- public boolean isSpnegoCreate() {
- return spnegoCreate;
- }
-
public void setSpengoGenerator(SpnegoTokenGenerator spengoGenerator) {
this.spengoGenerator = spengoGenerator;
}
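Review bot: The public setter left in place here is spelled setSpengoGenerator (and the field spengoGenerator), while the type is SpnegoTokenGenerator and the scheme is SPNEGO. The release notes list SPNEGO support as new since 4.0, so this commit, which already changes the factory's public methods, is a cheap point to rename to setSpnegoGenerator before the misspelling ships in a release. The same rename would apply to NegotiateScheme, the example and authentication.xml.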
Modified: httpcomponents/httpclient/trunk/src/docbkx/authentication.xml
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/src/docbkx/authentication.xml?rev=824409&r1=824408&r2=824409&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/src/docbkx/authentication.xml (original)
+++ httpcomponents/httpclient/trunk/src/docbkx/authentication.xml Mon Oct 12 16:26:38 2009
@@ -422,7 +422,8 @@
<section>
<title><literal>SPNEGO</literal> support in HttpClient</title>
<para><literal>SPNEGO</literal> authentication scheme is compatible with Sun Java
- versions 1.5 and up.</para>
+ versions 1.5 and up. However the use of Java >= 1.6 is strongly recommended as it
+ supports <literal>SPNEGO</literal> authentication more completely.</para>
<para>The Sun JRE provides the supporting classes to do nearly all the kerberos and
<literal>SPNEGO</literal> token handling. This means that a lot of the setup is
for the GSS classes. The <classname>NegotiateScheme</classname> is a simple class to
@@ -454,7 +455,7 @@
<section>
<title><literal>login.conf</literal> file</title>
<para>The following configuration is a basic setup that works in Windows XP against both
- <literal>IIS7</literal> and <literal>JbossNegotiate</literal> modules.</para>
+ <literal>IIS</literal> and <literal>JBoss Negotiation</literal> modules.</para>
<para>The system property <literal>java.security.auth.login.config</literal> can be use
to point at the <literal>login.conf</literal> file.</para>
<para><literal>login.conf</literal> content may look like the following:</para>
@@ -536,24 +537,16 @@
<classname>NegotiateSchemeFactory</classname>. </para>
<section>
<title>
- <methodname>setStripPort</methodname>
+ <methodname>#setStripPort(boolean)</methodname>
</title>
<para>Strips the port off service names e.g.
<literal>HTTP/webserver.ad.example.net:8080</literal> ->
<literal>HTTP/webserver.ad.example.net</literal></para>
- <para>Found it useful when using JbossNegotiation.</para>
+ <para>Found it useful when authenticating against JBoss Negotiation.</para>
</section>
<section>
<title>
- <methodname>setSpnegoCreate</methodname>
- </title>
- <para>If using Java 1.5 or a Kerberos ticket an attempt will be made to wrap it up
- into a <literal>SPNEGO</literal> token. Again for JbossNegotiation. II7 accepts
- plain Kerberos tickets.</para>
- </section>
- <section>
- <title>
- <methodname>setSpengoGenerator</methodname>
+ <methodname>#setSpengoGenerator(SpnegoTokenGenerator)</methodname>
</title>
<para>Use this method to inject a custom
<interfacename>SpnegoTokenGenerator</interfacename> class to do the Kerberos
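Review bot: The new titles put a Javadoc-style "#" and the parameter type inside methodname, as in "#setStripPort(boolean)". In DocBook this renders literally, so the tutorial will show a leading "#" in the section heading. Suggest dropping the "#" and keeping the bare method name in methodname, with the parameter type in the paragraph text if it is needed.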
@@ -561,7 +554,9 @@
<classname>BouncySpnegoTokenGenerator</classname> implementation is provided
as unsupported contribution from the contrib package. This requires the
BouncyCastle libs <ulink url="http://www.bouncycastle.org/java.html"
- >"http://www.bouncycastle.org/java.html"</ulink>
+ >"http://www.bouncycastle.org/java.html"</ulink>. Found especially useful
+ when using Java 1.5 that is known to provide only a limited support for
+ <literal>SPNEGO</literal> authentication.
</para>
</section>
</section>
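Review bot: The added sentence "Found especially useful when using Java 1.5 that is known to provide only a limited support" has no subject and reads awkwardly in the tutorial. Something like "This is especially useful with Java 1.5, which is known to provide only limited support for SPNEGO authentication." would be clearer. Since the paragraph describes BouncySpnegoTokenGenerator as an unsupported contribution, it would also help to say here that the generator is not needed on Java 1.6 and later, if that is the intent of the recommendation earlier in this file.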