Posted to dev@hc.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2020/02/09 20:22:00 UTC
[jira] [Comment Edited] (HTTPCLIENT-1625) Completely overhaul GSS-API-based authentication backend
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033286#comment-17033286 ]
Michael Osipov edited comment on HTTPCLIENT-1625 at 2/9/20 8:21 PM:
--------------------------------------------------------------------
[~mkuespert], it never completes the security loop thus completely ignores the response token from the server. The server cannot be trusted, potential MITM attack.
Unfortunately, there is currently nothing I can recommend unless I work on it myself.
was (Author: michael-o):
[~mkuespert], it never completes the security loop thus completely ignores the response token from the server. The server cannot be trusted, potential MITM attack.
> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
> Key: HTTPCLIENT-1625
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
> Project: HttpComponents HttpClient
> Issue Type: Task
> Components: Documentation, HttpClient (classic)
> Affects Versions: 4.5
> Reporter: Michael Osipov
> Assignee: Michael Osipov
> Priority: Major
> Labels: stuck, volunteers-wanted
> Fix For: Stuck
>
>
> The current implementation does not reflect the way GSS-API-based authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under: https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625
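The comment above turns on completing the GSS-API context loop: the initiator has to feed the server's response token back into `initSecContext` and confirm mutual authentication before trusting the peer. The following Java sketch of that loop with `org.ietf.jgss` is an added example, not HttpClient code and not from the issue's author; `roundTrip` is a hypothetical transport hook and `fakeContext` is a constructed test double so the loop runs without a KDC.

```java
import org.ietf.jgss.*;
import java.lang.reflect.Proxy;
import java.util.function.UnaryOperator;

public class GssLoopExample {
    // roundTrip (hypothetical) sends our token to the server and returns the
    // token carried in the server's response, or null if there was none.
    static void establish(GSSContext ctx, UnaryOperator<byte[]> roundTrip) throws GSSException {
        ctx.requestMutualAuth(true);                  // ask the server to prove its identity
        byte[] in = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] out = ctx.initSecContext(in, 0, in.length);
            if (out != null && out.length > 0) {
                in = roundTrip.apply(out);            // the response token must be kept
            } else if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.FAILURE);
            }
            if (!ctx.isEstablished() && in == null) { // server token missing: loop cannot close
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
        }
        if (!ctx.getMutualAuthState()) {              // fail closed: server never authenticated
            throw new SecurityException("server did not authenticate itself");
        }
    }
    // Constructed test double (not a real mechanism): needs one server token to finish.
    static GSSContext fakeContext() {
        boolean[] done = {false};
        return (GSSContext) Proxy.newProxyInstance(GssLoopExample.class.getClassLoader(),
            new Class<?>[] {GSSContext.class}, (proxy, method, args) -> {
                switch (method.getName()) {
                    case "isEstablished": case "getMutualAuthState": return done[0];
                    case "initSecContext":
                        if ((Integer) args[2] == 0) return new byte[] {1}; // first leg
                        done[0] = true;                                     // server token consumed
                        return null;
                    default: return null;                                   // e.g. requestMutualAuth
                }
            });
    }
    public static void main(String[] a) throws GSSException {
        establish(fakeContext(), token -> new byte[] {2});   // server answers: succeeds
        System.out.println("established with server token");
        try {
            establish(fakeContext(), token -> null);          // server token absent
        } catch (GSSException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```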