You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2020/02/09 20:22:00 UTC

[jira] [Comment Edited] (HTTPCLIENT-1625) Completely overhaul GSS-API-based authentication backend

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033286#comment-17033286 ] 

Michael Osipov edited comment on HTTPCLIENT-1625 at 2/9/20 8:21 PM:
--------------------------------------------------------------------

[~mkuespert], it never completes the security loop thus completely ignores the response token from the server. The server cannot be trusted, potential MITM attack.

Unfortunately,  there is currently nothing I can recommend unless aI work myself on it.


was (Author: michael-o):
[~mkuespert], it never completes the security loop thus completely ignores the response token from the server. The server cannot be trusted, potential MITM attack.

> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-1625
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
>             Project: HttpComponents HttpClient
>          Issue Type: Task
>          Components: Documentation, HttpClient (classic)
>    Affects Versions: 4.5
>            Reporter: Michael Osipov
>            Assignee: Michael Osipov
>            Priority: Major
>              Labels: stuck, volunteers-wanted
>             Fix For: Stuck
>
>
> The current implementation does not reflect the way GSS-API-based authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under: https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org