Posted to dev@hc.apache.org by "Sebastiaan van Erk (JIRA)" <ji...@apache.org> on 2009/12/12 00:14:18 UTC

[jira] Created: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method
------------------------------------------------------------------------------------------

                 Key: HTTPCLIENT-901
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-901
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpAuth
    Affects Versions: 4.1 Alpha1
            Reporter: Sebastiaan van Erk
            Priority: Minor


The interface to be added would be:

/**
 * This interface represents an extended authentication scheme
 * that requires access to {@link HttpContext} in order to
 * generate an authorization string.
 *
 * @since 4.1
 */

public interface ContextAwareAuthScheme extends AuthScheme {

    /**
     * Produces an authorization string for the given set of
     * {@link Credentials}.
     *
     * @param credentials The set of credentials to be used for authentication
     * @param request The request being authenticated
     * @param context HTTP context
     * @throws AuthenticationException if authorization string cannot
     *   be generated due to an authentication failure
     *
     * @return the authorization string
     */
    Header authenticate(
            Credentials credentials,
            HttpRequest request,
            HttpContext context) throws AuthenticationException;

}

Binary compatibility can be maintained by doing an instanceof check at the location where AuthScheme.authenticate() is called at the moment, and calling the context aware version if available.

This interface is necessary for the NegotiateScheme authentication scheme because the service names for the authentication tickets are based on the hostname of the target host or proxy host, depending on whether it's normal or proxy authentication, and this information is only available from the HttpContext.

Without the HttpContext there is a workaround that works most of the time, which looks like this:

	String host;
	if (isProxy()) {
		// FIXME this should actually be taken from the HttpContext.
		HttpHost proxy = ConnRouteParams.getDefaultProxy(request.getParams());
		host = proxy.getHostName();
	} else {
		host = request.getLastHeader("Host").getValue();
	}



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
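
The instanceof dispatch and the host selection described in the issue above, as an added example that is not part of the original message and is not HttpClient's code. `Scheme`, `ContextAwareScheme`, `NegotiateLike`, the map-based context, its attribute names and the `HTTP/<host>` service-name form are assumptions of this example, used so it runs on a plain JDK.

```java
import java.util.HashMap;
import java.util.Map;

public class ContextAwareDispatchDemo {
    // Stand-ins for the page's AuthScheme / ContextAwareAuthScheme (not HttpClient's classes).
    interface Scheme {
        String authenticate(String credentials, Map<String, String> headers);
    }
    interface ContextAwareScheme extends Scheme {
        String authenticate(String credentials, Map<String, String> headers,
                            Map<String, Object> context);
    }

    // Hypothetical context attribute names, chosen for this example.
    static final String TARGET_HOST = "demo.target-host";
    static final String PROXY_HOST = "demo.proxy-host";

    // Negotiate-like scheme: the service name depends on which peer is being authenticated to.
    static final class NegotiateLike implements ContextAwareScheme {
        private final boolean proxy;
        NegotiateLike(boolean proxy) { this.proxy = proxy; }

        // Legacy entry point: only the request is visible, so it falls back to the Host header.
        public String authenticate(String credentials, Map<String, String> headers) {
            return "HTTP/" + headers.get("Host");
        }

        // Context-aware entry point: the host comes from the route recorded in the context.
        public String authenticate(String credentials, Map<String, String> headers,
                                   Map<String, Object> context) {
            Object host = context.get(proxy ? PROXY_HOST : TARGET_HOST);
            if (host == null) {
                throw new IllegalStateException("no " + (proxy ? "proxy" : "target") + " host in context");
            }
            return "HTTP/" + host;
        }
    }

    // The call site: prefer the context-aware method, keep older schemes working unchanged.
    static String authenticate(Scheme scheme, String credentials,
                               Map<String, String> headers, Map<String, Object> context) {
        if (scheme instanceof ContextAwareScheme) {
            return ((ContextAwareScheme) scheme).authenticate(credentials, headers, context);
        }
        return scheme.authenticate(credentials, headers);
    }

    public static void main(String[] args) {
        Map<String, String> headers = new HashMap<>();
        headers.put("Host", "app.example.test");            // constructed sample request
        Map<String, Object> context = new HashMap<>();
        context.put(TARGET_HOST, "app.example.test");       // constructed sample route
        context.put(PROXY_HOST, "proxy.example.test");

        Scheme legacy = (c, h) -> "HTTP/" + h.get("Host");   // a scheme that predates the new interface
        System.out.println(authenticate(legacy, "user", headers, context));
        System.out.println(authenticate(new NegotiateLike(false), "user", headers, context));
        System.out.println(authenticate(new NegotiateLike(true), "user", headers, context));
    }
}
```

With the proxy variant the service name is built from the proxy host held in the context, which the `Host` header of the request never carries.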


[jira] Updated: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-901:
-----------------------------------------

    Fix Version/s: 4.1 Alpha2

Sebastiaan,

Are you working on this issue, or shall I take over?

Oleg



[jira] Commented: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837268#action_12837268 ] 

Oleg Kalnichevski commented on HTTPCLIENT-901:
----------------------------------------------

Truth be told, I neither have time, nor competence, nor inclination to work on this issue. I just wanted to know whether you were still interested in working on SPNEGO improvements in principle.

I would prefer your changes submitted as a series of incremental small patches, which obviously will require some preparation on your part. No need to rush things. Take your time. 

Oleg



[jira] Commented: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Posted by "Sebastiaan van Erk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837250#action_12837250 ] 

Sebastiaan van Erk commented on HTTPCLIENT-901:
-----------------------------------------------

Yes, I'm definitely still working on this, but I've been short on time due to some deadlines recently.

I have all the code working for my specific use case, but to make it work for everybody there need to be some small fixes and polishing.

The problem is integrating the protocol into the auth scheme design in httpclient. The main issues are:
- the protocol should be connection based, but not all implementations on the server side are (Apache being the main exception).
- the protocol uses negotiation that should be finished even when a non 401 or 407 response code is returned.

I'm really busy with a deadline the next 2-3 weeks, but after that I'm finishing the project which needs this Kerberos auth/proxy auth, and it will be put live at the customer location.

I don't know in what way you want to proceed. I can submit what I have, and you can do what you want with it, or else I can submit it in small patches (but I'll need time to put it into that form, so it'll have to wait until after the deadline). Another option is to reserve a day sometime soon in the weekend and get in touch (e.g. chat) and try to fix it on that day, because I think with direct feedback it'll work much faster.

Regards,
Sebastiaan



[jira] Resolved: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-901.
------------------------------------------

    Resolution: Fixed

Sebastiaan,

I had to go ahead and fix the problem with the proxy authentication exercising my best judgement based on your input. I guess we will have to live with SPNEGO in its present form for now. Hopefully you will manage to get around to submitting your improvements some time in the future. 

Closing as FIXED.

Oleg  



[jira] Updated: (HTTPCLIENT-901) Add a ContextAwareAuthScheme that has access to the HttpContext in the authenticate method

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-901:
-----------------------------------------

    Priority: Major  (was: Minor)

I added the ContextAwareAuthScheme interface and tweaked the RequestProxyAuthentication and RequestTargetAuthentication interceptors.

http://svn.apache.org/viewvc?view=revision&revision=889860

It is all yours now.

Oleg
