Posted to httpclient-users@hc.apache.org by Luis Gabriel Gomez <lu...@gmail.com> on 2022/12/07 20:34:26 UTC

Kerberos proxy auth in 5.x and post-deprecation handling

Hi

I'm trying to establish a connection via a Kerberos authenticated proxy; I
have working code based on the 4.x client, which works with minimal setup
using a no-op Credential (use_jaas_creds); this way the client authenticates
via its ExtendedGSSManager and JAAS:

        CredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(new AuthScope(null, -1, null), use_jaas_creds);
        Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
                .<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
                .build();

I'm trying to do the same in 5.x but am facing some issues:

        final Credentials use_jaas_creds = new UseJaasCredentials();
        credentialsProvider.setCredentials(
                new AuthScope(null, null, -1, null, null), use_jaas_creds);
        final Registry<AuthSchemeFactory> authSchemeRegistry = RegistryBuilder
                .<AuthSchemeFactory>create()
                .register(StandardAuthScheme.SPNEGO, kerberosSchemeFactory)
                .build();

Setup is roughly the same, with the addition of the kerberosSchemeFactory
buildup, which is omitted for brevity. The request goes to the target host but
doesn't go through the proxy, so what else may I have missed? I suspect
the AuthScope needs the full proxy information now, but I'm unsure.

On another note, with the 5.3 deprecation of SPNEGO support, is there still
gonna be a way to plug in support for these authenticators on clients that
still need it once it's finally removed?

Thanks

Re: Kerberos proxy auth in 5.x and post-deprecation handling

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2022-12-07 at 22:34 +0100, Michael Osipov wrote:
> Luis,
> 
> please read my message a couple of days ago regarding this topic.
> 
> Doing the proper JGSS code yourself requires ~ 20 LoC. There is no
> magic.
> 

Luis

One more thing. If you have a functional setup with HC 4, run with the
context / wire logging on, and compare the log with that produced with
HC 5. This should help you understand the differences in behavior
between the two versions.

Oleg


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: Kerberos proxy auth in 5.x and post-deprecation handling

Posted by Michael Osipov <mi...@apache.org>.
Luis,

please read my message a couple of days ago regarding this topic.

Doing the proper JGSS code yourself requires ~ 20 LoC. There is no magic.

M
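
The JGSS approach mentioned in the replies, as an added example (not code from this thread or from HttpClient): it logs in through JAAS and builds the `Proxy-Authorization: Negotiate` value for a proxy host using only JDK classes. The JAAS entry name `KrbClient`, the class name and the method name are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ProxyNegotiateToken {

    // SPNEGO mechanism OID (RFC 4178).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Value for a Proxy-Authorization header answering "Proxy-Authenticate: Negotiate". */
    static String negotiateHeader(String proxyHost) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        // Host-based service name; JGSS maps it to HTTP/<proxyHost>@<realm>.
        GSSName spn = manager.createName("HTTP@" + proxyHost, GSSName.NT_HOSTBASED_SERVICE);
        // null credential = use the Kerberos ticket of the current JAAS Subject.
        GSSContext ctx = manager.createContext(
                spn, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestCredDeleg(false); // do not delegate the user's ticket to the proxy
            // First token of the exchange; without mutual authentication it is the only one.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // "KrbClient" is an assumed entry in the JAAS login configuration
        // (-Djava.security.auth.login.config=...) that uses Krb5LoginModule.
        LoginContext login = new LoginContext("KrbClient");
        login.login();
        try {
            // Subject.doAs is the classic call; newer JDKs offer Subject.callAs.
            String header = Subject.doAs(login.getSubject(),
                    (PrivilegedExceptionAction<String>) () -> negotiateHeader(args[0]));
            System.out.println("Proxy-Authorization: " + header);
        } finally {
            login.logout();
        }
    }
}
```

The token is bound to the proxy's service principal, so the host name passed in must be the one the proxy's keytab is registered under.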