Posted to httpclient-users@hc.apache.org by Vipul Mehta <vi...@gmail.com> on 2014/09/03 11:10:24 UTC

Using GSSCredential directly for Kerberos authentication

Hi,

In my scenario I am getting the delegated GSSCredential of a user from some
other client, and I want to use it to create a context and authenticate with
Windows ADFS.

The createContext call in
*org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken()* relies on JAAS
configuration for getting credentials, and hence null is passed to it in
the credential field.

    protected byte[] generateGSSToken(
            final byte[] input, final Oid oid, final String authServer)
            throws GSSException {
        byte[] token = input;
        if (token == null) {
            token = new byte[0];
        }
        final GSSManager manager = getManager();
        final GSSName serverName = manager.createName("HTTP@" + authServer,
                GSSName.NT_HOSTBASED_SERVICE);
        // The third argument (the credential) is null here.
        final GSSContext gssContext = manager.createContext(
                serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
        return gssContext.initSecContext(token, 0, token.length);
    }

I want to pass the GSSCredential in this createContext call. Is there any
way I can achieve it without changing httpclient code?


-- 
Regards,
Vipul
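
Added example, not part of the original post and not HttpClient's code: a stand-alone helper built only on the JDK's org.ietf.jgss API that passes a caller-supplied GSSCredential as the third argument of createContext instead of null. The class name, the method name and the forwardCredential parameter are assumptions made for illustration.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example; class and method names are hypothetical. JDK GSS-API only. */
public final class DelegatedSpnegoToken {

    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * Builds the first SPNEGO token for HTTP@authServer. Passing
     * delegated == null gives the behaviour of the quoted method: the JDK
     * looks up a default initiator credential (JAAS Subject / login config).
     */
    public static byte[] initialToken(final GSSCredential delegated,
            final String authServer, final boolean forwardCredential)
            throws GSSException {
        if (delegated != null) {
            // Fail early on a credential that cannot start a context or
            // that expired while being handed over.
            if (delegated.getUsage() == GSSCredential.ACCEPT_ONLY) {
                throw new IllegalArgumentException("credential is accept-only");
            }
            if (delegated.getRemainingLifetime() <= 0) {
                throw new IllegalArgumentException("credential has expired");
            }
        }
        final Oid spnego = new Oid(SPNEGO_OID);
        final GSSManager manager = GSSManager.getInstance();
        final GSSName serverName = manager.createName(
                "HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
        final GSSContext ctx = manager.createContext(
                serverName.canonicalize(spnego), spnego, delegated,
                GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);
            // Forwarding hands the user's ticket on to the server; ask for
            // it only when that service must itself act as the user.
            ctx.requestCredDeleg(forwardCredential);
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }
}
```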

Re: Using GSSCredential directly for Kerberos authentication

Posted by Vipul Mehta <vi...@gmail.com>.
Done: https://github.com/apache/httpclient/pull/17



On Fri, Sep 5, 2014 at 1:21 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> Please create a pull request at GitHub for changes you want merged into
> HttpClient.
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>


-- 
Regards,
Vipul

Re: Using GSSCredential directly for Kerberos authentication

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2014-09-05 at 00:39 +0530, Vipul Mehta wrote:
> I have made changes in non-deprecated classes only. NegotiateScheme in
> deprecated version required change because it overrides generateToken()
> method of GGSScheme and signature of generateToken() has been changed in my
> patch.
> 
> All maven tests are passing in my workspace.
> 
> The exception I mentioned was occurring while I was running my sample code,
> and it was because I was using an old version of httpcore. Now it is also
> working fine.
> 

Please create a pull request at GitHub for changes you want merged into
HttpClient.

Oleg 





Re: Using GSSCredential directly for Kerberos authentication

Posted by Vipul Mehta <vi...@gmail.com>.
I have made changes in non-deprecated classes only. NegotiateScheme in
deprecated version required change because it overrides generateToken()
method of GGSScheme and signature of generateToken() has been changed in my
patch.

All maven tests are passing in my workspace.

The exception I mentioned was occurring while I was running my sample code,
and it was because I was using an old version of httpcore. Now it is also
working fine.

On Thu, Sep 4, 2014 at 7:41 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> On Thu, 2014-09-04 at 19:23 +0530, Vipul Mehta wrote:
> > Here is my patch merged in a forked trunk branch:
> > https://github.com/xeronix/httpclient/commit/8f88ec4c58a3d0a72e25af43809698aaf1ccf193
> >
> > I have tested the patch over 4.3.5 source code and it works fine.
> >
>
> NegotiateScheme class has been deprecated since 4.2. Could you please
> re-apply your changes to non-deprecated classes instead?
>
> Please also note we will not be able to include this patch into 4.3.x
> branch. It can only go into trunk and therefore it should compile
> against trunk and all tests should still pass.
>
> Oleg


-- 
Regards,
Vipul

Re: Using GSSCredential directly for Kerberos authentication

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2014-09-04 at 19:23 +0530, Vipul Mehta wrote:
> Here is my patch merged in a forked trunk branch :
> https://github.com/xeronix/httpclient/commit/8f88ec4c58a3d0a72e25af43809698aaf1ccf193
> 
> I have tested the patch over 4.3.5 source code and it works fine.
> 

NegotiateScheme class has been deprecated since 4.2. Could you please
re-apply your changes to non-deprecated classes instead? 

Please also note we will not be able to include this patch into 4.3.x
branch. It can only go into trunk and therefore it should compile
against trunk and all tests should still pass.

Oleg  




Re: Using GSSCredential directly for Kerberos authentication

Posted by Vipul Mehta <vi...@gmail.com>.
Here is my patch merged in a forked trunk branch :
https://github.com/xeronix/httpclient/commit/8f88ec4c58a3d0a72e25af43809698aaf1ccf193

I have tested the patch over 4.3.5 source code and it works fine.

With jar build from Trunk branch I am getting some exception which is not
related to the patch:

Exception in thread "main" java.lang.NoSuchMethodError: org.apache.http.impl.conn.CPool.setValidateAfterInactivity(I)V
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>(PoolingHttpClientConnectionManager.java:176)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.<init>(PoolingHttpClientConnectionManager.java:158)
    at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:838)

Snippet to set GSSCredential for SPNEGO-KERBEROS Authentication:

    // gssCredential is the GSSCredential object
    KerberosCredentials kerebrosCredential = new KerberosCredentials(gssCredential);

    CredentialsProvider credsProvider = new BasicCredentialsProvider();
    credsProvider.setCredentials(new AuthScope(null, -1, null), kerebrosCredential);

    Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
            .<AuthSchemeProvider> create()
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
            .build();

    // Use this authSchemeRegistry for HttpClient.



On Wed, Sep 3, 2014 at 9:06 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> No, there is not. However, I'll happily commit a patch fixing the
> problem if you feel like contributing one.
>
> Oleg


-- 
Regards,
Vipul

Re: Using GSSCredential directly for Kerberos authentication

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2014-09-03 at 14:40 +0530, Vipul Mehta wrote:
> I want to pass the GSSCredential in this createContext call. Is there any
> way I can achieve it without changing httpclient code?
> 
> 

No, there is not. However, I'll happily commit a patch fixing the
problem if you feel like contributing one.

Oleg



