Posted to commits@hc.apache.org by ol...@apache.org on 2014/08/18 09:38:45 UTC
svn commit: r1618551 - in /httpcomponents/httpclient/trunk/httpclient-win:
./ src/main/java/org/apache/http/impl/auth/win/ src/test/ src/test/java/
src/test/java/org/ src/test/java/org/apache/ src/test/java/org/apache/http/
src/test/java/org/apache/htt...
Author: olegk
Date: Mon Aug 18 07:38:44 2014
New Revision: 1618551
URL: http://svn.apache.org/r1618551
Log:
HTTPCLIENT-1545: Possible infinite loop when WindowsNegotiateScheme authentication fails
Contributed by Ka-Lok Fung <ka-lok.fung at sap.com>
Added:
httpcomponents/httpclient/trunk/httpclient-win/src/test/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/
httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java (with props)
Modified:
httpcomponents/httpclient/trunk/httpclient-win/pom.xml
httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java
Modified: httpcomponents/httpclient/trunk/httpclient-win/pom.xml
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient-win/pom.xml?rev=1618551&r1=1618550&r2=1618551&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient-win/pom.xml (original)
+++ httpcomponents/httpclient/trunk/httpclient-win/pom.xml Mon Aug 18 07:38:44 2014
@@ -46,6 +46,13 @@
<scope>compile</scope>
</dependency>
<dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpclient</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ <classifier>tests</classifier>
+ </dependency>
+ <dependency>
<groupId>net.java.dev.jna</groupId>
<artifactId>jna</artifactId>
<scope>compile</scope>
Modified: httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java?rev=1618551&r1=1618550&r2=1618551&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java (original)
+++ httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java Mon Aug 18 07:38:44 2014
@@ -127,7 +127,6 @@ public class WindowsNegotiateScheme exte
return true;
}
-
@Override
protected void parseChallenge(
final CharArrayBuffer buffer,
@@ -177,11 +176,11 @@ public class WindowsNegotiateScheme exte
response = getToken(null, null,
this.servicePrincipalName != null ? this.servicePrincipalName : username);
} catch (Throwable t) {
- dispose();
+ failAuthCleanup();
throw new AuthenticationException("Authentication Failed", t);
}
} else if (this.challenge == null || this.challenge.isEmpty()) {
- dispose();
+ failAuthCleanup();
throw new AuthenticationException("Authentication Failed");
} else {
try {
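Review bot: The `catch (Throwable t)` in this hunk, and again in the continuation branch of the next hunk, also traps JVM `Error`s such as `OutOfMemoryError` and rethrows them as "Authentication Failed" after `failAuthCleanup()` has run. If `getToken` reports SSPI failures through a specific exception type (its body is not visible here), catching that type, or at least `catch (Exception e)`, would keep fatal errors from being relabelled as an authentication failure. The enclosing method and the first `try` begin outside the hunk.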
@@ -191,7 +190,7 @@ public class WindowsNegotiateScheme exte
response = getToken(this.sppicontext, continueTokenBuffer,
this.servicePrincipalName != null ? this.servicePrincipalName : "localhost");
} catch (Throwable t) {
- dispose();
+ failAuthCleanup();
throw new AuthenticationException("Authentication Failed", t);
}
}
@@ -209,6 +208,11 @@ public class WindowsNegotiateScheme exte
return new BufferedHeader(buffer);
}
+ private void failAuthCleanup() {
+ dispose();
+ this.continueNeeded = false;
+ }
+
// See http://msdn.microsoft.com/en-us/library/windows/desktop/aa375506(v=vs.85).aspx
private String getToken(
final CtxtHandle continueCtx,
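Review bot: `failAuthCleanup()` clears `continueNeeded` only after `dispose()` returns. If `dispose()` throws while releasing the security context (its body is outside this hunk), the flag stays set and that exception replaces the `AuthenticationException` the three call sites are about to throw. Swapping the two statements closes the gap: `this.continueNeeded = false;` followed by `dispose();`. The helper would also benefit from a one-line comment, for example `// HTTPCLIENT-1545: mark the handshake as finished so a failed negotiation is not retried`. The `getToken` signature at the end of the hunk continues outside it.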
@@ -252,5 +256,3 @@ public class WindowsNegotiateScheme exte
}
}
-
-
Added: httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java?rev=1618551&view=auto
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java (added)
+++ httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java Mon Aug 18 07:38:44 2014
@@ -0,0 +1,116 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.impl.auth.win;
+
+import java.io.IOException;
+
+import org.apache.http.HttpException;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
+import org.apache.http.auth.AUTH;
+import org.apache.http.auth.AuthSchemeProvider;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.config.AuthSchemes;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.SystemDefaultCredentialsProvider;
+import org.apache.http.impl.client.WinHttpClients;
+import org.apache.http.localserver.LocalServerTestBase;
+import org.apache.http.protocol.HttpContext;
+import org.apache.http.protocol.HttpRequestHandler;
+import org.apache.http.util.EntityUtils;
+import org.junit.After;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Unit tests for Windows negotiate authentication.
+ */
+public class TestWindowsNegotiateScheme extends LocalServerTestBase {
+
+ @Before @Override
+ public void setUp() throws Exception {
+ super.setUp();
+ this.serverBootstrap.registerHandler("/", new HttpRequestHandler() {
+
+ @Override
+ public void handle(
+ final HttpRequest request,
+ final HttpResponse response,
+ final HttpContext context) throws HttpException, IOException {
+ response.addHeader(AUTH.WWW_AUTH, AuthSchemes.SPNEGO);
+ response.setStatusCode(HttpStatus.SC_UNAUTHORIZED);
+ }
+
+ });
+ }
+
+ @After @Override
+ public void shutDown() throws Exception {
+ super.shutDown();
+ }
+
+ @Test(timeout=30000) // this timeout (in ms) needs to be extended if you're actively debugging the code
+ public void testNoInfiniteLoopOnSPNOutsideDomain() throws Exception {
+ Assume.assumeTrue("Test can only be run on Windows", WinHttpClients.isWinAuthAvailable());
+
+ // HTTPCLIENT-1545
+ // If a service principle name (SPN) from outside your Windows domain tree (e.g., HTTP/EXAMPLE.COM) is used,
+ // InitializeSecurityContext will return SEC_E_DOWNGRADE_DETECTED (decimal: -2146892976, hex: 0x80090350).
+ // Because WindowsNegotiateScheme wasn't setting the completed state correctly when authentication fails,
+ // HttpClient goes into an infinite loop, constantly retrying the negotiate authentication to kingdom
+ // come. This error message, "The system detected a possible attempt to compromise security. Please ensure that
+ // you can contact the server that authenticated you." is associated with SEC_E_DOWNGRADE_DETECTED.
+
+ final Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
+ .register(AuthSchemes.SPNEGO, new WindowsNegotiateSchemeFactory("HTTP/EXAMPLE.COM"))
+ .build();
+ final CredentialsProvider credsProvider = new WindowsCredentialsProvider(new SystemDefaultCredentialsProvider());
+ final CloseableHttpClient customClient = HttpClientBuilder.create()
+ .setDefaultCredentialsProvider(credsProvider)
+ .setDefaultAuthSchemeRegistry(authSchemeRegistry).build();
+
+ final HttpHost target = start();
+ final HttpGet httpGet = new HttpGet("/");
+ final CloseableHttpResponse response = customClient.execute(target, httpGet);
+ try {
+ EntityUtils.consume(response.getEntity());
+ } finally {
+ response.close();
+ }
+ }
+
+}
+
+
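Review bot: `customClient` in `testNoInfiniteLoopOnSPNOutsideDomain` is never closed, so the client and its connection pool outlive the test; adding `customClient.close();` next to `response.close()` in the `finally` block would release them. The test also passes on any response that arrives within the timeout. Since the handler always answers with `SC_UNAUTHORIZED`, an assertion such as `Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusLine().getStatusCode());` would pin what is presumably the expected outcome of a failed negotiation. In the explanatory comment, "service principle name" should read "service principal name".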
Propchange: httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: httpcomponents/httpclient/trunk/httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java
------------------------------------------------------------------------------
svn:mime-type = text/plain