You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Gregory Chanan (JIRA)" <ji...@apache.org> on 2014/10/29 07:26:34 UTC

[jira] [Commented] (HADOOP-10911) hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109

    [ https://issues.apache.org/jira/browse/HADOOP-10911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14188065#comment-14188065 ] 

Gregory Chanan commented on HADOOP-10911:
-----------------------------------------

[~cnauroth] do you have a test?  Ideally we'd have a format that worked for as many users as possible.

Also, can you check out HADOOP-11068?  I changed the format there to what's output by the latest jetty but it hasn't been committed.  Perhaps that works for you?

> hadoop.auth cookie after HADOOP-10710 still not proper according to RFC2109
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-10911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10911
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Gregory Chanan
>             Fix For: 2.6.0
>
>         Attachments: HADOOP-10911-tests.patch, HADOOP-10911.patch, HADOOP-10911v2.patch, HADOOP-10911v3.patch, oozie-webconsole.stream
>
>
> I'm seeing the same problem reported in HADOOP-10710 (that is, httpclient is unable to authenticate with servers running the authentication filter), even with HADOOP-10710 applied.
> From my reading of the spec, the problem is as follows:
> Expires is not a valid directive according to the RFC, though it is mentioned for backwards compatibility with netscape draft spec.  When httpclient sees "Expires", it parses according to the netscape draft spec, but note from RFC2109:
> {code}
> Note that the Expires date format contains embedded spaces, and that "old" cookies did not have quotes around values. 
> {code}
> and note that AuthenticationFilter puts quotes around the value:
> https://github.com/apache/hadoop-common/blob/6b11bff94ebf7d99b3a9e513edd813cb82538400/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java#L437-L439
> So httpclient's parsing appears to be kosher.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)