Posted to dev@hc.apache.org by "Michel Jung (JIRA)" <ji...@apache.org> on 2019/02/27 16:40:00 UTC
[jira] [Created] (HTTPCLIENT-1972) Kerberos/SPNego Negotiate not working correctly?
Michel Jung created HTTPCLIENT-1972:
---------------------------------------
Summary: Kerberos/SPNego Negotiate not working correctly?
Key: HTTPCLIENT-1972
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1972
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Affects Versions: 4.5.7
Environment: Windows 10, JDK 8 u191
Reporter: Michel Jung
I don't understand much of Kerberos/SPNego and how it's implemented, but something seems to be off.
It's about this method from {{org.apache.http.impl.auth.GGSSchemeBase}}:
{code:java}
@Override
protected void parseChallenge(
        final CharArrayBuffer buffer,
        final int beginIndex, final int endIndex) throws MalformedChallengeException {
    final String challenge = buffer.substringTrimmed(beginIndex, endIndex);
    if (log.isDebugEnabled()) {
        log.debug("Received challenge '" + challenge + "' from the auth server");
    }
    if (state == State.UNINITIATED) {
        token = Base64.decodeBase64(challenge.getBytes());
        state = State.CHALLENGE_RECEIVED;
    } else {
        log.debug("Authentication already attempted");
        state = State.FAILED;
    }
}{code}
In my case, it's first called for "Negotiate" (without a value) so that {{challenge}} is an empty string, resulting in an empty token.
After that, the method is called a second time for "Negotiate <someBase64String>" but since the state is no longer {{UNINITIATED}}, the authentication fails.
Comparing this to the implementation of {{org.apache.http.impl.auth.win.WindowsNegotiateScheme}}:
{code:java}
@Override
protected void parseChallenge(
        final CharArrayBuffer buffer,
        final int beginIndex,
        final int endIndex) throws MalformedChallengeException {
    this.challenge = buffer.substringTrimmed(beginIndex, endIndex);
    if (this.challenge.isEmpty()) {
        if (clientCred != null) {
            dispose(); // run cleanup first before throwing an exception otherwise can leak OS resources
            if (continueNeeded) {
                throw new RuntimeException("Unexpected token");
            }
        }
    }
}{code}
Here, the case described above is handled correctly; an empty challenge isn't processed.
Unfortunately, I can't use {{WindowsNegotiateScheme}} as I need to use a keytab file and specify my own user, and I prefer a platform-independent solution anyways.
Is the first implementation buggy or am I doing something wrong? Is there a way to work around this?
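The two-call sequence described in the report can be reproduced with a small stand-alone model. This is an added example, not code from the report or from HttpClient: the class names, the run helper and the "empty tolerant" variant are hypothetical, and the token is a constructed placeholder.

```java
import java.util.Base64;

/** Simplified model of the challenge handling discussed above; not HttpClient code. */
public class NegotiateStateModel {
    enum State { UNINITIATED, CHALLENGE_RECEIVED, FAILED }
    /** Same state transitions as the quoted snippet; java.util.Base64 stands in for commons-codec. */
    static class AsReported {
        State state = State.UNINITIATED;
        byte[] token;
        void parseChallenge(String challenge) {
            if (state == State.UNINITIATED) {
                token = Base64.getDecoder().decode(challenge); // "" decodes to an empty token
                state = State.CHALLENGE_RECEIVED;
            } else {
                state = State.FAILED;
            }
        }
    }

    /** Hypothetical variant: an empty challenge carries no token and is not counted as an attempt. */
    static class EmptyTolerant extends AsReported {
        @Override
        void parseChallenge(String challenge) {
            if (challenge.isEmpty() && state == State.UNINITIATED) {
                return;
            }
            super.parseChallenge(challenge);
        }
    }

    static State run(AsReported scheme, String... headers) {
        for (String header : headers) {
            // Everything after the scheme name is the challenge value.
            String value = header.substring("Negotiate".length()).trim();
            scheme.parseChallenge(value);
        }
        return scheme.state;
    }

    public static void main(String[] args) {
        // Constructed sample: placeholder bytes, not a real SPNEGO token.
        String token = Base64.getEncoder().encodeToString("constructed-token".getBytes());
        String[] seq = { "Negotiate", "Negotiate " + token };
        System.out.println("as reported:    " + run(new AsReported(), seq));
        System.out.println("empty tolerant: " + run(new EmptyTolerant(), seq));
        // Two non-empty challenges in a row: the second one is still rejected.
        System.out.println("second token:   " + run(new EmptyTolerant(), seq[1], seq[1]));
    }
}
```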