[
https://issues.apache.org/jira/browse/AXIS2C-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aaron Oneal updated AXIS2C-1370:
--------------------------------
Attachment: axis2_libcurl.c.diff
It turns out that libcurl passes headers from all auth negotiation requests
back which completely busts the current way of retrieiving headers like content
type, content length, and the status code. The correct way to grab these anyway
is using curl_easy_getopt. The patched axis2_libcurl.c file takes care of this.
With the applied patches, all of libcurl's auth schemes are now supported.
> Axis should support libcurl's other auth types (not just basic)
> ---------------------------------------------------------------
>
> Key: AXIS2C-1370
> URL: https://issues.apache.org/jira/browse/AXIS2C-1370
> Project: Axis2-C
> Issue Type: Improvement
> Components: transport/http
> Affects Versions: 1.6.0
> Reporter: Aaron Oneal
> Attachments: axis2_libcurl.c.diff, axis2c-1370.diff, options.c.diff
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> Looking over axis2_libcurl_set_auth_options() I see it only allows basic auth.
> if (auth_type &&
> 0 == axutil_strcmp(auth_type, AXIS2_HTTP_AUTH_TYPE_BASIC))
> {
> curl_easy_setopt(handler, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
> }
> else
> {
> /* Uses anonymous connection.*/
> }
> If new schemes can be enabled as easily as mapping Axis options to Libcurl,
> this would appear to be an easy fix. Other supported values to be mapped
> include:
> CURLAUTH_BASIC
> HTTP Basic authentication. This is the default choice, and the only method
> that is in wide-spread use and supported virtually everywhere. This is
> sending the user name and password over the network in plain text, easily
> captured by others.
> CURLAUTH_DIGEST
> HTTP Digest authentication. Digest authentication is defined in RFC2617 and
> is a more secure way to do authentication over public networks than the
> regular old-fashioned Basic method.
> CURLAUTH_GSSNEGOTIATE
> HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain
> "Negotiate") method was designed by Microsoft and is used in their web
> applications. It is primarily meant as a support for Kerberos5 authentication
> but may be also used along with another authentication methods. For more
> information see IETF draft draft-brezak-spnego-http-04.txt.
> You need to build libcurl with a suitable GSS-API library for this to work.
> CURLAUTH_NTLM
> HTTP NTLM authentication. A proprietary protocol invented and used by
> Microsoft. It uses a challenge-response and hash concept similar to Digest,
> to prevent the password from being eavesdropped.
> You need to build libcurl with OpenSSL support for this option to work, or
> build libcurl on Windows.
> CURLAUTH_ANY
> This is a convenience macro that sets all bits and thus makes libcurl pick
> any it finds suitable. libcurl will automatically select the one it finds
> most secure.
> CURLAUTH_ANYSAFE
> This is a convenience macro that sets all bits except Basic and thus makes
> libcurl pick any it finds suitable. libcurl will automatically select the one
> it finds most secure.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
