Karl Wright wrote:
Please see the response from Oleg Kalnichevski on the HttpClient team,
pertaining to my submitted NTLM patch.
Reading between the lines, it's apparently the policy of Apache Legal to
avoid any involvement that may *potentially* run afoul of commercial
IP. They don't have to actually have reason to believe that Apache code
would infringe; the mere potential is enough.
If that is indeed the legal policy, we'll have to find some way to
address this problem in LCF. By my estimate, that would mean we could
deliver only the file system connector completely free of all such
restrictions. We may be able to release a watered-down RSS and Web
connector as well, but basically we'd need to find a way to make
available a real NTLM implementation to people - and by definition, that
can't be through Apache.
I'm going to talk this issue over with people here - maybe we can set up
an open-source project here whose sole purpose is to add NTLM support to
HttpClient.
Karl
The recommendation from people here is to perhaps do an HttpClient 4.x addon, also Apache licensed, hosted by Google Code. We'd
want to set it up, of course, so that mere addition of the addon jar out of that project will enable NTLM support in HttpClient.
Otherwise, everything should still build and work - except if NTLM is in use, where some error would be returned instead.
Alternatively, if nobody likes the google code idea, does lucidimagination want to get involved? Or can anybody see another
solution?
Karl
------------------------------------------------------------------------
Subject:
[jira] Commented: (HTTPCLIENT-917) When authentication is invalidated
during redirection, proxy authentication also should be invalidated
From:
"Oleg Kalnichevski (JIRA)" <j...@apache.org>
Date:
Wed, 24 Feb 2010 12:28:27 +0000 (UTC)
To:
kwri...@metacarta.com
To:
kwri...@metacarta.com
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837757#action_12837757 ]
Oleg Kalnichevski commented on HTTPCLIENT-917:
----------------------------------------------
I am not a patent lawyer, so whatever I have to say on the matter has no
bearing of what so ever. The only group of people that can make definitive
statements on the matter is the ASF legal committee. If they decide it is okay
to use algorithms in the ASF code that may _potentially_ be covered by patents
held by Microsoft, the matter would be settled. However, given the fact they
have been unable to make up their mind about the use of LGPL code in ASF code
for years, I would not be holding my breath.
Welcome to the wonderful world of ASF bureaucracy.
Until this matter is decided upon by the ASF legal people I _personally_ will not touch Microsoft specific code with a barge pole. If MetaCarta, Inc have enough lawyers sitting around, good for you. I am just a regular guy writing code at his spare time. A mere potential threat of a lawsuit is enough for me.
I am aware of multiple open-source implementations of the NTLM protocol.
However this is not a copyright matter, but that of intellectual property
rights. This is about a liability for the use of Microsoft IP in commercial
products, not for writing open-source code. The existence of open-source
implementations does not prove or disprove anything.
When authentication is invalidated during redirection, proxy authentication
also should be invalidated
------------------------------------------------------------------------------------------------------
Key: HTTPCLIENT-917
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 3.1 Final
Reporter: Karl Wright
Attachments: proxy-auth-invalidate.patch
This was discovered during use by Lucene Connector Framework, on 3.1.
When a document is fetched through a proxy authenticated with NTLM, and
that document is a redirection (301 or 302), the httpclient fails to
properly use the right proxy credentials on the subsequent document
fetch. This leads to 407 errors on these kinds of documents.
I've attached a proposed patch.