[jira] [Commented] (HTTPCLIENT-1545) Possible infinite loop when WindowsNegotiateScheme authentication fails

Sun, 12 Oct 2014 10:44:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14168731#comment-14168731
 ] 

Ka-Lok Fung commented on HTTPCLIENT-1545:
-----------------------------------------

If you prefer to throw {{SEC_E_TARGET_UNKNOWN}} in the unit test that's fine. 
The error code choice is pretty arbitrary.

Even though that 1) it's true that that the SPN should be dynamically generated 
and 2) the code is currently tagged as experimental, I'm hesitant to break an 
interface that is already used by existing clients of HttpClient-win - I don't 
like breaking existing interfaces. I guess we could deprecate that API first.

When I talk about NTLM and SPNEGO support, I'm talking about server side 
support, not client side support. A backend server could support Kerberos 
through SPNEGO using [MIT Kerberos libraries|http://web.mit.edu/kerberos/]. Of 
course, HttpClient should support both connecting to servers that only support 
Kerberos, as well as that only support NTLM and those that support both.

> Possible infinite loop when WindowsNegotiateScheme authentication fails
> -----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1545
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1545
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.4 Alpha1
>         Environment: Windows
>            Reporter: Ka-Lok Fung
>             Fix For: 4.4 Beta1
>
>         Attachments: HTTPCLIENT-1545.WinXP.diff, HTTPCLIENT-1545.patch.diff, 
> HTTPCLIENT-1545.v2.patch.diff
>
>
> When {{WindowsNegotiateScheme}} authentication fails, it's possible for 
> HttpClient to retry the authentication in an endless loop because the 
> {{continueNeeded}} flag is not set to {{false}} when authentication fails.
> One possible way of causing authentication to fail is to use a service 
> principle name that is outside your Windows domain (e.g., HTTP/EXAMPLE.COM).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to