On Mon, 2015-04-06 at 22:15 +0200, Michael Osipov wrote:
> On 2015-04-06 at 18:12, Oleg Kalnichevski wrote:
> > On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
> >> Hi folks,
> >>
> >> I have finally started coding of that issue. While I was able to write a
> >> working prototype within an hour authenticating against Apache Tomcat
> >> and Apache Web Server, an issue arose I am not really clear about:
> >>
> >> Is a credentials provider always necessary for a target host?
> >
> > Yes, it is.
> 
> Thanks, that did the trick!
> 
> >> In other
> >> words, do I always need something like this:
> >> CredentialsProvider p = new BasicCredentialsProvider();
> >> p.setCredentials(AuthScope.ANY, new
> >> UsernamePasswordCredentials("mumu:mumu"));
> >> builder.setDefaultCredentialsProvider(p);
> >>
> >> Although the credential is by default obtained at runtime?
> >> I have noticed that authentication is not executed if no cred provider
> >> is set and the logs are not very chatty about that.
> >>
> >
> > This whole concept of the auth APIs goes back to the days of HC 2.0 and
> > it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were
> > primarily designed to work well with standard auth schemes like BASIC
> > and DIGEST and similar password based auth schemes. Things like Kerberos
> > and native Windows auth were not properly factored in at that point in
> > time. We can think of a better abstraction for HC 5, but for now we will
> > have to live with what we have.
> 
> I'll keep that in mind.
> 
> While I have gained some progress now, the client is not behaving the 
> way I expect it to. The AuthScheme impl is called, sends the first token 
> which is accepted by the server and the response token is sent. That is, 
> unfortunately, completely ignored. The HttpAuthenticator says 
> "Authentication succeeded" and ignores #isConnetionBased and 
> #isCompleted. Here is a wire log:
> 
> Requesting: http://server.company.net:8080/manager/html
> [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - 
> CookieSpec selected: default
> [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth 
> cache not set in the context
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection request: [route: {}->http://server.company.net:8080][total 
> kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection leased: [id: 0][route: 
> {}->http://server.company.net:8080][total kept alive: 0; route 
> allocated: 1 of 2; total allocated: 1 of 20]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening 
> connection {}->http://server.company.net:8080
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
> Connecting to server.company.net/1.2.3.4:8080
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - 
> Connection established 2.3.4.5:44647<->1.2.3.4:8080
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
> request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET 
> /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 
> server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: 
> Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: 
> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 
> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401 
> Unauthorized
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: 
> Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: 
> private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 
> 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> WWW-Authenticate: Negotiate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: 
> text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Content-Length: 974
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 
> Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
> can be kept alive indefinitely
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> Authentication required
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> server.company.net:8080 requested authentication
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Authentication schemes in the order of preference: [Negotiate, Kerberos, 
> NTLM, Digest, Basic]
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Kerberos authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for NTLM authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Digest authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - 
> Challenge for Basic authentication scheme not available
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected 
> authentication options: [NEGOTIATE]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing 
> request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth 
> state: CHALLENGED
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating 
> response to an authentication challenge using Negotiate scheme
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using 
> HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting 
> GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for 
> target host with SPN 'h...@server.company.net' created
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context 
> establishment is in progress
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth 
> state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET 
> /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 
> server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: 
> Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: 
> Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 
> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: 
> Negotiate YIIYwwYGKwY...
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: 
> Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: 
> private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 
> 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> WWW-Authenticate: Negotiate oYHtMIHqoAM...

Oh, Holy Mother. WWW-Authenticate in a 200 response? Really?

> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie: 
> JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: 
> text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Transfer-Encoding: chunked
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << 
> Content-Encoding: gzip
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary: 
> Accept-Encoding
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 
> Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - 
> Authentication succeeded
> [main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies - 
> Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61", 
> version:0, domain:server.company.net, path:/manager, expiry:null]
> [...response body...]
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
> http-outgoing-0: Shutdown connection
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection 
> discarded
> [main] DEBUG 
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection - 
> http-outgoing-0: Close connection
> [main] DEBUG 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 
> Connection released: [id: 0][route: 
> {}->http://server.company.net:8080][total kept alive: 0; route 
> allocated: 0 of 2; total allocated: 0 of 20]
> 
> My IN_PROGRESS case is never triggered and the response token is not 
> read by #parseChallenge.
> 
> While I do not intend to debug all necessary auth code, I highly suspect 
> that the client does not call the AuthScheme impl just because the 
> server responds with 200 OK along with the token.
> 
> Edit: I did a quick hack in 
> AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK 
> too, and it did continue auth and complete the context, but the response 
> is completely discarded and another request is issued.
> 
> Any ideas?
> 

I see no way around adding something hideous like that to
HttpAuthenticator#isAuthenticationRequested

---
// Also consume a Negotiate token that arrives on a non-401 response,
// so the in-progress GSS context gets the server's final token.
if (authState.getAuthScheme() instanceof SPNegoScheme) {
    final SPNegoScheme spNegoScheme = (SPNegoScheme) authState.getAuthScheme();
    final Header header = response.getFirstHeader(
            spNegoScheme.isProxy() ? AUTH.PROXY_AUTH : AUTH.WWW_AUTH);
    if (header != null) {
        try {
            spNegoScheme.processChallenge(header);
        } catch (MalformedChallengeException ignore) {
        }
    }
}
---

Oleg
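The handshake this thread describes (the server returns its final token on a 200 OK and HttpAuthenticator declares success without reading it) can also be completed and enforced outside the auth loop with a response interceptor, so a missing or bad server token fails the request instead of being ignored. This is an added example, not HttpClient code and not Oleg's proposed patch; it assumes an AuthScheme that, like Michael's GSSBasedScheme, continues its GSSContext on the second token and reports isComplete() only once the context is established (the stock SPNegoScheme in 4.x does not, it marks a second challenge as failed).

```java
import org.apache.http.Header;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.HttpStatus;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthState;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.protocol.HttpContext;

// Runs after HttpAuthenticator has already declared the 200 OK a success: hands the
// server's final Negotiate token to the still-open scheme and fails closed if it does not finish.
public final class NegotiateMutualAuthInterceptor implements HttpResponseInterceptor {
    @Override
    public void process(final HttpResponse response, final HttpContext context) throws HttpException {
        if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
            return; // 401/407 challenges are handled by HttpAuthenticator as usual
        }
        final AuthState authState = HttpClientContext.adapt(context).getTargetAuthState();
        final AuthScheme scheme = authState.getAuthScheme();
        if (scheme == null || !"Negotiate".equalsIgnoreCase(scheme.getSchemeName())
                || scheme.isComplete()) {
            return; // not a Negotiate exchange, or the handshake already finished
        }
        // Context still in progress: the 200 must carry the server's response token.
        Header token = null;
        for (final Header h : response.getHeaders(AUTH.WWW_AUTH)) {
            final String v = h.getValue();
            if (v != null && v.regionMatches(true, 0, "Negotiate ", 0, 10)) {
                token = h;
                break;
            }
        }
        if (token == null) {
            throw new HttpException("Negotiate handshake incomplete: no response token on 200 OK");
        }
        try {
            // Assumed: the scheme feeds this token into its GSSContext (the IN_PROGRESS case).
            scheme.processChallenge(token);
        } catch (final MalformedChallengeException ex) {
            throw new HttpException("Malformed Negotiate response token", ex);
        }
        if (!scheme.isComplete()) {
            throw new HttpException("Negotiate handshake incomplete: server not mutually authenticated");
        }
    }
}
```

Register it with HttpClientBuilder#addInterceptorFirst; the HttpException surfaces to the caller as a ClientProtocolException, so the body of a response whose server token did not verify is never handed to application code.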

