On Mon, 2015-04-06 at 22:15 +0200, Michael Osipov wrote:
> On 2015-04-06 at 18:12, Oleg Kalnichevski wrote:
> > On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
> >> Hi folks,
> >>
> >> I have finally started coding of that issue. While I was able to write a working prototype within an hour authenticating against Apache Tomcat and Apache Web Server, an issue arose I am not really clear about:
> >>
> >> Is a credentials provider always necessary for a target host?
> >
> > Yes, it is.
>
> Thanks, that did the trick!
>
> >> In other words, do I always need something like this:
> >> CredentialsProvider p = new BasicCredentialsProvider();
> >> p.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("mumu:mumu"));
> >> builder.setDefaultCredentialsProvider(p);
> >>
> >> Although the credential is by default obtained at runtime?
> >> I have noticed that authentication is not executed if no cred provider is set and the logs are not very chatty about that.
> >>
> >
> > This whole concept of the auth APIs goes back to the days of HC 2.0 and it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were primarily designed to work well with standard auth schemes like BASIC and DIGEST and similar password based auth schemes. Things like Kerberos and native Windows auth were not properly factored in at that point of time. We can think of a better abstraction for HC 5, but for now we will have to live with what we have.
>
> I'll keep that in mind.
>
> While I have gained some progress now, the client is not behaving the way I expect it to. The AuthScheme impl is called, sends the first token which is accepted by the server and the response token is sent. That is, unfortunately, completely ignored. The HttpAuthenticator says "Authentication succeeded" and ignores #isConnectionBased and #isCompleted.
> Here is a wire log:
>
> Requesting: http://server.company.net:8080/manager/html
> [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
> [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
> [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
> [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {}->http://server.company.net:8080
> [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to server.company.net/1.2.3.4:8080
> [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 2.3.4.5:44647<->1.2.3.4:8080
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Length: 974
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive indefinitely
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Authentication required
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - server.company.net:8080 requested authentication
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, Digest, Basic]
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
> [main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Basic authentication scheme not available
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected authentication options: [NEGOTIATE]
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: CHALLENGED
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating response to an authentication challenge using Negotiate scheme
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for target host with SPN 'h...@server.company.net' created
> [main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context establishment is in progress
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: server.company.net:8080
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
> [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: Negotiate YIIYwwYGKwY...
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: Apache-Coyote/1.1
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: private
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00 CET
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate oYHtMIHqoAM...

Oh, Holy Mother. WWW-Authenticate in a 200 response? Really?

> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie: JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: text/html;charset=utf-8
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Transfer-Encoding: chunked
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Encoding: gzip
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary: Accept-Encoding
> [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06 Apr 2015 19:43:27 GMT
> [main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Authentication succeeded
> [main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61", version:0, domain:server.company.net, path:/manager, expiry:null]
> [...response body...]
> [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
> [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
> [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
> [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {}->http://server.company.net:8080][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
>
> My IN_PROGRESS case is never triggered and the response token is not read by #parseChallenge.
>
> While I do not intend to debug all necessary auth code, I highly suspect that the client does not call the AuthScheme impl just because the server responds with 200 OK along with the token.
>
> Edit: I did a quick hack to AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK too and it did continue auth and completed the context, but the response is completely discarded and another request is issued.
>
> Any ideas?
>

I see no way around adding something hideous like that to HttpAuthenticator#isAuthenticationRequested:

---
// Hand the Negotiate header of a non-challenge response (here a 200 OK)
// back to the SPNEGO scheme so it can process the server's final token.
if (authState.getAuthScheme() instanceof SPNegoScheme) {
    final SPNegoScheme spNegoScheme = (SPNegoScheme) authState.getAuthScheme();
    final Header header = response.getFirstHeader(
            spNegoScheme.isProxy() ? AUTH.PROXY_AUTH : AUTH.WWW_AUTH);
    if (header != null) {
        try {
            spNegoScheme.processChallenge(header);
        } catch (MalformedChallengeException ignore) {
            // a token the scheme cannot parse is treated as no token
        }
    }
}
---

Oleg
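To make the condition in that wire log mechanically checkable, here is an added example (not part of this thread or of HttpClient itself) that parses the org.apache.http.headers lines and flags any response that is not a 401 challenge yet still carries a Negotiate token, i.e. the server's final token that the client has to feed into its auth scheme rather than drop. The log excerpt it runs on is constructed from the exchange above, with the truncated tokens from that log standing in for real ones.

```python
import re

# Constructed excerpt in the HttpClient 4.x wire-log format quoted in the thread
# (the tokens are the truncated values from that log, not real GSS tokens).
SAMPLE_LOG = """\
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: server.company.net:8080
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
[main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization: Negotiate YIIYwwYGKwY...
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
[main] DEBUG org.apache.http.headers - http-outgoing-0 << WWW-Authenticate: Negotiate oYHtMIHqoAM...
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
"""

# Header-logger lines: connection id, direction (>> request, << response), payload.
LINE_RE = re.compile(r"org\.apache\.http\.headers - (\S+) (<<|>>) (.*)$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3}) ")


def audit_negotiate(log_text):
    """One dict per response: status, Negotiate token (if any) and a verdict."""
    responses, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, direction, payload = m.groups()
        if direction == ">>":
            current = None  # a new request begins; the previous response is done
            continue
        s = STATUS_RE.match(payload)
        if s:
            current = {"conn": conn, "status": int(s.group(1)), "token": None}
            responses.append(current)
        elif current is not None and payload.lower().startswith("www-authenticate:"):
            parts = payload.split(":", 1)[1].split(None, 1)
            if parts and parts[0].lower() == "negotiate":
                current["token"] = parts[1].strip() if len(parts) > 1 else ""
    for r in responses:
        if r["token"] is None:
            r["verdict"] = "no Negotiate header"
        elif r["status"] == 401:
            r["verdict"] = "challenge"
        else:
            # Token on a non-401 (here 200) response: it is the server's final
            # GSS token, so the client must hand it to its AuthScheme, not drop it.
            r["verdict"] = "final token in %d response; must be processed" % r["status"]
    return responses
```

Running it over the excerpt reports the 401 as a plain challenge and the 200 OK as carrying a final token that a client behaving like the log above would silently discard.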