On 22 July 2014 17:19, Felix Schumacher <[email protected]> wrote: > > > On 22. Juli 2014 16:50:20 MESZ, sebb <[email protected]> wrote: >>On 18 July 2014 21:06, <[email protected]> wrote: >>> Author: pmouawad >>> Date: Fri Jul 18 20:05:59 2014 >>> New Revision: 1611785 >>> >>> URL: http://svn.apache.org/r1611785 >>> Log: >>> Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add >>port to SPN when server port is neither 80 nor 443 >>> Add a jmeter property to control behaviour. >>> By default strip port. >> >>-1. >> >>As far as I can tell, the patch changes the default behaviour. >>The default should be changed, e.g. by setting STRIP_PORT to false by >>default. > > The default was (and should be) to strip ports. I have tested spnego with > default option and it worked.
No, the default was to strip 80 and 443, not all ports. Whether the default should be changed is a separate issue. > Why do you think the default behavior was changed by this commit? Originally, the code used boolean stripPort = (url.getPort() == HTTPConstants.DEFAULT_HTTP_ PORT || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); Now it effectively uses boolean stripPort = STRIP_PORT || (url.getPort() == HTTPConstants.DEFAULT_HTTP_ PORT || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); Since STRIP_PORT == true by default, this means the stripPort is always true by default - it is not affected by the actual port that is used. So the default is now to strip ports. However, that is a change from the original code. > Regards > Felix >> >>> Bugzilla Id: 56701 >>> >>> Modified: >>> jmeter/trunk/bin/jmeter.properties >>> >>jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>> jmeter/trunk/xdocs/changes.xml >>> jmeter/trunk/xdocs/usermanual/component_reference.xml >>> >>> Modified: jmeter/trunk/bin/jmeter.properties >>> URL: >>http://svn.apache.org/viewvc/jmeter/trunk/bin/jmeter.properties?rev=1611785&r1=1611784&r2=1611785&view=diff >>> >>============================================================================== >>> --- jmeter/trunk/bin/jmeter.properties (original) >>> +++ jmeter/trunk/bin/jmeter.properties Fri Jul 18 20:05:59 2014 >>> @@ -337,7 +337,11 @@ log_level.jorphan=INFO >>> >>> # AuthManager Kerberos configuration >>> # Name of application module used in jaas.conf >>> -#kerberos_jaas_application=JMeter >>> +#kerberos_jaas_application=JMeter >>> + >>> +# Should ports be stripped from urls before constructing SPNs >>> +# for spnego authentication >>> +#kerberos.spnego.strip_port=true >>> >>> # Sample logging levels for Commons HttpClient >>> # >>> @@ -962,8 +966,8 @@ beanshell.server.file=../extras/startup. >>> #jsyntaxtextarea.maxundos=50 >>> >>> # Maximum size of HTML page that can be displayed; default=200 * >>1024 >>> -# Set to 0 to disable the size check >>> -#view.results.tree.max_size=0 >>> +# Set to 0 to disable the size check and display the whole response >>> +#view.results.tree.max_size=204800 >>> >>> # Order of Renderers in View Results Tree >>> # Note full class names should be used for non jmeter core renderers >>> >>> Modified: >>jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>> URL: >>http://svn.apache.org/viewvc/jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java?rev=1611785&r1=1611784&r2=1611785&view=diff >>> >>============================================================================== >>> --- >>jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>(original) >>> +++ >>jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java >>Fri Jul 18 20:05:59 2014 >>> @@ -96,6 +96,9 @@ public class AuthManager extends ConfigT >>> >>> private static final boolean DEFAULT_CLEAR_VALUE = false; >>> >>> + /** Decides whether port should be omitted from SPN for kerberos >>spnego authentication */ >>> + private static final boolean STRIP_PORT = >>JMeterUtils.getPropDefault("kerberos.spnego.strip_port", true); >>> + >>> public enum Mechanism { >>> BASIC_DIGEST, KERBEROS; >>> } >>> @@ -392,8 +395,7 @@ public class AuthManager extends ConfigT >>> log.debug(username + " > D="+domain+" R="+realm + " >>M="+auth.getMechanism()); >>> } >>> if (Mechanism.KERBEROS.equals(auth.getMechanism())) { >>> - boolean stripPort = (url.getPort() == >>HTTPConstants.DEFAULT_HTTP_PORT || url.getPort() == >>HTTPConstants.DEFAULT_HTTPS_PORT); >>> - ((AbstractHttpClient) >>client).getAuthSchemes().register(AuthPolicy.SPNEGO, new >>SPNegoSchemeFactory(stripPort)); >>> + ((AbstractHttpClient) >>client).getAuthSchemes().register(AuthPolicy.SPNEGO, new >>SPNegoSchemeFactory(isStripPort(url))); >>> credentialsProvider.setCredentials(new >>AuthScope(null, -1, null), USE_JAAS_CREDENTIALS); >>> } else { >>> credentialsProvider.setCredentials( >>> @@ -403,6 +405,24 @@ public class AuthManager extends ConfigT >>> } >>> } >>> >>> + /** >>> + * IE and Firefox will always strip port from the url before >>constructing >>> + * the SPN. Chrome has an option >>(<code>--enable-auth-negotiate-port</code>) >>> + * to include the port if it differs from <code>80</code> or >>> + * <code>443</code>. That behavior can be changed by setting the >>jmeter >>> + * property <code>kerberos.spnego.strip_port</code>. >>> + * >>> + * @param url to be checked >>> + * @return <code>true</code> when port should omitted in SPN >>> + */ >>> + private boolean isStripPort(URL url) { >>> + if (STRIP_PORT) { >>> + return true; >>> + } >>> + return (url.getPort() == HTTPConstants.DEFAULT_HTTP_PORT || >>> + url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT); >>> + } >>> + >>> /** {@inheritDoc} */ >>> @Override >>> public void testStarted() { >>> >>> Modified: jmeter/trunk/xdocs/changes.xml >>> URL: >>http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1611785&r1=1611784&r2=1611785&view=diff >>> >>============================================================================== >>> --- jmeter/trunk/xdocs/changes.xml (original) >>> +++ jmeter/trunk/xdocs/changes.xml Fri Jul 18 20:05:59 2014 >>> @@ -213,7 +213,7 @@ A workaround is to use a Java 7 update 4 >>> <h3>Timers, Assertions, Config, Pre- & Post-Processors</h3> >>> <ul> >>> <li><bugzilla>56691</bugzilla> - Synchronizing Timer : Add timeout >>on waiting</li> >>> -<li><bugzilla>56701</bugzilla> - HTTP Authorization Manager/ >>Kerberos Authentication: add port to SPN when server port is neither 80 >>nor 443</li> >>> +<li><bugzilla>56701</bugzilla> - HTTP Authorization Manager/ >>Kerberos Authentication: add port to SPN when server port is neither 80 >>nor 443. Based on patches from Dan Haughey (dan.haughey at >>swinton.co.uk) and Felix Schumacher (felix.schumacher at >>internetallee.de)</li> >>> </ul> >>> >>> <h3>Functions</h3> >>> @@ -253,6 +253,8 @@ A workaround is to use a Java 7 update 4 >>> <li>Nicola Ambrosetti (ambrosetti.nicola at gmail.com)</li> >>> <li><a href="http://ubikloadpack.com";>Ubik Load Pack >>support</a></li> >>> <li>Mikhail Epikhin (epihin-m at yandex.ru)</li> >>> +<li>Dan Haughey (dan.haughey at swinton.co.uk)</li> >>> +<li>Felix Schumacher (felix.schumacher at internetallee.de)</li> >>> </ul> >>> >>> <br/> >>> >>> Modified: jmeter/trunk/xdocs/usermanual/component_reference.xml >>> URL: >>http://svn.apache.org/viewvc/jmeter/trunk/xdocs/usermanual/component_reference.xml?rev=1611785&r1=1611784&r2=1611785&view=diff >>> >>============================================================================== >>> --- jmeter/trunk/xdocs/usermanual/component_reference.xml (original) >>> +++ jmeter/trunk/xdocs/usermanual/component_reference.xml Fri Jul 18 >>20:05:59 2014 >>> @@ -3545,6 +3545,18 @@ You can also configure those two propert >>> Look at the two sample configuration files (krb5.conf and jaas.conf) >>located in the jmeter bin folder for references to more documentation, >>and tweak them to match >>> your Kerberos configuration. >>> </p> >>> +<p> >>> +When generating a SPN for Kerberos SPNEGO authentication IE and >>Firefox will omit the port number >>> +from the url. Chrome has an option >>(<code>--enable-auth-negotiate-port</code>) to include the port >>> +number if it differs from the standard ones (<code>80</code> and >><code>443</code>). That behavior >>> +can be emulated by setting the following jmeter property as below. >>> +<pre> >>> +In jmeter.properties or user.properties, set: >>> +<ul> >>> +<li>kerberos.spnego.strip_port=false</li> >>> +</ul> >>> +</pre> >>> +</p> >>> <br></br> >>> <b>Controls:</b> >>> <ul> >>> >>> >
