Re: client-side support for Negotiate authentication scheme

Thu, 28 Aug 2008 06:03:20 -0700 

Hi Stephan
The NegotiateFilter, together with an example client and server is attached to this post. 


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing is 
needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic

authentication on both the client and the server side. The server 
accepts both

SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.


The code has only been tested in a Windows Active Directory 
environment but

should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the

com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader() 


method (see mailing list).


The jaas.conf file and the some constants in ExampleClient.java and 
some system

properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman


Stephan Koops wrote:

Hi Roman,


cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus schrieb:

Hi all


I have been working on a Filter that implements client and server 
side HTTP Negotiate and Basic authentication. The code is based on 
Bruno Harbulot's nice SpnegoFilter.



Everything works fine so far. However to get the client-side 
authentication working I had to change the parseAuthenticateHeader() 
method in the com.noelios.restlet.authentication.AuthenticationUtils 
class a bit.



The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in 
the authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix for this problem?

The diff for my quick fix is attached.

Best regards,
Roman






Attachment:
negotiatefilter_example.tar.gz

Description: GNU Zip compressed data






















					Reply via email to