Hi Malcolm,

I took a look at the code today and found a way to automatically construct the SPN without it being explicitly passed in. Before I submit the patch though, I was hoping you can provide some feedback on the calls to getToken:

    response = getToken(null, null, this.servicePrincipalName != null ? this.servicePrincipalName : username);

    response = getToken(this.sppicontext, continueTokenBuffer, this.servicePrincipalName != null ? this.servicePrincipalName : "localhost");

In the first call, username is used but in the second, localhost is used. Do you know why they're different? The docs state that pszTargetName should point to a SPN or security context of the destination server [1].

Right now, I'm inclined to replace the default values with my calculated HTTP/<hostname> value. Users can always explicitly provide their own default by explicitly creating the appropriate scheme factory. What do you think?

Regards,
kl

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa375509(v=vs.85).aspx

On Thu, Aug 14, 2014 at 10:56 AM, K Fung <[email protected]> wrote:
> Hi Malcolm,
>
> If you take a look at the default WinHttpClient[1], specifically the
> createBuilder() function, you'll see that null is always being
> provided as the principal name. I was hoping there would be a way to
> automatically inject HTTP/<hostname>. I planned to examine how this
> could be made possible :-)
>
> Currently, in our own code, we are creating a specific client
> with a specific auth scheme and specifically filling in the correct
> SPN for the request.
>
> Regards,
> kl
>
> [1]
> https://fisheye6.atlassian.com/browse/httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/client/WinHttpClients.java?r=1602401
>
> On Thu, Aug 14, 2014 at 9:37 AM, Malcolm Smith
> <[email protected]> wrote:
>> Hi Ka-Lok,
>>
>> I'm wondering what you expect the out of the box behaviour to be here? The
>> service principal needs to be specified by the client, so there is no
>> valid default.
>>
>> I submitted the original patch to enable the SPN to be specified, and
>> wrote the SO response you linked to. Are you just looking to provide a
>> simpler way of injecting the SPN into the WindowsNegotiateSchemeFactory?
>> Admittedly it is slightly clunky having to construct an anonymous class,
>> but I couldn't find a simpler way of injecting the SPN into the
>> WindowsNegotiateSchemeFactory.
>>
>> Regards,
>>
>> Malcolm.
>>
>>
>> On 13/08/2014 22:14, "K Fung" <[email protected]> wrote:
>>
>>>Hello,
>>>
>>>If we use WinHttpClients as, HTTP Negotiate authentication won't work
>>>because the ticket being generated always uses 'null' service
>>>principal name (SPN). Can this be filed as a bug?
>>>
>>>According to the informational RFC 4559
>>>(http://www.rfc-editor.org/rfc/rfc4559.txt), the service principal
>>>name (SPN) should be in the following form: HTTP/hostname.
>>>
>>>Of course, we can work around it ourselves if we did something similar
>>>to http://stackoverflow.com/a/22865583 but it would be great if the
>>>sample code works out of the box :-)
>>>
>>>Regards,
>>>kl
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: [email protected]
>>>For additional commands, e-mail: [email protected]
>>>
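As an added example (not HttpClient code and not the patch discussed in this thread), the fallback proposed in the top message using only the JDK: an explicitly configured SPN wins, otherwise HTTP/<hostname> is built from the request URI. The class and method names are hypothetical, and lowercasing the host is an assumption of this example.

```java
import java.net.URI;
import java.util.Locale;

// Added example, not HttpClient code. SpnResolver and its methods are hypothetical names.
public final class SpnResolver {

    // SPN supplied explicitly by the caller, or null to compute one per request.
    private final String configuredSpn;

    public SpnResolver(String configuredSpn) {
        this.configuredSpn = configuredSpn;
    }

    // Same shape as the ternaries in the two getToken calls, but the fallback is
    // HTTP/<hostname> instead of the username or "localhost".
    public String resolve(URI requestUri) {
        return configuredSpn != null ? configuredSpn : computeSpn(requestUri);
    }

    // Builds HTTP/<hostname> from the host exactly as written in the request URI.
    // No DNS lookup is made, so the ticket names the host the caller asked for.
    static String computeSpn(URI requestUri) {
        String host = requestUri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("Request URI has no host: " + requestUri);
        }
        // java.net.URI returns IPv6 literals with their brackets; drop them.
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);
        }
        // The service class is HTTP for both http:// and https:// targets.
        // Lowercasing is this example's choice of a stable form (assumption).
        return "HTTP/" + host.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the host names are placeholders.
        URI withHost = URI.create("https://Intranet.Example.com:8443/app");
        URI opaque = URI.create("mailto:user@example.com"); // no host component

        System.out.println(new SpnResolver(null).resolve(withHost));
        System.out.println(new SpnResolver("HTTP/alias.example.com").resolve(withHost));
        try {
            new SpnResolver(null).resolve(opaque);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```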
