Thanks for getting back to me and tracking down my patch!

Cheers,
kl

On Wed, Aug 27, 2014 at 5:39 AM, Malcolm Smith <[email protected]> wrote:
> Hi Ka-Lok,
>
> Sorry, I missed your mail. I agree. Based on my (fairly limited)
> understanding, for the Kerberos handshake to succeed the SPN must be
> passed into the getToken method call. The original code was contributed by
> Ryan McKinley based on code from the waffle project, so I’m not sure what
> the reasoning behind defaulting to the username in the first scenario was and
> I can’t see using ‘localhost’ ever being correct. The new code you
> contributed looks great, much improved SPN handling. I’ll alter that SO
> answer once 4.4 is out.
>
> Malcolm.
>
>
>
> On 17/08/2014 07:19, "K Fung" <[email protected]> wrote:
>
>>Hi Malcolm,
>>
>>I took a look at the code today and found a way to automatically
>>construct the SPN without it being explicitly passed in. Before I
>>submit the patch though, I was hoping you can provide some feedback on
>>the calls to getToken:
>>
>>response = getToken(null, null, this.servicePrincipalName != null ?
>>this.servicePrincipalName : username);
>>
>>response = getToken(this.sppicontext, continueTokenBuffer,
>>this.servicePrincipalName != null ? this.servicePrincipalName :
>>"localhost");
>>
>>In the first call, username is used but in the second, localhost is
>>used. Do you know why they're different? The docs state that
>>pszTargetName should point to a SPN or security context of the
>>destination server [1].
>>
>>Right now, I'm inclined to replace the default values with my
>>calculated HTTP/<hostname> value. Users can always explicitly provide
>>their own default by explicitly creating the appropriate scheme
>>factory.
>>
>>What do you think?
>>
>>Regards,
>>kl
>>
>>[1]
>>http://msdn.microsoft.com/en-us/library/windows/desktop/aa375509(v=vs.85).aspx
>>
>>On Thu, Aug 14, 2014 at 10:56 AM, K Fung <[email protected]> wrote:
>>> Hi Malcolm,
>>>
>>> If you take a look at the default WinHttpClient[1], specifically the
>>> createBuilder() function, you'll see that null is always being
>>> provided as the principal name. I was hoping there would be a way to
>>> automatically inject HTTP/<hostname>. I planned to examine how this
>>> could be made possible :-)
>>>
>>> Currently, in our own code, we are creating a specific client
>>> with a specific auth scheme and specifically filling in the correct
>>> SPN for the request.
>>>
>>> Regards,
>>> kl
>>>
>>> [1]
>>> https://fisheye6.atlassian.com/browse/httpcomponents/httpclient/trunk/httpclient-win/src/main/java/org/apache/http/impl/client/WinHttpClients.java?r=1602401
>>>
>>> On Thu, Aug 14, 2014 at 9:37 AM, Malcolm Smith
>>> <[email protected]> wrote:
>>>> Hi Ka-Lok,
>>>>
>>>> I'm wondering what you expect the out of the box behaviour to be here?
>>>> The service principal needs to be specified by the client, so there is no
>>>> valid default.
>>>>
>>>> I submitted the original patch to enable the SPN to be specified, and
>>>> wrote the SO response you linked to. Are you just looking to provide a
>>>> simpler way of injecting the SPN into the WindowsNegotiateSchemeFactory?
>>>> Admittedly it is slightly clunky having to construct an anonymous class,
>>>> but I couldn't find a simpler way of injecting the SPN into the
>>>> WindowsNegotiateSchemeFactory.
>>>>
>>>> Regards,
>>>>
>>>> Malcolm.
>>>>
>>>>
>>>> On 13/08/2014 22:14, "K Fung" <[email protected]> wrote:
>>>>
>>>>>Hello,
>>>>>
>>>>>If we use WinHttpClients as, HTTP Negotiate authentication won't work
>>>>>because the ticket being generated always uses 'null' service
>>>>>principal name (SPN). Can this be filed as a bug?
>>>>>
>>>>>According to the informational RFC 4559
>>>>>(http://www.rfc-editor.org/rfc/rfc4559.txt), the service principal
>>>>>name (SPN) should be in the following form: HTTP/hostname.
>>>>>
>>>>>Of course, we can work around it ourselves if we did something similar
>>>>>to http://stackoverflow.com/a/22865583 but it would be great if the
>>>>>sample code works out of the box :-)
>>>>>
>>>>>Regards,
>>>>>kl
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>To unsubscribe, e-mail: [email protected]
>>>>>For additional commands, e-mail: [email protected]
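
The two fallbacks discussed in this thread next to the proposed HTTP/<hostname> default, as an added Java example (not code from HttpClient or from the patch). The class and method names, the sample host and the sample user name are assumptions made for illustration.

```java
import java.net.URI;

public class SpnDefaults {

    // Mirrors the third getToken argument quoted in the thread: the fallback
    // was the user name on the first call and "localhost" on the continuation.
    static String legacyTarget(String explicitSpn, String username, boolean continuation) {
        if (explicitSpn != null) {
            return explicitSpn;
        }
        return continuation ? "localhost" : username;
    }

    // Hypothetical replacement: an explicitly configured SPN still wins,
    // otherwise build HTTP/<hostname> (the RFC 4559 form) from the request target.
    static String derivedTarget(String explicitSpn, URI requestTarget) {
        if (explicitSpn != null) {
            return explicitSpn;
        }
        // getHost() returns the host only: no scheme, user info, port or path.
        String host = requestTarget.getHost();
        if (host == null || host.isEmpty()) {
            // Relative or opaque URIs carry no host; refuse rather than guess.
            throw new IllegalArgumentException("no host in request target: " + requestTarget);
        }
        return "HTTP/" + host;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        URI target = URI.create("https://intranet.example.com:8443/app");
        String username = "alice";

        for (boolean continuation : new boolean[] {false, true}) {
            System.out.printf("%-12s legacy=%-10s derived=%s%n",
                    continuation ? "continuation" : "initial",
                    legacyTarget(null, username, continuation),
                    derivedTarget(null, target));
        }
        // An SPN supplied by the caller overrides both fallbacks.
        System.out.println(derivedTarget("HTTP/proxy.example.com", target));

        try {
            derivedTarget(null, URI.create("/relative/path"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With no explicit SPN, the legacy fallback names a different target on each leg of the same handshake, while the derived value is identical on both and depends only on the host the caller chose to contact.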
