[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687520920
##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
}
@Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {
Review comment:
Exactly, preemptive is forbidden/does not exist. Make it false/remove it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687092579
##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
}
@Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {
Review comment:
I have just read RFC 5246 and RFC 8466 and there is no single definition
of a preemptive Client Cert auth. So the server has to send
`CertificateRequest` first. Since HTTP authz checks come after TLS, I fail to
understand the previous code. Maybe @markt-asf can enlighted us.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686570618
##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
}
@Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {
Review comment:
I wonder whether TLS allows preemptive auth at all.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686228585
##
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
return HttpServletRequest.BASIC_AUTH;
}
+@Override
+protected boolean isPreemptiveAuthRequest(Request request) {
+return
request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
Review comment:
I prefer the latter.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686188244
##
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
return HttpServletRequest.BASIC_AUTH;
}
+@Override
+protected boolean isPreemptiveAuthRequest(Request request) {
+return
request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
Review comment:
I don't consider this to be preemptive authentication. It says nothing
that the use has not been challenged.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
