subject:"\[GitHub\] \[tomcat\] rrodewald commented on a change in pull request #444\: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators"

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox



rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687513716



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
   RFC 8466 is relatively clear about client certs sent to the server:
   ```
   4.4.2.  Certificate
   [...]
   
  The client MUST send a Certificate message if and only if the server
  has requested client authentication via a CertificateRequest message
  (Section 4.3.2).
   ```
   So while it may be technically possible to start by sending client 
certificates it is definitely not supported by the spec. I would opt for 
deactivation of this "feature".




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-11 Thread GitBox



rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687058556



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
   I'm not sure either. Browsers definitely want a challenge first. I just 
tried to mimic the current behaviour as close as possible - the code is 
unchanged from what was in `AuthenticatorBase` before.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-10 Thread GitBox



rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686294855



##
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
 return HttpServletRequest.BASIC_AUTH;
 }
 
+@Override
+protected boolean isPreemptiveAuthRequest(Request request) {
+return 
request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
   Renamed method `isPreemptiveAuthRequest()` to 
`isPreemptiveAuthPossible()`




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-10 Thread GitBox



rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686206255



##
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
 return HttpServletRequest.BASIC_AUTH;
 }
 
+@Override
+protected boolean isPreemptiveAuthRequest(Request request) {
+return 
request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
   It's the way that this method is called from `AuthenticatorBase` that 
makes it a question for preemptive. The call is combined with a check of 
`Context.getPreemptiveAuthentication()` there. Any suggestion for a better 
name? How about `checkPreemptiveAuthRequirements()` or 
`isPreemptiveAuthPossible()`?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-10 Thread GitBox



rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686206255



##
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
 return HttpServletRequest.BASIC_AUTH;
 }
 
+@Override
+protected boolean isPreemptiveAuthRequest(Request request) {
+return 
request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
   It's the way that this method is called from `AuthenticatorBase` that 
makes it a question for preemptive. The call is combined with a check of 
`Context.getPreemptiveAuthentication()` there. Any suggestion for a better 
name? How about `checkPreemptiveAuthRequirements()`?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

5 matches

Site Navigation

Mail list logo

Footer information