Re: client-side support for Negotiate authentication scheme
Hi Roman,

Roman Geus wrote:
> Hello Bruno
>
> I'm sorry about not paying more attention to the licensing issues. I meant no harm and I am certainly not trying to take credit for your work.
>
> Just to explain: the code I posted is not a quick rip-off of your filter. I put a considerable amount of time into rewriting, refactoring and adding new functionality. It was my understanding that NegotiateFilter would not fall into the category of "redistribution" or "modification" of your SpnegoFilter and thus not violate the copyright. However I'm not experienced in these legal matters.

Don't worry, I'm not upset, it's nice of you to have acknowledged my work and I do realise you've done some substantial work on this too. It's some code that I've planned to contribute to Restlet anyway at some point, so it's not a major issue, but I have signed the Restlet JCA; I'm not sure you have.

I'm not a legal expert either, but I think it would have been in your interest to send your code with a licence (pending JCA integration), since many people might assume that what is made public is in the public domain (although I don't think it legally is -- it's probably the opposite, but a licence would clarify things). This is in fact why I put this licence on my code in the first place (also because the copyright is actually held by my employer), not because I didn't want it in the Restlet code.

My understanding of the (BSD) licence I've used is that putting it at the bottom of the README file saying something like "some of this code was based on code distributed with this licence: ..." would have been sufficient. As the (representative of the) copyright holder, this is something that only I (or another representative) can waive when contributing through the Restlet JCA, which I'm happy to do in this instance.

Cheers,
Bruno.
Re: client-side support for Negotiate authentication scheme
Hello Bruno

I'm sorry about not paying more attention to the licensing issues. I meant no harm and I am certainly not trying to take credit for your work.

Just to explain: the code I posted is not a quick rip-off of your filter. I put a considerable amount of time into rewriting, refactoring and adding new functionality. It was my understanding that NegotiateFilter would not fall into the category of "redistribution" or "modification" of your SpnegoFilter and thus not violate the copyright. However I'm not experienced in these legal matters.

I would like to thank you again for sharing your code. Without it, it would have taken me a much longer time to get Negotiate authentication working.

Regards,
Roman
Re: client-side support for Negotiate authentication scheme
Hi Roman,

When you take someone else's code and modify it, you might want to look at the beginning of the file (or the licence file), especially when you post a file to a public mailing list and thus have no chance of being able to amend it once archived:

Copyright (c) 2008, The University of Manchester, United Kingdom.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the The University of Manchester nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This being said, I'm glad you found it useful. In principle, I'm in favour of including it into the Restlet code.
However, the reason I published it separately in the first place was because it was a small prototype and I felt this feature should be part of a wider rethink of the Guard-related classes. This is an objective that Jerome set for Restlet 1.2, so let's wait for 1.1 final first, although of course we can already start to talk about it and experiment with new features.

Cheers,
Bruno.
[RFC] WadlResource, get a param value according to the description
Hi,

Here is what I added to my WadlResource subclass (and the super class of all my resources): [see below]. I think it would be nice (in a future version) to have a similar method directly available in WadlResource.

For now, this code just fulfills my needs:
- it does not handle multi-valued param (but can be easily added: split into a getFirstParam and a getParam methods)
- it does not handle the "plain" type (which requires more complex code for the xpath stuff)
- it does not handle the conversion to the correct type (as declared by the "type" attribute) (add a "Converter" object in the method signature?)
- it does not handle the "required" attribute (we could add a WadlRequiredException in the extension or something like that)
- it does not handle the "header" type because I don't need it ;-) and because I don't know if there is an abstract layer to reach the HTTP headers without creating a strong dependency with another extension (like ServerServlet, or another).

Despite all that, now I can just call:
getParam(getRequestInfo(), "service");

Any comments are welcome (and anyone can reuse this code :-).

--- snip ---
    // Look up a parameter by name in the WADL description of the request.
    protected String getParam(RequestInfo requestInfo, String parameterName) {
        List<ParameterInfo> parameters = requestInfo.getParameters();
        for (ParameterInfo parameter : parameters) {
            if (parameterName.equals(parameter.getName())) {
                return getParam(parameter);
            }
        }
        return null;
    }

    // Resolve the value according to the declared style; a fixed value wins,
    // and the declared default is used when the request carries no value.
    protected String getParam(ParameterInfo parameterInfo) {
        if (parameterInfo.getFixed() != null) {
            return parameterInfo.getFixed();
        }
        String value = null;
        if (ParameterStyle.HEADER.equals(parameterInfo.getStyle())) {
            // not yet implemented
        } else if (ParameterStyle.TEMPLATE.equals(parameterInfo.getStyle())) {
            Object parameter = getRequest().getAttributes().get(parameterInfo.getName());
            value = (parameter == null) ? null : Reference.decode((String) parameter);
        } else if (ParameterStyle.MATRIX.equals(parameterInfo.getStyle())) {
            Parameter parameter = getMatrix().getFirst(parameterInfo.getName());
            value = (parameter == null) ? null : parameter.getValue();
        } else if (ParameterStyle.QUERY.equals(parameterInfo.getStyle())) {
            Parameter parameter = getQuery().getFirst(parameterInfo.getName());
            value = (parameter == null) ? null : parameter.getValue();
        } else if (ParameterStyle.PLAIN.equals(parameterInfo.getStyle())) {
            // not yet implemented
        }
        if (value == null) {
            value = parameterInfo.getDefaultValue();
        }
        return value;
    }
--- snip ---

--
Vincent Ricard
Re: client-side support for Negotiate authentication scheme
Hi Roman,

nice for the code. Because I only change the code of the JAX-RS extension, this is a job for Jerome or Thierry. I hope they will include it.

best regards
Stephan
Re: client-side support for Negotiate authentication scheme
Hi Stephan

The NegotiateFilter, together with an example client and server is attached to this post. You are free to add this code to the Restlet codebase if you find it useful. Since I borrowed some ideas and code from Bruno Harbulot's SpnegoFilter, he should be consulted as well. Also IMHO more testing is needed.

The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic authentication on both the client and the server side. The server accepts both SPNEGO and Kerberos v5 GSSAPI tokens. It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader() method (see mailing list).

The jaas.conf file, some constants in ExampleClient.java and some system properties contain site-specific information and need to be adjusted. Also a working keytab file and krb5.conf file (or similar) are needed. See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman

Stephan Koops wrote:
> Hi Roman,
>
> cool. Could you share the full filter class(es?) to be added to the Restlet API?
>
> best regards
> Stephan
>
> Roman Geus wrote:
>> Hi all
>>
>> I have been working on a Filter that implements client and server side HTTP Negotiate and Basic authentication. The code is based on Bruno Harbulot's nice SpnegoFilter. Everything works fine so far.
>>
>> However to get the client-side authentication working I had to change the parseAuthenticateHeader() method in the com.noelios.restlet.authentication.AuthenticationUtils class a bit. The original implementation (version 1.1rc1) fails to locate the correct AuthenticationHelper, if the realm parameter is missing in the authenticate header, as e.g. for the Negotiate scheme.
>>
>> Would it be possible to fix this problem? The diff for my quick fix is attached.
>>
>> Best regards,
>> Roman

negotiatefilter_example.tar.gz
Description: GNU Zip compressed data
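
The failure reported in the thread above (a Negotiate challenge carries no realm parameter) comes down to how the WWW-Authenticate value is parsed. The following is an added example, not code from the thread, the attached diff or Restlet: a parser that identifies each challenge by its scheme and treats realm as optional. It goes beyond the case discussed by also splitting several challenges sent in one header. ChallengeParser and Challenge are hypothetical names, and parameter values are assumed to contain no backslash-escaped quotes.

```java
import java.util.*;
import java.util.regex.*;

// Added example (Java 16+). ChallengeParser and Challenge are hypothetical names, not Restlet classes.
public class ChallengeParser {
    /** One challenge: scheme, optional token68 (e.g. a GSS-API token), optional parameters. */
    record Challenge(String scheme, String token68, Map<String, String> params) {}

    private static final Pattern TOKEN68 = Pattern.compile("[A-Za-z0-9\\-._~+/]+=*");
    // name=value or name="value"; assumes no backslash-escaped quotes inside values.
    private static final Pattern PARAM =
            Pattern.compile("([^\\s=\",]+)\\s*=\\s*(?:\"([^\"]*)\"|([^\\s\",]+))");
    // Commas outside quoted strings separate challenges and parameters.
    private static final Pattern COMMA = Pattern.compile(",(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)");

    static List<Challenge> parse(String header) {
        List<Challenge> out = new ArrayList<>();
        Map<String, String> current = null;
        for (String raw : COMMA.split(header)) {
            String piece = raw.trim();
            if (piece.isEmpty()) continue;
            Matcher p = PARAM.matcher(piece);
            if (p.matches()) {                        // parameter of the preceding challenge
                if (current != null) current.put(key(p), value(p));
                continue;                             // a stray leading parameter is ignored
            }
            String[] parts = piece.split("\\s+", 2);  // scheme [token68 | first parameter]
            current = new LinkedHashMap<>();
            String token68 = null;
            if (parts.length == 2) {
                Matcher first = PARAM.matcher(parts[1]);
                if (TOKEN68.matcher(parts[1]).matches()) token68 = parts[1];
                else if (first.matches()) current.put(key(first), value(first));
            }
            out.add(new Challenge(parts[0], token68, current));
        }
        return out;
    }

    private static String key(Matcher m) { return m.group(1).toLowerCase(Locale.ROOT); }
    private static String value(Matcher m) { return m.group(2) != null ? m.group(2) : m.group(3); }

    public static void main(String[] args) {
        // Constructed sample headers; the token is a placeholder, not a real GSS-API token.
        for (String h : List.of("Negotiate", "Negotiate YIIplaceholder==",
                "Negotiate, Basic realm=\"example\", charset=\"UTF-8\"")) {
            for (Challenge c : parse(h)) {            // realm may legitimately be null
                System.out.println(c.scheme() + " token68=" + c.token68() + " realm=" + c.params().get("realm"));
            }
        }
    }
}
```

A client built on this would choose its authentication helper from `scheme()` alone and only consult `params()` for schemes that define a realm, such as Basic.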