Details
- Bug
- Status: Resolved
- Major
- Resolution: Won't Fix
- 4.5.7
- None
- Windows 10, JDK 8 u191
Description
I don't understand much of Kerberos/SPNego and how it's implemented, but something seems to be off.
It's about this method from org.apache.http.impl.auth.GGSSchemeBase:
    @Override
    protected void parseChallenge(
            final CharArrayBuffer buffer,
            final int beginIndex, final int endIndex) throws MalformedChallengeException {
        final String challenge = buffer.substringTrimmed(beginIndex, endIndex);
        if (log.isDebugEnabled()) {
            log.debug("Received challenge '" + challenge + "' from the auth server");
        }
        if (state == State.UNINITIATED) {
            token = Base64.decodeBase64(challenge.getBytes());
            state = State.CHALLENGE_RECEIVED;
        } else {
            log.debug("Authentication already attempted");
            state = State.FAILED;
        }
    }
In my case, it's first called for "Negotiate" (without a value) so that challenge is an empty string, resulting in an empty token.
After that, the method is called a second time for "Negotiate <someBase64String>" but since the state is no longer UNINITIATED, the authentication fails.
Comparing this to the implementation of org.apache.http.impl.auth.win.WindowsNegotiateScheme:
    @Override
    protected void parseChallenge(
            final CharArrayBuffer buffer,
            final int beginIndex,
            final int endIndex) throws MalformedChallengeException {
        this.challenge = buffer.substringTrimmed(beginIndex, endIndex);
        if (this.challenge.isEmpty()) {
            if (clientCred != null) {
                dispose(); // run cleanup first before throwing an exception otherwise can leak OS resources
                if (continueNeeded) {
                    throw new RuntimeException("Unexpected token");
                }
            }
        }
    }
Here, the case described above is handled correctly; an empty challenge isn't processed.
Unfortunately, I can't use WindowsNegotiateScheme as I need to use a keytab file and specify my own user, and I prefer a platform-independent solution anyways.
Is the first implementation buggy or am I doing something wrong? Is there a way to work around this?
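The call sequence described in this report, replayed against a stand-alone model of the quoted state check (an added example, not HttpClient code and not a change the project adopted). The class names, the `replay` helper and the sample token are hypothetical and constructed for illustration; the second class only mirrors the reporter's description that an empty challenge isn't processed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration: a stand-alone model of the state handling quoted above.
// It uses no HttpClient classes; every name here is hypothetical.
public class NegotiateChallengeDemo {
    enum State { UNINITIATED, CHALLENGE_RECEIVED, FAILED }

    // Mirrors the quoted GGSSchemeBase check: the first call, whatever its content, uses up UNINITIATED.
    static class StrictScheme {
        State state = State.UNINITIATED;
        byte[] token;

        void parseChallenge(String challenge) {
            if (state == State.UNINITIATED) {
                token = Base64.getDecoder().decode(challenge); // "" decodes to an empty token
                state = State.CHALLENGE_RECEIVED;
            } else {
                state = State.FAILED; // "Authentication already attempted"
            }
        }
    }

    // Variant that leaves an empty challenge unprocessed, as the report describes for WindowsNegotiateScheme.
    static class EmptyTolerantScheme extends StrictScheme {
        @Override
        void parseChallenge(String challenge) {
            if (challenge.isEmpty()) {
                return; // bare "Negotiate": state stays UNINITIATED
            }
            super.parseChallenge(challenge);
        }
    }

    // Feeds the value part of each Negotiate challenge in order and returns the final state.
    static State replay(StrictScheme scheme, String... challenges) {
        for (String c : challenges) {
            scheme.parseChallenge(c.trim());
        }
        return scheme.state;
    }

    public static void main(String[] args) {
        // Constructed sample: a bare "Negotiate" followed by "Negotiate <base64>".
        String sampleToken = Base64.getEncoder().encodeToString("constructed-token".getBytes(StandardCharsets.UTF_8));
        System.out.println("strict:   " + replay(new StrictScheme(), "", sampleToken));
        System.out.println("tolerant: " + replay(new EmptyTolerantScheme(), "", sampleToken));
    }
}
```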
Issue Links
- relates to
  - HTTPCLIENT-1625 Completely overhaul GSS-API-based authentication backend (Resolved)