Uploaded image for project: 'Axis2-C'
  1. Axis2-C
  2. AXIS2C-1370

Axis should support libcurl's other auth types (not just basic)

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Component/s: transport/http
    • Labels:

      Description

      Looking over axis2_libcurl_set_auth_options() I see it only allows basic auth.

      if (auth_type &&
      0 == axutil_strcmp(auth_type, AXIS2_HTTP_AUTH_TYPE_BASIC))

      { curl_easy_setopt(handler, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); }

      else

      { /* Uses anonymous connection.*/ }

      If new schemes can be enabled as easily as mapping Axis options to Libcurl, this would appear to be an easy fix. Other supported values to be mapped include:

      CURLAUTH_BASIC

      HTTP Basic authentication. This is the default choice, and the only method that is in wide-spread use and supported virtually everywhere. This is sending the user name and password over the network in plain text, easily captured by others.

      CURLAUTH_DIGEST

      HTTP Digest authentication. Digest authentication is defined in RFC2617 and is a more secure way to do authentication over public networks than the regular old-fashioned Basic method.

      CURLAUTH_GSSNEGOTIATE

      HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain "Negotiate") method was designed by Microsoft and is used in their web applications. It is primarily meant as a support for Kerberos5 authentication but may be also used along with another authentication methods. For more information see IETF draft draft-brezak-spnego-http-04.txt.

      You need to build libcurl with a suitable GSS-API library for this to work.

      CURLAUTH_NTLM

      HTTP NTLM authentication. A proprietary protocol invented and used by Microsoft. It uses a challenge-response and hash concept similar to Digest, to prevent the password from being eavesdropped.

      You need to build libcurl with OpenSSL support for this option to work, or build libcurl on Windows.

      CURLAUTH_ANY

      This is a convenience macro that sets all bits and thus makes libcurl pick any it finds suitable. libcurl will automatically select the one it finds most secure.

      CURLAUTH_ANYSAFE

      This is a convenience macro that sets all bits except Basic and thus makes libcurl pick any it finds suitable. libcurl will automatically select the one it finds most secure.

        Attachments

        1. axis2_libcurl.c.diff
          6 kB
          Incarnadine
        2. axis2c_libcurl_auth_v3.patch
          11 kB
          Alex Mantaut
        3. axis2c_libcurl_auth.patch
          10 kB
          Alex Mantaut
        4. axis2c-1370.diff
          18 kB
          Incarnadine
        5. options.c.diff
          4 kB
          Incarnadine

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                aaron.oneal Incarnadine
              • Votes:
                2 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Time Tracking

                  Estimated:
                  Original Estimate - 2h
                  2h
                  Remaining:
                  Remaining Estimate - 2h
                  2h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified