Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Snapshot
    • Fix Version/s: 4.1 Alpha1
    • Component/s: HttpAuth
    • Labels:
      None
    • Environment:
      Operating System: All
      Platform: All

      Description

      Consider integrating the SPNEGO auth scheme from Commons HttpClient contrib package into HttpClient 4.0

      1. submitclient.tar.gz
        7 kB
        Pankaj
      2. SPNEGO.patch
        105 kB
        Matthew Stevenson
      3. SPNEGO_cropped.png
        49 kB
        Matthew Stevenson
      4. KerberosHttpClient.zip
        7 kB
        Matthew Stevenson
      5. httpclient4kerb20090710.zip
        82 kB
        Matthew Stevenson
      6. ExUpdateAndMinorFixes.patch
        4 kB
        Matthew Stevenson
      7. ASF.LICENSE.NOT.GRANTED--run.sh
        0.3 kB
        Mikael Wikström
      8. ASF.LICENSE.NOT.GRANTED--NegotiateScheme.java
        10 kB
        Mikael Wikström
      9. ASF.LICENSE.NOT.GRANTED--NegotiateScheme.java
        10 kB
        Mikael Wikström
      10. ASF.LICENSE.NOT.GRANTED--CustomAuthenticationNegotiateExample.java
        3 kB
        Mikael Wikström
      11. ASF.LICENSE.NOT.GRANTED--CustomAuthenticationNegotiateExample.java
        4 kB
        Mikael Wikström
      12. ASF.LICENSE.NOT.GRANTED--bcsLogin.conf
        0.4 kB
        Mikael Wikström

          Activity

          Oleg Kalnichevski added a comment -

          Use "Create a New Attachment" link

          Mikael Wikström added a comment -

          Created an attachment (id=16862)
          AuthScheme for SPNEGO auth

          Mikael Wikström added a comment -

          Created an attachment (id=16863)
          Client example file for SPNEGO auth

          Mikael Wikström added a comment -

          Created an attachment (id=16864)
          Example file to be used with Client Example in a unix env.

          Mikael Wikström added a comment -

          Created an attachment (id=16865)
          Example file to be used with Client Example in a unix env.

          May be added into doc.

          Mikael Wikström added a comment -

          Created an attachment (id=16866)
          AuthScheme for SPNEGO auth

          Mikael Wikström added a comment -

          Created an attachment (id=16867)
          Client example file for SPNEGO auth

          Oleg Kalnichevski added a comment -

          Mikael,
          Please state whether you agree to have these classes released under ASFv2 license

          Oleg

          Mikael Wikström added a comment -

          Use JAAS credentials to do Negotiate auth. (Useful when dealing with webservices, xml-rpc and axis.)

          References:
          http://www.ietf.org/internet-drafts/draft-jaganathan-kerberos-http-01.txt
          http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-2.asp
          http://www11.informatik.tu-muenchen.de/Java/j2sdkse/guide/security/jgss/tutorials/ClientServer.html

          Mikael Wikström added a comment -

          I wrote this code and I agree to have it released under Apache Software License v2

          http://www.apache.org/licenses/LICENSE-2.0.txt

          Mikael Wikström

          Oleg Kalnichevski added a comment -

          Many thanks, Mikael. Your contribution is really appreciated. I'll review your
          code and commit it to SVN trunk sometime after the 3.0 final release (unless
          someone is interested to take this over from me). I'll also make sure your name
          gets added to the list of contributors on our web site

          Oleg

          Oleg Kalnichevski added a comment -

          Mikael,
          We are ready to start checking in your code into the official SVN repository.
          There's one important issue that needs to be cleared up before we can move on. I
          just realized org.ietf.jgss classes used in your code are Java 1.4 specific.
          This is quite a bit of a problem for us. Do you know if org.ietf.jgss code also
          exists as a standard java extension for older JREs?

          Oleg

          Mikael Wikström added a comment -

          The only implementation of org.ietf.jgss that I know of is unfortunately Sun's
          jre1.4. Worse yet is that 1.4 only has limited support for encryption in its
          krb5 implementation. It's limited to DES-CBC-SHA1 and DES-CBC-CRC. Maybe a few
          more but it's very limited. For a more useful implementation one has to use 1.5
          which has support for DES3.

          / Mikael

          Oleg Kalnichevski added a comment -

          This poses quite a bit of a problem for us, as we have a requirement of Java 1.2
          compatibility for the HttpClient 3.0 codebase. I am going to start a discussion
          on this issue on the httpclient-dev list. You are very welcome to join

          Oleg

          Oleg Kalnichevski added a comment -

          Code checked in to the contrib package of the HttpClient SVN trunk.

          Many thanks, Mikael. Your name has been added to the list of HttpClient
          contributors.

          Please review the SVN content just in case:

          http://svn.apache.org/repos/asf/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/auth/

          Oleg

          Oleg Kalnichevski added a comment -

          Consider migrating this code to HttpComponents to be released as a part of
          Jakarta HttpClient 4.0

          Padraig O hIceadha added a comment -

          I believe Globus has a fairly complete implementation of GSSAPI (see http://www.globus.org/cog/distribution/1.1/api/org/globus/gsi/gssapi/Java_GSI_GSSAPI.html)

          org.ietf.jgss.Oid is not completely implemented.

          The RFC describing the Java GSSAPI bindings could be helpful if the Oid implementation needs improvement (see http://www.ietf.org/internet-drafts/draft-ietf-kitten-rfc2853bis-01.txt)

          As of Globus v 4.0.1 it is licenced under the V2 of the Apache licence (http://www.globus.org/toolkit/legal/4.0/).

          It does use some 3rd party components, I'm not sure if all are Apache licenced

          Pankaj added a comment -

          Using this code I am prompted for username/password. Is there a way to set it programmatically?

          Pankaj added a comment -

          Only way to do this is to use JAAS-API to login and then do a Subject.doAs to do GSS-API (client-server) communication. I have written sample code to do this based on:

          I have also written my CallBackHandler which can be given the username/password and hence there won't be any prompt for username/password.
          Code attached: submitclient.tar.gz

          Pankaj added a comment -

          Code is based on the following tutorial: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/ClientServer.html

          Oleg Kalnichevski added a comment -

          Mikael,

          Would you be interested in helping us port your code to the 4.0 API, so it could be moved from contrib to HttpClient proper?

          Oleg

          Trygve Laugstøl added a comment -

          Is there any hope of getting this into a proper release?

          Oleg Kalnichevski added a comment -

          Not really much, unless someone with a good knowledge of the SPNEGO scheme could give us a helping hand.

          Oleg

          Trygve Laugstøl added a comment -

          I have a working glassfish which supports SPNEGO from [1] and I've tried to get [2] going but that wasn't much good, not yet at least. [2] also has a (seemingly) complete implementation of SPNEGO which could be used.

          How far off is 4.0? Does 4.0 require jdk 1.4?

          [1]: http://dev.taglab.com/sites/taglab-public/support/spnego.html
          [2]: http://spnego.ocean.net.au/

          Oleg Kalnichevski added a comment -

          Trygve,

          HttpClient 4.0 has had four official ALPHAs to this point and is about to go BETA1 (API freeze). Even at this stage it is massively better than HttpClient 3.1. Version 4.0 requires JRE 1.5 or better.

          Take a look at the code written by Mikael Wikström for HttpClient 3.1. I believe it should be in a reasonably good shape.

          Oleg

          Oleg Kalnichevski added a comment -

          Since no one appears interested in working on this one, changing fix version for this issue to FUTURE

          Oleg

          Marko Asplund added a comment -

          I think SPNEGO support would be a very important thing to have in order to be able to talk to Windows based servers. I'm currently trying to integrate a Java based web application with Microsoft Sharepoint server and authentication has proven to be the trickiest part. HttpClient 3.1 only seems to support NTLM v1 which is not enabled by default on Windows servers and administrators don't usually allow using it.

          NTLM authentication works well with HttpClient 4.0 + JCIFS but in many cases SPNEGO / Kerberos would be a much better choice because many Windows server administrators prefer that nowadays and because of features such as credential delegation that are extremely useful in many web applications.

          Oleg Kalnichevski added a comment -

          Marko
          There is currently nobody both capable AND willing to support SPNEGO in HttpClient. It is pretty much pointless to include additional features we are not able to adequately support. I am, for one, pretty happy we are no longer maintaining our own NTLM engine.

          Oleg

          Matthew Stevenson added a comment -

          I just happened to have to get Kerberos and HTTPClient 4 working for a demo.

          Attached is the required code (KerberosHttpClient.zip), it requires JRE >= 1.5.08 (SPNEGO added). It is an update of HTTPClient 3 code contributed by Mikael Wikström. It has been tested on WinXP/JRE1.6.04 against IIS7.

          Regards
          Matt

          Zhiyong Li added a comment -

          I tried to run Matt's example against Jboss (4.2.0 with its SPNEGO support package). However, it does not give me the successful result. The last couple of lines are as follows:

          46670 [main] DEBUG org.apache.http.wire - << "HTTP/1.1 200 OK[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Server: Apache-Coyote/1.1[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Pragma: No-cache[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Cache-Control: no-cache[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Expires: Wed, 31 Dec 1969 19:00:00 EST[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Set-Cookie: JSESSIONID=EB8B50DFCEE15A45E1D6FC1F20303B93; Path=/[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Transfer-Encoding: chunked[EOL]"
          46670 [main] DEBUG org.apache.http.wire - << "Date: Wed, 10 Jun 2009 14:49:52 GMT[EOL]"
          46670 [main] DEBUG org.apache.http.headers - << HTTP/1.1 200 OK
          46670 [main] DEBUG org.apache.http.headers - << Server: Apache-Coyote/1.1
          46670 [main] DEBUG org.apache.http.headers - << Pragma: No-cache
          46670 [main] DEBUG org.apache.http.headers - << Cache-Control: no-cache
          46670 [main] DEBUG org.apache.http.headers - << Expires: Wed, 31 Dec 1969 19:00:00 EST
          46670 [main] DEBUG org.apache.http.headers - << Set-Cookie: JSESSIONID=EB8B50DFCEE15A45E1D6FC1F20303B93; Path=/
          46670 [main] DEBUG org.apache.http.headers - << Transfer-Encoding: chunked
          46670 [main] DEBUG org.apache.http.headers - << Date: Wed, 10 Jun 2009 14:49:52 GMT
          46686 [main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted: "[version: 0][name: JSESSIONID][value: EB8B50DFCEE15A45E1D6FC1F20303B93][domain: windowpain][path: /][expiry: null]".
          46686 [main] DEBUG org.apache.http.impl.client.DefaultRequestDirector - Connection can be kept alive for -1 ms
          46686 [main] DEBUG org.apache.http.impl.auth.NegotiateScheme - enter isComplete()
          ----------------------------------------
          Response content length: -1
          46702 [main] DEBUG org.apache.http.wire - << "0[EOL]"
          46702 [main] DEBUG org.apache.http.impl.conn.SingleClientConnManager - Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@37fb1e

          On the Jboss side, I noticed that there is a piece of code decoding NegToken and that failed since the "sequence type" (48) in the auth token is beyond what is expected.

          Any suggestions?

          Zhiyong

          Oleg Kalnichevski added a comment -

          @Matthew

          If enough users can confirm the code works as advertised, it could be included in the official distribution of HttpClient 4.1

          Oleg

          Matthew Stevenson added a comment -

          @Zhiyong

          That looks like an issue with the jboss implementation. I added some debugging and got the same issue with IE and HTTPClient. Jboss does its own ASN1 decoding, I'll have to look into it a little more.

          Matthew Stevenson added a comment -

          Below should work with Jboss Negotiation package with jdk 1.6. IIS7 works with Kerberos v5 Oid, Jboss does not. Not sure about other implementations. Would be nice if SPNEGO was back ported to 1.5 but not going to happen.

          // Uses org.ietf.jgss.GSSContext, GSSException, GSSManager, GSSName and Oid;
          // LOG, context, state and INITIATED are members of the enclosing class.
          protected void init(String server) throws GSSException {
              LOG.debug("init " + server);
              /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
              // Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");

              /* Using the SPNEGO OID seems to be the correct method.
               * Above Kerberos v5 works for IIS but not JBoss. Unwrapping
               * the initial token when using SPNEGO OID looks like what is
               * described here...
               * http://msdn.microsoft.com/en-us/library/ms995330.aspx
               * Another helpful URL...
               * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
               * Unfortunately SPNEGO is JRE >=1.6.
               */
              String javaVersion = System.getProperty("java.runtime.version");
              LOG.debug("System.getProperty(\"java.runtime.version\") = " + javaVersion);
              Oid negotiationOid = null;
              if (javaVersion.matches("1\\.6.*")) {
                  LOG.debug("Using SPNEGO OID");
                  negotiationOid = new Oid("1.3.6.1.5.5.2");
              } else {
                  LOG.debug("Using Kerberos OID");
                  negotiationOid = new Oid("1.2.840.113554.1.2.2");
              }

              GSSManager manager = GSSManager.getInstance();
              GSSName serverName = manager.createName("HTTP/" + server, null);
              context = manager.createContext(serverName.canonicalize(negotiationOid),
                      negotiationOid, null, GSSContext.DEFAULT_LIFETIME);
              context.requestMutualAuth(true);
              context.requestCredDeleg(true);
              state = INITIATED;
          }

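To check which of the two OIDs from the comment above a client actually put on the wire, the leading bytes of the token in its `Authorization: Negotiate` header can be decoded offline. This is an added Python example, not code from the attachments or from HttpClient; the function names are this example's own, and the sample tokens are constructed with placeholder bytes where a real Kerberos AP-REQ would be.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO OID quoted in the comment above
KRB5_OID = "1.2.840.113554.1.2.2"   # Kerberos v5 OID quoted in the comment above


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: low 7 bits count the length bytes
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, pos, pos + length


def decode_oid(body):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in body:                      # base-128, high bit set means "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first sub-identifier packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def spnego_mech_types(token, pos, end):
    """Walk a NegTokenInit down to mechTypes and return the offered OIDs in order."""
    # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token[:end], pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x in NegTokenInit" % tag)
    mechs = []
    while pos < end:
        tag, start, stop = read_tlv(token[:end], pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        mechs.append(decode_oid(token[start:stop]))
        pos = stop
    return mechs


def describe_negotiate(header_value):
    """Report the outer mechanism OID of a Negotiate token and any SPNEGO mechTypes."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header with a token")
    token = base64.b64decode(b64.strip(), validate=True)
    tag, pos, end = read_tlv(token, 0)
    if tag != 0x60:                        # GSS-API initial tokens start with [APPLICATION 0]
        raise ValueError("not a GSS-API initial token (first tag 0x%02x)" % tag)
    oid_tag, start, stop = read_tlv(token[:end], pos)
    if oid_tag != 0x06:
        raise ValueError("mechanism OID missing")
    outer = decode_oid(token[start:stop])
    mechs = spnego_mech_types(token, stop, end) if outer == SPNEGO_OID else []
    return {"outer": outer, "spnego_wrapped": outer == SPNEGO_OID, "mechs": mechs}


# --- Constructed sample tokens (placeholders, not captured traffic) ---
def der(tag, body):
    """Encode one DER TLV; only used to build the samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


KRB5_DER = bytes.fromhex("2a864886f712010202")
SPNEGO_DER = bytes.fromhex("2b0601050502")
# Bare Kerberos token: OID, TOK_ID 01 00, then an empty stand-in for the AP-REQ.
RAW_KRB5_TOKEN = der(0x60, der(0x06, KRB5_DER) + b"\x01\x00" + der(0x6E, b""))
# Same token wrapped in a SPNEGO NegTokenInit that offers Kerberos v5 only.
SPNEGO_TOKEN = der(0x60, der(0x06, SPNEGO_DER) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, KRB5_DER))) + der(0xA2, der(0x04, RAW_KRB5_TOKEN)))))


def as_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    for label, token in (("bare Kerberos", RAW_KRB5_TOKEN), ("SPNEGO", SPNEGO_TOKEN)):
        print(label, describe_negotiate(as_header(token)))
```
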
          Marko Asplund added a comment -

          Matt,

          Thanks for sharing the code!

          Does the patch support Kerberos credential delegation?

          Oleg Kalnichevski added a comment -

          @Matthew

          If you can contribute a section on SPNEGO authentication to the HttpClient tutorial, I'll commit your code to the official 4.1 branch of HttpClient

          http://wiki.apache.org/HttpComponents/HttpClientTutorial

          Oleg

          Matthew Stevenson added a comment -

          @Marko

          It should support credential delegation however I haven't tested it. Hopefully you can, I'm not sure I'll have a chance for a while.

          @Oleg

          I'll put something together.

          Matt

          Matthew Stevenson added a comment -

          Updated Kerberos/SPNEGO files.

          Matthew Stevenson added a comment - - edited

          The updated file contains a first run at documentation. I'll fix them up a little but running short of time at the moment.

          I've also added a SPNEGO wrapping option for java 1.5. This allows the use of Jboss + JbossNegotiate with java 1.5. It does require external classes (http://www.bouncycastle.org/java.html) so it's done via an interface and optional class. It shouldn't be hard to do the wrapping by hand to avoid using bouncycastle, but probably easier just to jump to java 1.6.

          I've done a little testing mainly with Java 1.5/1.6 and Jboss/IIS7.

          Regards
          Matt

          Oleg Kalnichevski added a comment -

          Matthew,

          Things are shaping up pretty good. However, ideally I would like to have a few fairly minor points addressed before I go ahead and commit the code to the official repository.

          (1) What is the reason for using mutable static variables (STRIPPORT, SPNEGOCREATE, SpengoGenerator)? Could you please consider changing those variables into regular instance variables?

          (2) Ideally I would prefer to have the SPNEGO documentation converted to the docbkx format and if possible integrated into the HttpClient tutorial [1]

          Oleg

          [1] http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/src/docbkx/

          Zhiyong Li added a comment -

          I tried to use Matthew's 22/Jun/09 code of "protected void init(String server) throws GSSException". It gets me further, but I am still getting the following exception. I also have a sample which uses Java 6 HTTP/SPNEGO implementation, that one works fine. I noticed that for the success code, UDP is used instead of TCP, for example: kdc=bcidcvm01.bci.sas.com UDP:88. Can someone explain this and also can I configure httpclient to use UDP?

          Found ticket for wrsadm@BCI.SAS.COM to go to krbtgt/BCI.SAS.COM@BCI.SAS.COM expiring on Wed Sep 02 21:46:08 EDT 2009
          Entered Krb5Context.initSecContext with state=STATE_NEW
          Service ticket not found in the subject
          >>> Credentials acquireServiceCreds: same realm
          default etypes for default_tgs_enctypes: 3 23.
          >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
          >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
          >>> KrbKdcReq send: kdc=bcidcvm01.bci.sas.com TCP:88, timeout=30000, number of retries =3, #bytes=1230
          >>>DEBUG: TCPClient reading 108 bytes
          >>> KrbKdcReq send: #bytes read=108
          >>> KrbKdcReq send: #bytes read=108
          >>> KDCRep: init() encoding tag is 126 req type is 13
          >>>KRBError:
          sTime is Wed Sep 02 17:03:11 EDT 2009 1251925391000
          suSec is 381067
          error code is 7
          error Message is Server not found in Kerberos database
          realm is BCI.SAS.COM
          sname is HTTP/WINDOWPAIN.bci.sas.com:8080
          msgType is 30
          KrbException: Server not found in Kerberos database (7)
          at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
          at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
          at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
          at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:152)
          at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:101)
          at org.apache.http.protocol.BasicHttpProcessor.process(BasicHttpProcessor.java:251)
          at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:168)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:393)
          at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
          at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
          at org.apache.http.examples.client.KerberosHttpClient.main(KerberosHttpClient.java:124)
          Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
          at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
          at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
          at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
          ... 15 more

          Zhiyong Li added a comment -

          It is not a UDP vs TCP issue. I have to uncomment: NegotiateScheme.setSTRIPPORT(true);

          Thanks.
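
A triage helper for the failure in the two comments above, added here as an example (it is not part of the thread or of HttpClient): it parses JDK Kerberos debug output for KRBError blocks and flags error code 7 replies whose sname carries a port, the condition the poster resolved with NegotiateScheme.setSTRIPPORT(true). The function names are hypothetical, and the sample log is excerpted from the debug output quoted above.

```python
import re

# Excerpt of the JDK Kerberos debug output quoted in the comment above.
SAMPLE_LOG = """\
>>> KrbKdcReq send: kdc=bcidcvm01.bci.sas.com TCP:88, timeout=30000, number of retries =3, #bytes=1230
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Wed Sep 02 17:03:11 EDT 2009 1251925391000
suSec is 381067
error code is 7
error Message is Server not found in Kerberos database
realm is BCI.SAS.COM
sname is HTTP/WINDOWPAIN.bci.sas.com:8080
msgType is 30
KrbException: Server not found in Kerberos database (7)
"""

# Kerberos error code 7: the KDC has no entry for the requested service principal.
KDC_ERR_S_PRINCIPAL_UNKNOWN = "7"

# "<one or two word key> is <value>", the layout of the lines inside a KRBError block.
FIELD = re.compile(r"^\s*(\w+(?: \w+)?) is (.*)$")


def parse_krb_errors(log_text):
    """Return one dict of fields per '>>>KRBError:' block in the debug output."""
    errors, current = [], None
    for line in log_text.splitlines():
        if line.strip().startswith(">>>KRBError"):
            current = {}
            errors.append(current)
            continue
        if current is None:
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
        else:
            current = None  # first non-field line ends the block
    return errors


def diagnose(error):
    """For an 'unknown service principal' reply, report whether the SPN has a port.

    Returns None for any other error code. SPNs are normally registered as
    service/host, so a host:port form is a common cause of error 7.
    """
    if error.get("error code") != KDC_ERR_S_PRINCIPAL_UNKNOWN:
        return None
    sname = error.get("sname", "")
    service, _, host = sname.partition("/")
    with_port = re.fullmatch(r"(.+):(\d+)", host)
    if with_port:
        return {"sname": sname, "has_port": True,
                "suggested_spn": f"{service}/{with_port.group(1)}"}
    return {"sname": sname, "has_port": False, "suggested_spn": sname}


if __name__ == "__main__":
    for err in parse_krb_errors(SAMPLE_LOG):
        finding = diagnose(err)
        if finding and finding["has_port"]:
            print(f"KDC rejected {finding['sname']}: SPN includes a port; "
                  f"check that {finding['suggested_spn']} is registered and "
                  f"that the client strips the port")
        elif finding:
            print(f"KDC rejected {finding['sname']}: SPN not registered in realm "
                  f"{err.get('realm', '?')}")
```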

          Zhiyong Li added a comment -

          I tried Mikael Wikström's HttpClient 3.x code such as CustomAuthenticationNegotiateExample.java. It works fine for me. However, when I changed the following line:

          GetMethod httpget = new GetMethod(args[0]);

          To
          PostMethod httpget = new PostMethod(args[0]);

          I am getting the error: HTTP/1.1 302 Moved Temporarily.

          Can anyone let me know why I can not use PostMethod in this case? I am trying to use this with Spring HttpInvoker, which only supports "Post". Thus, I need to get "Post" to work.

          Thanks.

          Matthew Stevenson added a comment -

          The SPNEGO.patch should apply to the trunk. There are a small number of changes. The biggest one is moving the setup into the factory class and removing the class variables. I think it resolves Oleg's questions.

          The documentation is in the correct format and is pushed onto the end of the authentication section.

          The png is an export from the svg.

          Zhiyong - Please use this code if you can, what happens if you do? I force TCP via krb5.conf, the "udp_preference_limit = 1" line. As I was testing against AD and have a large number of AD groups, TCP was normally required (AD groups are in the Kerberos packets).

          [libdefaults]
          default_realm = AD.EXAMPLE.NET
          udp_preference_limit = 1
          .
          .
          .
          [

          Zhiyong Li added a comment -

          Matt, Thank you for your response to my question dated on 09/02/2009. I have the TCP or UDP problem resolved. I am still hoping someone can answer my question related with GetMethod and PostMethod.

          Oleg Kalnichevski added a comment -

          Matthew,

          I committed your patch with some minor changes to the SVN head. Please review / double-check

          http://svn.apache.org/viewvc?view=rev&revision=814311

          A few notes:

          (1) I copied content of krb5.conf and login.conf files to the ClientKerberosAuthentication sample to make it self-contained. Ideally the example should have a little more documentation in the javadocs. Please consider putting some more work into it.

          (2) We cannot have dependencies on external libraries such as BouncyCastle JCE implementation in examples. Ideally sample files should be functional with the standard set of dependencies. Worst case I would rather have that example require Java 1.6 to run as long as it complies with Java 1.5 and the runtime dependency on 1.6 is clearly documented in the javadocs

          (3) I moved BouncySpnegoTokenGenerator class to the contrib (unsupported) area for the reason given above:
          http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/contrib/org/apache/http/contrib/auth/BouncySpnegoTokenGenerator.java

          Many thanks for this contribution. I am sure quite a few people are going to be quite happy about it!

          I'll close this issue as resolved as soon as the BouncyCastle dependency issue is sorted out and the tutorial content is brushed up a little.

          Oleg

          Matthew Stevenson added a comment -

          @Oleg

          ExUpdateAndMinorFixes.patch adds some comments (a start) to the example. Also fixes the factory class to actually pass on the settings.

          For 2&3) That's fine. contrib is the place for the Bouncy class. It is really a basic example to show it can be done. I'm not sure you need to do anything else here?

          @Zhiyong

          I tried with a POST against IIS7 using trunk and it seemed to work fine (405 method not supported after access allowed). Could you use trunk and test with that? I don't have experience with 3 and I believe it is quite different.

          Oleg Kalnichevski added a comment -

          Matthew,

          I checked the patch in. As soon as you tell me you are through with your work, I'll put some final touches on the sample code and tutorial and close the issue.

          Oleg

          Oleg Kalnichevski added a comment -

          Matthew,

          Both the Kerberos example and the tutorial refer to something called JbossNegotiate, which I believe does not exist in the official repository. Could you please fix that?

          Oleg

          Matthew Stevenson added a comment -

          JbossNegotiation is a SPNEGO auth handler for JBoss/Tomcat http://www.jboss.org/index.html?module=bb&op=viewtopic&t=149589 . It's referenced as I used it to test against as well as IIS7. It's worthwhile to keep in?

          Matthew Stevenson added a comment -

          Also I noticed that SPNEGO_cropped.png wasn't added to the docbkx/resources/images directory and

          <mediaobject>
          <imageobject>
          <imagedata fileref=".//images/SPNEGO_cropped.png" />
          </imageobject>
          </mediaobject>

          was removed from the first SPNEGO section.

          Oleg Kalnichevski added a comment -

          > JbossNegotiation is a SPNEGO auth handler for JBoss/Tomcat

          I see. We should be referring to it as JBoss Negotiation, not JbossNegotiate, to avoid confusion.

          > It's referenced as I used it to test against as well as IIS7. It's worthwhile to keep in?

          I think it is.

          > Also I noticed that SPNEGO_cropped.png wasn't added to the docbkx/resources/images directory

          Unless you are the author of that picture, we should not include content whose origin and licensing terms are known or not specified. I think the SPNEGO description is perfectly fine even without the image.

          Oleg

          Matthew Stevenson added a comment -

          Not sure if you fixed any but I only found the one instance of JbossNegotiate. Patch to fix below.

          I drew the diagram using gliffy.

          Index: src/docbkx/authentication.xml
          ===================================================================
          — src/docbkx/authentication.xml (revision 822859)
          +++ src/docbkx/authentication.xml (working copy)
          @@ -454,7 +454,7 @@
          <section>
          <title><literal>login.conf</literal> file</title>
          <para>The following configuration is a basic setup that works in Windows XP against both

          • <literal>IIS7</literal> and <literal>JbossNegotiate</literal> modules.</para>
            + <literal>IIS7</literal> and <literal>JBoss Negotiation</literal> modules.</para>
            <para>The system property <literal>java.security.auth.login.config</literal> can be use
            to point at the <literal>login.conf</literal> file.</para>
            <para><literal>login.conf</literal> content may look like the following:</para>
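
          Review bot: the context line directly after the changed line still reads "can be use to point at"; since this paragraph is being edited anyway, correct it to "can be used" in the same patch. Also, with the rename to "JBoss Negotiation" the text is now a product name with a space rather than a code token, so it is worth checking whether the <literal> markup around it is still appropriate or whether plain text reads better next to <literal>IIS7</literal>.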
          Oleg Kalnichevski added a comment -
          • Removed superfluous SpnegoCreate flag
          • Finalized SPNEGO example and tutorial

          Oleg

          Dave Whitla added a comment -

          Hi all,

          I authored httpclient-auth-spnego (in April 2007) and the SPNego module for Glassfish and am kinda surprised that no one emailed me on this. I understand a lot of users make use of httpclient-auth-spnego in testing their SPNego enabled servers and would like the work not to have been duplicated.

          Dave

          Oleg Kalnichevski added a comment -

          Dave,

          I was simply not aware of your work on SPNEGO support for HttpClient 3.x. You should have let us know about it.

          Anyhow, support for SPNEGO in HttpClient 4.0 is still very much work in progress. If you are willing to port your code to 4.0 API and license it under ASLv2 we would be happy to incorporate it into the official HttpClient code base.

          Cheers

          Oleg

          Dave Whitla added a comment -

          I'll check out and take a look. I actually only found this JIRA issue because someone at work was looking for a SPNEGO enabled client library and was also unaware of my 3.x add-on. So we will be able to drive some improvement by our own requirements.

          ASLv2 is fine.

          Dave

          daniel winz added a comment -

          Hello all,

          Can somebody provide an example for delegation? Or tell what I have to configure to enable delegation.

          Thank you
          Daniel


            People

            • Assignee:
              Unassigned
              Reporter:
              Mikael Wikström
            • Votes:
              4
              Watchers:
              9