RFR 8005638: Less secure Authentication schemes should work when more secure schemes are not available
Alan Bateman
Alan.Bateman at oracle.com
Thu Jan 3 04:50:45 PST 2013
On 03/01/2013 12:11, Chris Hegarty wrote:
> With compact profiles imminent, see http://openjdk.java.net/jeps/161,
> more heavyweight HTTP authentication schemes, like NTLM, Kerberos,
> Negotiate, may not be in the smaller profiles. In such cases the HTTP
> client, HttpURLConnection, should use the most secure scheme
> advertised by the server, and also supported by the running JRE. This
> seems to work with Kerberos and Negotiate, but there is an issue with
> NTLM.
>
> http://cr.openjdk.java.net/~chegar/8005638/webrev/
>
> Also, a test to verify this all works as expected has been added. It
> could be cleaned up somewhat when a standard way to determine the
> profile has been added (but this is not critical).
>
> -Chris.

Thanks for fixing AuthenticationHeader.

I'm not sure about the test though; it uses the HTTP server API, so it's
not going to compile/run on the smaller profile.

We have one test for this area that I just pushed to the jdk8/profiles
forest, which might be useful to cover this scenario:

http://hg.openjdk.java.net/jdk8/profiles/jdk/raw-file/tip/test/sun/net/www/protocol/http/NoNTLM.java

-Alan.
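
The fallback behaviour discussed in this thread, as an added example that is not code from the webrev or from the JDK: pick the strongest scheme that the server advertises and the running runtime also supports. The class name, the preference order, the "supported" sets and the sample challenges are assumptions constructed for illustration, and each challenge is assumed to arrive as its own WWW-Authenticate header value.

```java
import java.util.*;

public class SchemeFallbackDemo {
    // Assumed preference order, strongest first (an assumption of this example).
    static final List<String> PREFERENCE =
        List.of("negotiate", "kerberos", "digest", "ntlm", "basic");

    // The scheme is the first whitespace-delimited token of a challenge;
    // scheme names are compared case-insensitively.
    static Set<String> advertised(List<String> challenges) {
        Set<String> schemes = new HashSet<>();
        for (String value : challenges) {
            String trimmed = value.trim();
            if (trimmed.isEmpty()) continue;   // ignore empty header values
            schemes.add(trimmed.split("\\s+", 2)[0].toLowerCase(Locale.ROOT));
        }
        return schemes;
    }

    // Strongest scheme that is both offered by the server and available
    // locally; empty when there is no scheme in common.
    static Optional<String> choose(List<String> challenges, Set<String> supported) {
        Set<String> offered = advertised(challenges);
        return PREFERENCE.stream()
            .filter(offered::contains)
            .filter(supported::contains)
            .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample challenges, one per header value.
        List<String> all = List.of(
            "Negotiate",
            "NTLM",
            "Digest realm=\"example\", nonce=\"constructed-nonce\"",
            "Basic realm=\"example\"");
        List<String> ntlmAndBasic = List.of("NTLM", "Basic realm=\"example\"");
        List<String> ntlmOnly = List.of("NTLM");

        // Hypothetical runtimes: a full one and a small profile without
        // the Negotiate, Kerberos and NTLM implementations.
        Set<String> full = Set.of("negotiate", "kerberos", "digest", "ntlm", "basic");
        Set<String> small = Set.of("digest", "basic");

        System.out.println("full,  all schemes: " + choose(all, full));
        System.out.println("small, all schemes: " + choose(all, small));
        System.out.println("small, NTLM+Basic:  " + choose(ntlmAndBasic, small));
        System.out.println("small, NTLM only:   " + choose(ntlmOnly, small));
    }
}
```

The third case is the one a reviewer should look at: with NTLM unavailable the client silently lands on Basic, where the password is only base64-encoded, so the connection needs TLS for that fallback to be acceptable.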