RFR 8005638: Less secure Authentication schemes should work when more secure schemes are not available

Chris Hegarty chris.hegarty at oracle.com
Thu Jan 3 05:35:33 PST 2013


On 03/01/2013 12:50, Alan Bateman wrote:
> On 03/01/2013 12:11, Chris Hegarty wrote:
>> With compact profiles imminent, see http://openjdk.java.net/jeps/161,
>> more heavyweight HTTP authentication schemes, like NTLM, Kerberos,
>> Negotiate, may not be in the smaller profiles. In such cases the HTTP
>> client, HttpURLConnection, should use the most secure scheme
>> advertised by the server, and also supported by the running JRE. This
>> seems to work with Kerberos and Negotiate, but there is an issue with
>> NTLM.
>>
>> http://cr.openjdk.java.net/~chegar/8005638/webrev/
>>
>> Also, a test to verify this all works as expected has been added. It
>> could be cleaned up somewhat when a standard way to determine the
>> profile has been added (but this is not critical).
>>
>> -Chris.
> Thanks for fixing AuthenticationHeader.
>
> I'm not sure about the test though, it uses the http server API so it's
> not going to compile/run on the smaller profile.

D'oh, I should have guessed.

> We have one test for this area that I just pushed to the jdk8/profiles
> forest, that might be useful to cover this scenario:
>
> http://hg.openjdk.java.net/jdk8/profiles/jdk/raw-file/tip/test/sun/net/www/protocol/http/NoNTLM.java

Your test looks fine.

We can either leave out a test initially, and push the source change 
only. Or I can pull in your test to jdk8 now. I'm ok either way, just 
let me know.

-Chris

>
>
> -Alan.
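
The fallback behaviour discussed in this thread, sketched as an added example (not code from the webrev or from the JDK): pick the strongest scheme that the server advertised and that the running JRE supports. The class name, the preference order, the sample challenges and the "compact" scheme set are assumptions made for illustration, and each header value is assumed to carry a single challenge.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class SchemeFallback {
    // Assumed preference order, strongest first; not taken from the webrev.
    static final List<String> PREFERENCE =
        List.of("negotiate", "kerberos", "digest", "ntlm", "basic");

    /**
     * Returns the most preferred scheme that is both advertised by the server
     * and supported by the runtime, or empty when the two sets do not overlap.
     */
    static Optional<String> select(List<String> wwwAuthenticate, Set<String> supported) {
        Set<String> advertised = new HashSet<>();
        for (String value : wwwAuthenticate) {
            String v = value.trim();
            if (v.isEmpty()) {
                continue;
            }
            // The scheme is the first token; any parameters follow whitespace.
            advertised.add(v.split("\\s+", 2)[0].toLowerCase(Locale.ROOT));
        }
        // Walk the preference list so an unsupported scheme is skipped, not fatal.
        return PREFERENCE.stream()
            .filter(advertised::contains)
            .filter(supported::contains)
            .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample challenges from a server offering three schemes.
        List<String> challenges = List.of(
            "NTLM",
            "Digest realm=\"example\", nonce=\"abc123\"",
            "Basic realm=\"example\"");

        Set<String> full = Set.of("negotiate", "kerberos", "digest", "ntlm", "basic");
        Set<String> compact = Set.of("digest", "basic"); // hypothetical small profile

        System.out.println("full runtime:    " + select(challenges, full));
        System.out.println("compact runtime: " + select(challenges, compact));
        // Server offers only NTLM, runtime lacks it: nothing usable remains.
        System.out.println("NTLM-only server: " + select(List.of("NTLM"), compact));
    }
}
```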


