[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed
Seán Coffey
sean.coffey at oracle.com
Wed Oct 7 14:28:57 UTC 2015
Thanks for handling, Artem. I'll leave the main review to someone more
knowledgeable with http authentication schemes but can I suggest that
you print the AuthenticationHeader.authPref string out with the
"Negotiate process failed, fallback" logger message. It's a useful
variable to capture.
Regards,
Sean.
On 07/10/2015 12:19, Artem Smotrakov wrote:
> Hello,
>
> Please review this for 9.
>
> According to [1], an HTTP client should try to use another HTTP
> authentication scheme if negotiate process failed for some reason, and
> a user didn't specify SPNEGO or Kerberos in "http.auth.preference"
> system property. But no fallback happens if, for example:
> - an HTTP server supports both Negotiate (via Kerberos) and Basic
> authentication schemes
> - first, a user provides correct Kerberos credentials, and a
> connection is successfully established with Negotiate scheme
> - then, a user provides wrong Kerberos credentials, but correct Basic
> credentials
>
> This fix updates HttpURLConnection to try another authentication
> scheme if negotiate process failed, and SPNEGO and Kerberos schemes are
> not preferred. The fix may be shorter, for example:
>
> if ( serverAuthentication != null || inNegotiate &&
> !"negotiate".equals(AuthenticationHeader.authPref)) {
>
> , but I thought that some logging might be helpful.
>
> Also added a test which checks this and a couple of other scenarios
> work fine.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
>
> [1]
> https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
>
> Artem
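
The fallback rule described in this thread, as an added example that is not part of the original messages or the JDK source: a simplified Java model of which scheme a client tries next after a failed Negotiate exchange. The class and method names, the default scheme order and the handling of a preference the server does not offer are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Simplified model of the fallback rule discussed in this thread.
// Not the JDK's HttpURLConnection code; all names here are hypothetical.
public class AuthFallbackDemo {

    // Assumed default order, strongest first, when several schemes are offered.
    static final List<String> ORDER = Arrays.asList("negotiate", "digest", "ntlm", "basic");

    // SPNEGO and Kerberos both select the Negotiate scheme; null means "not set".
    static String normalizePref(String pref) {
        if (pref == null) return null;
        String p = pref.toLowerCase(Locale.ROOT);
        return (p.equals("spnego") || p.equals("kerberos")) ? "negotiate" : p;
    }

    // Scheme to try next, or null when the client must give up and report the 401/407.
    static String nextScheme(List<String> offered, String pref, boolean negotiateFailed) {
        List<String> schemes = new ArrayList<>();
        for (String s : offered) schemes.add(s.toLowerCase(Locale.ROOT));
        String authPref = normalizePref(pref);
        if (authPref != null && schemes.contains(authPref)) {
            // A pinned Negotiate preference never falls back to a weaker scheme.
            if (authPref.equals("negotiate") && negotiateFailed) return null;
            return authPref;
        }
        for (String s : ORDER) {
            if (s.equals("negotiate") && negotiateFailed) continue; // already failed
            if (schemes.contains(s)) return s;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed scenario: the server offers Negotiate and Basic, as in the report.
        List<String> offered = Arrays.asList("Negotiate", "Basic");
        // No preference set, first attempt.
        System.out.println(nextScheme(offered, null, false));
        // No preference, Negotiate failed: the client moves to Basic,
        // which puts a base64-encoded password on the wire.
        System.out.println(nextScheme(offered, null, true));
        // Preference pinned to SPNEGO or Kerberos: no fallback after failure.
        System.out.println(nextScheme(offered, "SPNEGO", true));
        System.out.println(nextScheme(offered, "Kerberos", true));
    }
}
```

Setting `http.auth.preference` to SPNEGO or Kerberos is what keeps a failed Negotiate exchange from ending in Basic.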