[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed

Seán Coffey sean.coffey at oracle.com
Wed Oct 7 14:28:57 UTC 2015


Thanks for handling Artem. I'll leave the main review to someone more 
knowledgeable with http authentication schemes but can I suggest that 
your print the AuthenticationHeader.authPref string out with the 
"Negotiate process failed, fallback" logger message. It's a useful 
variable to capture.

Regards,
Sean.

On 07/10/2015 12:19, Artem Smotrakov wrote:
> Hello,
>
> Please review this for 9.
>
> According to [1], an HTTP client should try to use another HTTP 
> authentication scheme if negotiate process failed for some reason, and 
> a user didn't specify SPNEGO or Kerberos in "http.auth.preference" 
> system property. But no fallback happens if, for example:
> - an HTTP server supports both Negotiate (via Kerberos) and Basic 
> authentication schemes
> - first, a user provides correct Kerberos credentials, and a 
> connection is successfully established with Negotiate scheme
> - then, a user provides wrong Kerberos credentials, but correct Basic 
> credentials
>
> This fix updates HttpURLConnection to try another authentication 
> scheme negotiate process failed, and SPNEGO and Kerberos schemes are 
> not preferred. The fix may be shorter, for example:
>
> if ( serverAuthentication != null || inNegotiate && 
> !"negotiate".equals(AuthenticationHeader.authPref)) {
>
> , but I thought that some logging might be helpful.
>
> Also added a test which checks this and a couple of other scenarios 
> work fine.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
>
> [1] 
> https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
>
> Artem

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/net-dev/attachments/20151007/519c25c2/attachment.html>


More information about the net-dev mailing list