[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed
Wang Weijun
weijun.wang at oracle.com
Wed Oct 7 14:39:01 UTC 2015
I will look into this. Busy on something else at the moment.
Do you think this would happen in reality? There weren't a lot of fallbacks in HTTP auth, IMO; is that because in most cases the username and password are the same for all schemes, and if one fails, we believe the pair is wrong and there is no need to try another? Negotiate was picked as a special case because configuration could go wrong even if the username and password are correct, and we provide a fallback.
For example, what about fallback from Digest to Basic? Could the digest credentials be provided correctly at first and wrong later? What would happen?
I haven't read the HttpURLConnection class for a long time and I could be wrong.
Thanks
Max
> On Oct 7, 2015, at 7:19 PM, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>
> Hello,
>
> Please review this for 9.
>
> According to [1], an HTTP client should try to use another HTTP authentication scheme if negotiate process failed for some reason, and a user didn't specify SPNEGO or Kerberos in "http.auth.preference" system property. But no fallback happens if, for example:
> - an HTTP server supports both Negotiate (via Kerberos) and Basic authentication schemes
> - first, a user provides correct Kerberos credentials, and a connection is successfully established with Negotiate scheme
> - then, a user provides wrong Kerberos credentials, but correct Basic credentials
>
> This fix updates HttpURLConnection to try another authentication scheme if the negotiate process failed and the SPNEGO and Kerberos schemes are not preferred. The fix may be shorter, for example:
>
> if ( serverAuthentication != null || inNegotiate && !"negotiate".equals(AuthenticationHeader.authPref)) {
>
> , but I thought that some logging might be helpful.
>
> Also added a test which checks this and a couple of other scenarios work fine.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
>
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
>
> Artem
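The fallback decision described in Artem's post, modelled as a small stand-alone Java class (added example, not JDK code from the webrev). It assumes one challenge per WWW-Authenticate header value, an assumed strength ordering of schemes, and a simplified reading of "http.auth.preference" in which a value of spnego/kerberos/negotiate pins the client to Negotiate and any other value pins it to that scheme.

```java
import java.util.*;

/** Toy model of choosing an HTTP auth scheme, including the Negotiate fallback. */
public final class AuthSchemeFallback {
    // Assumed strength order (most to least preferred); the JDK keeps its own ordering.
    private static final List<String> STRENGTH_ORDER = List.of("negotiate", "digest", "ntlm", "basic");

    /** Extracts scheme names from WWW-Authenticate values such as "Negotiate" or "Basic realm=\"x\"". */
    static Set<String> offeredSchemes(List<String> wwwAuthenticate) {
        Set<String> schemes = new LinkedHashSet<>();
        for (String value : wwwAuthenticate) {
            String scheme = value.trim().split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
            if (!scheme.isEmpty()) schemes.add(scheme);
        }
        return schemes;
    }

    /**
     * Picks the scheme to try next. negotiateFailed records that a Negotiate/SPNEGO attempt
     * already failed (e.g. a misconfigured Kerberos setup), which is the case the fix covers.
     */
    static Optional<String> chooseScheme(Set<String> offered, String authPref, boolean negotiateFailed) {
        if (authPref != null && !authPref.isEmpty()) {
            String pref = authPref.toLowerCase(Locale.ROOT);
            boolean pinnedToNegotiate = pref.equals("spnego") || pref.equals("kerberos") || pref.equals("negotiate");
            String wanted = pinnedToNegotiate ? "negotiate" : pref;
            // An explicit preference is honoured and never silently downgraded to a weaker scheme.
            if (wanted.equals("negotiate") && negotiateFailed) return Optional.empty();
            return offered.contains(wanted) ? Optional.of(wanted) : Optional.empty();
        }
        for (String scheme : STRENGTH_ORDER) {
            if (scheme.equals("negotiate") && negotiateFailed) continue; // fall back past the failed scheme
            if (offered.contains(scheme)) return Optional.of(scheme);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed challenges: a server that offers both Negotiate (Kerberos) and Basic.
        Set<String> offered = offeredSchemes(List.of("Negotiate", "Basic realm=\"example\""));
        System.out.println("first attempt:          " + chooseScheme(offered, null, false));     // negotiate
        System.out.println("after negotiate failed: " + chooseScheme(offered, null, true));      // basic
        System.out.println("pinned to SPNEGO:       " + chooseScheme(offered, "spnego", true));  // empty
    }
}
```

With no preference set, a failed Negotiate round now yields Basic from the same challenge set, while a pinned SPNEGO preference yields no fallback, matching the behaviour the post asks HttpURLConnection to have.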