[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed

Artem Smotrakov artem.smotrakov at oracle.com
Wed Oct 7 15:25:22 UTC 2015


Hi Sean,

Sure, it may be useful to print it out. I will update the webrev.

Artem

On 10/07/2015 05:28 PM, Seán Coffey wrote:
> Thanks for handling Artem. I'll leave the main review to someone more 
> knowledgeable with http authentication schemes but can I suggest that 
> your print the AuthenticationHeader.authPref string out with the 
> "Negotiate process failed, fallback" logger message. It's a useful 
> variable to capture.
> Regards,
> Sean.
> On 07/10/2015 12:19, Artem Smotrakov wrote:
>> Hello,
>>
>> Please review this for 9.
>>
>> According to [1], an HTTP client should try to use another HTTP 
>> authentication scheme if negotiate process failed for some reason, 
>> and a user didn't specify SPNEGO or Kerberos in 
>> "http.auth.preference" system property. But no fallback happens if, 
>> for example:
>> - an HTTP server supports both Negotiate (via Kerberos) and Basic 
>> authentication schemes
>> - first, a user provides correct Kerberos credentials, and a 
>> connection is successfully established with Negotiate scheme
>> - then, a user provides wrong Kerberos credentials, but correct Basic 
>> credentials
>>
>> This fix updates HttpURLConnection to try another authentication 
>> scheme negotiate process failed, and SPNEGO and Kerberos schemes are 
>> not preferred. The fix may be shorter, for example:
>>
>> if ( serverAuthentication != null || inNegotiate && 
>> !"negotiate".equals(AuthenticationHeader.authPref)) {
>>
>> , but I thought that some logging might be helpful.
>>
>> Also added a test which checks this and a couple of other scenarios 
>> work fine.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
>> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
>>
>> [1] 
>> https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
>>
>> Artem
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/net-dev/attachments/20151007/eb37273c/attachment.html>


More information about the net-dev mailing list