[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed
Artem Smotrakov
artem.smotrakov at oracle.com
Wed Oct 7 15:25:22 UTC 2015
Hi Sean,
Sure, it may be useful to print it out. I will update the webrev.
Artem
On 10/07/2015 05:28 PM, Seán Coffey wrote:
> Thanks for handling Artem. I'll leave the main review to someone more
> knowledgeable with http authentication schemes but can I suggest that
> your print the AuthenticationHeader.authPref string out with the
> "Negotiate process failed, fallback" logger message. It's a useful
> variable to capture.
> Regards,
> Sean.
> On 07/10/2015 12:19, Artem Smotrakov wrote:
>> Hello,
>>
>> Please review this for 9.
>>
>> According to [1], an HTTP client should try to use another HTTP
>> authentication scheme if negotiate process failed for some reason,
>> and a user didn't specify SPNEGO or Kerberos in
>> "http.auth.preference" system property. But no fallback happens if,
>> for example:
>> - an HTTP server supports both Negotiate (via Kerberos) and Basic
>> authentication schemes
>> - first, a user provides correct Kerberos credentials, and a
>> connection is successfully established with Negotiate scheme
>> - then, a user provides wrong Kerberos credentials, but correct Basic
>> credentials
>>
>> This fix updates HttpURLConnection to try another authentication
>> scheme negotiate process failed, and SPNEGO and Kerberos schemes are
>> not preferred. The fix may be shorter, for example:
>>
>> if ( serverAuthentication != null || inNegotiate &&
>> !"negotiate".equals(AuthenticationHeader.authPref)) {
>>
>> , but I thought that some logging might be helpful.
>>
>> Also added a test which checks this and a couple of other scenarios
>> work fine.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
>> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
>>
>> [1]
>> https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
>>
>> Artem
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/net-dev/attachments/20151007/eb37273c/attachment.html>
More information about the net-dev
mailing list