Bug 408216 - SPNEGO authentication support for ECF HttpClient4 Provider
Status: NEW
Alias: None
Product: ECF
Classification: RT
Component: ecf.filetransfer
Version: unspecified
Hardware: PC All
Importance: P3 enhancement
Target Milestone: ---
Assignee: ecf.core-inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-16 05:06 EDT by Moritz Bechler CLA
Modified: 2023-10-23 03:34 EDT (History)

See Also:


Attachments
Patch adding SPNEGO support. (29.76 KB, patch)
2013-05-16 05:06 EDT, Moritz Bechler CLA

Description Moritz Bechler CLA 2013-05-16 05:06:30 EDT
Created attachment 231066
Patch adding SPNEGO support.

Hi,

I implemented SPNEGO Server/Proxy authentication support for the HttpClient4 ECF provider. The attached patch is designed to be as non-invasive as possible when SPNEGO is not enabled but otherwise needs to work around quite a few issues in HttpClient.

For compatibility reasons SPNEGO authentication is performed on a per-request (as opposed to per-connection, which most probably is the intention of the RFC) basis; there is a wide range of server software that requires this. This would cause two requests for each real request, therefore authentication is performed preemptively for configured scopes.

Compatibility:
Will probably break when moving to HttpClient >4.1 as there were changes to the SPNEGO support. Bumped HttpClient minimum version to 4.1.2 because that version fixes a bug concerning cross-realm Kerberos authentication.

System properties for configuration:

org.eclipse.ecf.provider.filetransfer.httpclient4.options.spnegoEnable:
if "true", enables the alternative HttpClient which enables SPNEGO auth.

org.eclipse.ecf.provider.filetransfer.httpclient4.options.spnegoProxyAuth:
if "true", enables preemptive SPNEGO authentication against HTTP(S) proxies.

org.eclipse.ecf.provider.filetransfer.httpclient4.options.spnegoAuthScopes:
comma-separated list of URLs against which preemptive SPNEGO authentication is enabled (the actual matching method currently uses only host and port; this has some security implications when not the whole server can be trusted. Also, a check that an https connection actually is secure and the server identity was validated should most probably be put in place).


The attached patch is against GIT HEAD.


with best regards

Moritz Bechler
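The caveat in the description, that the spnegoAuthScopes matcher compares only host and port and does not require a verified https connection, is the part of the design a reviewer would most want nailed down, because a preemptively sent Negotiate token goes to whatever peer answers at that host and port. The following is an added example, not code from the attached patch or from ECF: a hypothetical scope matcher that also compares the URL scheme and a path prefix, fills in the default port per scheme, and refuses to send the token preemptively over plain http unless that is explicitly allowed. The class and method names, and the sample scope list in main, are assumptions made for this illustration; how such a matcher would be wired into the HttpClient request path is not shown.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical matcher for a comma-separated scope list such as the one the
 * spnegoAuthScopes property carries. Example code, not the ECF patch: it matches
 * on scheme, host, port and path prefix rather than on host and port only.
 */
public final class SpnegoScopeMatcher {

    /** One configured scope: lower-cased scheme and host, effective port, path prefix. */
    static final class Scope {
        final String scheme;
        final String host;
        final int port;
        final String pathPrefix;

        Scope(URI u) {
            this.scheme = u.getScheme().toLowerCase();
            this.host = u.getHost().toLowerCase();
            this.port = effectivePort(u);
            String p = u.getRawPath();
            this.pathPrefix = (p == null || p.isEmpty()) ? "/" : p;
        }
    }

    private final List<Scope> scopes = new ArrayList<Scope>();

    /** Parses the list; rejects entries without scheme or host, or with a non-http(s) scheme. */
    public SpnegoScopeMatcher(String commaSeparatedUrls) {
        for (String raw : commaSeparatedUrls.split(",")) {
            String s = raw.trim();
            if (s.isEmpty()) continue;
            URI u;
            try {
                u = new URI(s);
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Bad SPNEGO scope URL: " + s, e);
            }
            if (u.getScheme() == null || u.getHost() == null) {
                throw new IllegalArgumentException("SPNEGO scope needs scheme and host: " + s);
            }
            String scheme = u.getScheme().toLowerCase();
            if (!scheme.equals("https") && !scheme.equals("http")) {
                throw new IllegalArgumentException("SPNEGO scope must be http(s): " + s);
            }
            scopes.add(new Scope(u));
        }
    }

    /** Explicit port if given, otherwise the default for the scheme (443 for https, 80 for http). */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** True if the request lies inside a configured scope; the scheme must match exactly. */
    public boolean inScope(URI request) {
        if (request.getScheme() == null || request.getHost() == null) return false;
        String scheme = request.getScheme().toLowerCase();
        String host = request.getHost().toLowerCase();
        int port = effectivePort(request);
        String path = request.getRawPath();
        if (path == null || path.isEmpty()) path = "/";
        for (Scope s : scopes) {
            if (s.scheme.equals(scheme) && s.host.equals(host) && s.port == port
                    && pathWithin(path, s.pathPrefix)) {
                return true;
            }
        }
        return false;
    }

    /** Prefix match on whole path segments: "/repo" covers "/repo/x" but not "/repository". */
    private static boolean pathWithin(String path, String prefix) {
        if (prefix.equals("/")) return true;
        String p = prefix.endsWith("/") ? prefix.substring(0, prefix.length() - 1) : prefix;
        return path.equals(p) || path.startsWith(p + "/");
    }

    /**
     * Whether a Negotiate token may be sent without first seeing a 401: the URL must be in
     * scope and, unless plain-http scopes were explicitly allowed, the scheme must be https,
     * so the token only ever goes to a peer that TLS has authenticated.
     */
    public boolean allowPreemptive(URI request, boolean allowPlainHttp) {
        if (!inScope(request)) return false;
        return allowPlainHttp || "https".equalsIgnoreCase(request.getScheme());
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample configuration for this example; not taken from the bug report.
        SpnegoScopeMatcher m = new SpnegoScopeMatcher(
            "https://updates.example.corp/releases, http://legacy.example.corp:8080/p2");
        System.out.println(m.allowPreemptive(new URI("https://updates.example.corp/releases/4.3/"), false));
        // same host, but http instead of the configured https scheme
        System.out.println(m.allowPreemptive(new URI("http://updates.example.corp/releases/"), false));
        // same host and port, path outside the configured prefix
        System.out.println(m.allowPreemptive(new URI("https://updates.example.corp/other/"), false));
        // in scope, but plain http is not allowed unless the caller opts in
        System.out.println(m.allowPreemptive(new URI("http://legacy.example.corp:8080/p2/x.jar"), false));
        System.out.println(m.allowPreemptive(new URI("http://legacy.example.corp:8080/p2/x.jar"), true));
    }
}
```

The https requirement only helps if the client's TLS layer actually verifies the server certificate against the host name; a provider that accepts any certificate would still hand the token to an impersonator, which is the second check the description says should be put in place.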
Comment 1 Moritz Bechler CLA 2013-05-16 06:31:20 EDT
Noticed a minor but really embarrassing issue in org.eclipse.ecf.internal.provider.filetransfer.httpclient4.spnego.PreemptiveNegotiateHttpClient, going to blame copy-paste for it.

--
private static final String TRUE = "true"; //$NON-NLS-1$
private static final String FALSE = "true"; //$NON-NLS-1$
--

of course should be
--
private static final String TRUE = "true"; //$NON-NLS-1$
private static final String FALSE = "false"; //$NON-NLS-1$
--
Comment 2 Markus Kuppe CLA 2013-05-17 08:53:13 EDT
Hi Moritz,

since your patch is large enough, please answer the following three questions.

1. I have authored 100% of the content I'm contributing;
2. I have the rights to donate the content to Eclipse; and
3. I contribute the content under the project's license(s) (e.g. EPL)
Comment 3 Moritz Bechler CLA 2013-05-17 10:12:33 EDT
Hi,

1. I have authored 100% of the content I'm contributing
2. My company granted all necessary rights to contribute this code under EPL terms.
3. I contribute this code under EPL license.


with best regards

Moritz Bechler
Comment 4 Markus Kuppe CLA 2013-05-24 10:38:53 EDT
Hi Moritz,

we will do the final ECF 3.6.1 build end of month after which we will have a chance to work on new features. Sorry to let you wait.