Re: [jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided

RFC2616 is obsolete.

Replaced with many updated RFCs:
Authorization and Proxy-Authorization headers are defined in:

https://tools.ietf.org/html/rfc7231#section-5.4
and https://tools.ietf.org/html/rfc7235


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Jul 27, 2017 at 1:18 PM, Josh Elser <elserj@xxxxxxxxxx> wrote:
Hi all,

I've been digging into an interesting case I'd like to run by you all.

I have a Jetty application that requires SPNEGO authentication sitting behind a reverse-proxy that requires HTTP Basic authentication (clients use Basic auth to talk to the reverse-proxy and the reverse-proxy uses SPNEGO to talk to the Jetty application). The problem was that the reverse-proxy was failing to authenticate with the Jetty application.

Digging further, I noticed that the reverse-proxy does not strip the HTTP Basic Authorization header sent by the client. When Jetty sees that request, it does not send back the expected HTTP/401 with a WWW-Negotiate header. I just see a plain HTTP/401 that comes from the application (as the user was not authenticated).

Looking at the source of SpnegoAuthenticator[1], the negotiate challenge will _only_ be sent when no Authorization header was sent by the client. This seemed a bit odd to me, so I re-read RFC-4559[2], section 4.1:

<quote>
If the server receives a request for an access-protected object, and
if an acceptable Authorization header has not been sent, the server
responds with a "401 Unauthorized" status code, and a "WWW-
Authenticate: Negotiate" header as per the framework described in [RFC2616].
</quote>

Given the above, my initial interpretation was that if a client provides some Authorization header which is not sufficient for SPNEGO authentication, SpnegoAuthenticator should send the challenge request. That is not the case -- SpnegoAuthenticator will only send the challenge request when _no_ Authorization header is provided.

I wanted to drop a note because I can imagine that there are edge-cases which I'm not considering. Thanks in advance!


- Josh

[1] https://github.com/eclipse/jetty.project/blob/0c8273f2ca1f9bf2064cd9c4c939d2546443f759/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java#L76-L94
[2] https://tools.ietf.org/html/rfc4559
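As an added example (not code from this thread or from Jetty), the following Python models the two challenge policies Josh contrasts, the reverse-proxy's header handling that triggers the problem, and an RFC 7235 Authorization parser. The Basic credentials, the Host header and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample: the client's Basic credentials that the reverse-proxy
# forwarded unchanged (placeholder user and password, not from the thread).
CLIENT_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
NEGOTIATE_CHALLENGE = "Negotiate"

# RFC 7235 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
_CRED_RE = re.compile(r"^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s+(.*))?$")


def parse_authorization(value):
    """Return (scheme lower-cased, remainder) or None if absent/unparsable."""
    if value is None:
        return None
    m = _CRED_RE.match(value)
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or "").strip()


def challenge_as_described(authorization):
    """Behaviour reported in the thread: challenge only when no header at all."""
    return authorization is None


def challenge_per_rfc4559(authorization):
    """Josh's reading of RFC 4559 4.1: challenge unless an acceptable
    Negotiate token was supplied (any other scheme still gets the challenge)."""
    parsed = parse_authorization(authorization)
    if parsed is None:
        return True
    scheme, token = parsed
    return not (scheme == "negotiate" and token)


def backend_response(authorization, policy):
    """Model the SPNEGO-protected backend's first response: 401 plus the
    WWW-Authenticate: Negotiate challenge when the policy calls for it,
    otherwise the plain 401 the application emits for an unauthenticated user."""
    if policy(authorization):
        return 401, {"WWW-Authenticate": NEGOTIATE_CHALLENGE}
    return 401, {}


def proxy_forward(client_headers, strip_client_auth):
    """Headers the reverse-proxy sends upstream on its first attempt. Dropping
    the client's Basic Authorization is what lets the backend issue the
    Negotiate challenge under the behaviour described in the thread."""
    forwarded = dict(client_headers)
    if strip_client_auth:
        forwarded.pop("Authorization", None)
    return forwarded
```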