Re: [jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided
Thanks for the information/reply, Joakim.
Are you implying that these RFCs answer my question about
SpnegoAuthenticator? Or maybe you just wanted to point me to updated info?
A quick skim over rfc7235 shows language equivalent to what I stated
originally:
<quote>
Upon receipt of a request for a protected resource that omits
credentials, contains invalid credentials (e.g., a bad password) or
partial credentials [...], an origin server SHOULD send a 401
(Unauthorized) response that contains a WWW-Authenticate header field
with at least one (possibly new) challenge applicable to the
requested resource.
</quote>
- Josh
On 7/27/17 5:33 PM, Joakim Erdfelt wrote:
RFC2616 is obsolete.
Replaced with many updated RFCs:
* https://tools.ietf.org/html/rfc7230
* https://tools.ietf.org/html/rfc7231
* https://tools.ietf.org/html/rfc7232
* https://tools.ietf.org/html/rfc7233
* https://tools.ietf.org/html/rfc7234
* https://tools.ietf.org/html/rfc7235
Authorization and Proxy-Authorization headers are defined in:
https://tools.ietf.org/html/rfc7231#section-5.4
and https://tools.ietf.org/html/rfc7235
Joakim Erdfelt / joakim@xxxxxxxxxxx
On Thu, Jul 27, 2017 at 1:18 PM, Josh Elser <elserj@xxxxxxxxxx> wrote:
Hi all,
I've been digging into an interesting case I'd like to run by you all.
I have a Jetty application that requires SPNEGO authentication
sitting behind a reverse-proxy that requires HTTP Basic
authentication (clients use Basic auth to talk to the reverse-proxy
and the reverse-proxy uses SPNEGO to talk to the Jetty application).
The problem was that the reverse-proxy was failing to authenticate
with the Jetty application.
Digging further, I noticed that the reverse-proxy does not strip the
HTTP Basic Authorization header sent by the client. When Jetty sees
that request, it does not send back the expected HTTP/401 with a
WWW-Negotiate header. I just see a plain HTTP/401 that comes from the
application (as the user was not authenticated).
Looking at the source of SpnegoAuthenticator[1], the negotiate
challenge will _only_ be sent when no Authorization header was sent
by the client. This seemed a bit odd to me, so I re-read
RFC-4559[2], section 4.1:
<quote>
If the server receives a request for an access-protected object, and
if an acceptable Authorization header has not been sent, the server
responds with a "401 Unauthorized" status code, and a "WWW-
Authenticate: Negotiate" header as per the framework described in
[RFC2616].
</quote>
Given the above, my initial interpretation was that if a client
provides some Authorization header which is not sufficient for
SPNEGO authentication, SpnegoAuthenticator should send the challenge
request. That is not the case -- SpnegoAuthenticator will only send
the challenge request when _no_ Authorization header is provided.
I wanted to drop a note because I can imagine that there are
edge-cases which I'm not considering. Thanks in advance!
- Josh
[1] https://github.com/eclipse/jetty.project/blob/0c8273f2ca1f9bf2064cd9c4c939d2546443f759/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java#L76-L94
[2] https://tools.ietf.org/html/rfc4559
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
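The following is an added illustration of the behaviour discussed in this thread; it is not code from Jetty, from SpnegoAuthenticator, or from either poster. It models two server policies on constructed requests: the one Josh describes (a Negotiate challenge is issued only when no Authorization header at all is present) and the RFC 4559 section 4.1 / RFC 7235 section 3.1 reading (a challenge whenever no acceptable Negotiate token is present). The reverse proxy is modelled as an assumption: a challenge-driven SPNEGO client that only produces its Negotiate token after seeing `WWW-Authenticate: Negotiate`, which is the usual behaviour of SPNEGO HTTP clients and explains why a bare 401 stalls the flow. The Basic credentials and the Negotiate token are constructed placeholders, and a 200 stands in for successful GSS token validation.

```python
"""Model of the SPNEGO challenge decision from the jetty-dev thread.

Added example, not Jetty code. Server functions model the thread's
description and the RFC text; the proxy is an assumed challenge-driven
SPNEGO client. All credentials/tokens below are constructed.
"""
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers]

# Constructed placeholder; a real value is a base64 SPNEGO InitialContextToken.
FAKE_NEGOTIATE_TOKEN = "YIIBdwYGKwYBBQUCoIIBaz-constructed"

# Constructed: what the end user sends to the reverse proxy (user:pass in Basic).
CLIENT_REQUEST: Headers = {
    "Host": "app.example.test",
    "Authorization": "Basic dXNlcjpwYXNz",
}


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def without_header(headers: Headers, name: str) -> Headers:
    """Copy of headers with every instance of `name` removed."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def has_negotiate_token(authorization: Optional[str]) -> bool:
    """True when Authorization is 'Negotiate <non-empty token>'."""
    if authorization is None:
        return False
    parts = authorization.split(None, 1)
    return len(parts) == 2 and parts[0].lower() == "negotiate" and parts[1].strip() != ""


def challenged_with_negotiate(response_headers: Headers) -> bool:
    """True when the response carries a Negotiate challenge (first scheme listed)."""
    www = get_header(response_headers, "WWW-Authenticate")
    tokens = www.split() if www else []
    return bool(tokens) and tokens[0].rstrip(",").lower() == "negotiate"


def server_challenge_only_when_absent(request: Headers) -> Response:
    """Policy Josh describes: challenge only if *no* Authorization header was
    sent. Any other Authorization value (e.g. Basic) yields a bare 401.
    Model of the thread's description, not Jetty's source."""
    auth = get_header(request, "Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    if has_negotiate_token(auth):
        return 200, {}  # stand-in for successful GSS token validation
    return 401, {}      # unusable credentials, but no challenge offered


def server_challenge_when_not_acceptable(request: Headers) -> Response:
    """RFC 4559 s4.1 / RFC 7235 s3.1 reading: challenge whenever an acceptable
    Negotiate token is missing, whatever else the client sent."""
    if has_negotiate_token(get_header(request, "Authorization")):
        return 200, {}
    return 401, {"WWW-Authenticate": "Negotiate"}


def proxy_round_trip(server: Callable[[Headers], Response],
                     client_headers: Headers,
                     strip_client_authorization: bool) -> int:
    """Assumed proxy: forwards the request, and only after a Negotiate
    challenge replaces Authorization with its own Negotiate token.
    Returns the final upstream status seen by the proxy."""
    upstream = dict(client_headers)
    if strip_client_authorization:
        # Remediation on the proxy side: do not leak the end user's Basic header.
        upstream = without_header(upstream, "Authorization")
    status, resp = server(upstream)
    if status == 401 and challenged_with_negotiate(resp):
        upstream = without_header(upstream, "Authorization")
        upstream["Authorization"] = "Negotiate " + FAKE_NEGOTIATE_TOKEN
        status, resp = server(upstream)
    return status


if __name__ == "__main__":
    # Reproduces the stall from the thread, then shows both ways out of it.
    print("challenge-only-when-absent, Basic forwarded :",
          proxy_round_trip(server_challenge_only_when_absent, CLIENT_REQUEST, False))
    print("challenge-only-when-absent, Basic stripped  :",
          proxy_round_trip(server_challenge_only_when_absent, CLIENT_REQUEST, True))
    print("challenge-when-not-acceptable, Basic forwarded:",
          proxy_round_trip(server_challenge_when_not_acceptable, CLIENT_REQUEST, False))
```

Run stand-alone, the first case stays at 401 because the server never issues the challenge the proxy is waiting for; stripping the client's Authorization at the proxy, or having the server challenge on any unacceptable credentials, both complete with 200. The `challenged_with_negotiate` check is also the quickest thing to verify against a live deployment: a 401 without a `WWW-Authenticate: Negotiate` field in response to a request carrying a Basic header is the symptom described in the thread.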