From 2176eb386104a8d8f7587bb6a7a732b5072c8bfa Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Sun, 7 May 2023 16:24:32 +0200
Subject: [PATCH] GGS based experimental authentication schemes deprecated and disabled by default
---
 .../testing/sync/TestSPNegoScheme.java | 226 ------------------
 .../hc/client5/http/auth/KerberosConfig.java | 5 +
 .../http/auth/KerberosCredentials.java | 7 +
 .../client5/http/auth/StandardAuthScheme.java | 16 +-
 .../impl/DefaultAuthenticationStrategy.java | 2 -
 .../http/impl/async/H2AsyncClientBuilder.java | 4 -
 .../impl/async/HttpAsyncClientBuilder.java | 4 -
 .../client5/http/impl/auth/GGSSchemeBase.java | 32 +--
 .../http/impl/auth/KerberosScheme.java | 10 +-
 .../http/impl/auth/KerberosSchemeFactory.java | 14 +-
 .../client5/http/impl/auth/SPNegoScheme.java | 10 +-
 .../http/impl/auth/SPNegoSchemeFactory.java | 14 +-
 .../http/impl/classic/HttpClientBuilder.java | 4 -
 .../http/impl/classic/ProxyClient.java | 4 -
 14 files changed, 75 insertions(+), 277 deletions(-)
 delete mode 100644 httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSPNegoScheme.java
diff --git a/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSPNegoScheme.java b/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSPNegoScheme.java
deleted file mode 100644
index d29f67d5d..000000000
--- a/httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestSPNegoScheme.java
+++ /dev/null
@@ -1,226 +0,0 @@ -/* - * ==================================================================== - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * ==================================================================== - * - * This software consists of voluntary contributions made by many - * individuals on behalf of the Apache Software Foundation. For more - * information on the Apache Software Foundation, please see - * . 
- * - */ -package org.apache.hc.client5.testing.sync; - -import java.io.IOException; -import java.security.Principal; - -import org.apache.hc.client5.http.SystemDefaultDnsResolver; -import org.apache.hc.client5.http.auth.AuthScheme; -import org.apache.hc.client5.http.auth.AuthSchemeFactory; -import org.apache.hc.client5.http.auth.AuthScope; -import org.apache.hc.client5.http.auth.Credentials; -import org.apache.hc.client5.http.auth.CredentialsProvider; -import org.apache.hc.client5.http.auth.KerberosConfig; -import org.apache.hc.client5.http.auth.StandardAuthScheme; -import org.apache.hc.client5.http.classic.methods.HttpGet; -import org.apache.hc.client5.http.impl.auth.CredentialsProviderBuilder; -import org.apache.hc.client5.http.impl.auth.SPNegoScheme; -import org.apache.hc.client5.http.impl.classic.CloseableHttpClient; -import org.apache.hc.client5.testing.sync.extension.TestClientResources; -import org.apache.hc.core5.http.ClassicHttpRequest; -import org.apache.hc.core5.http.ClassicHttpResponse; -import org.apache.hc.core5.http.HttpException; -import org.apache.hc.core5.http.HttpHost; -import org.apache.hc.core5.http.HttpStatus; -import org.apache.hc.core5.http.URIScheme; -import org.apache.hc.core5.http.config.Registry; -import org.apache.hc.core5.http.config.RegistryBuilder; -import org.apache.hc.core5.http.io.HttpRequestHandler; -import org.apache.hc.core5.http.io.entity.EntityUtils; -import org.apache.hc.core5.http.io.entity.StringEntity; -import org.apache.hc.core5.http.message.BasicHeader; -import org.apache.hc.core5.http.protocol.HttpContext; -import org.apache.hc.core5.testing.classic.ClassicTestServer; -import org.apache.hc.core5.util.Timeout; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; -import org.junit.jupiter.api.Assertions; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.RegisterExtension; -import org.mockito.ArgumentMatchers; -import org.mockito.Mockito; - -/** - * 
Tests for {@link SPNegoScheme}. - */ -public class TestSPNegoScheme { - - public static final Timeout TIMEOUT = Timeout.ofMinutes(1); - - @RegisterExtension - private TestClientResources testResources = new TestClientResources(URIScheme.HTTP, TIMEOUT); - - /** - * This service will continue to ask for authentication. - */ - private static class PleaseNegotiateService implements HttpRequestHandler { - - @Override - public void handle( - final ClassicHttpRequest request, - final ClassicHttpResponse response, - final HttpContext context) throws HttpException, IOException { - response.setCode(HttpStatus.SC_UNAUTHORIZED); - response.addHeader(new BasicHeader("WWW-Authenticate", StandardAuthScheme.SPNEGO + " blablabla")); - response.addHeader(new BasicHeader("Connection", "Keep-Alive")); - response.setEntity(new StringEntity("auth required ")); - } - } - - /** - * NegotatieScheme with a custom GSSManager that does not require any Jaas or - * Kerberos configuration. - * - */ - private static class NegotiateSchemeWithMockGssManager extends SPNegoScheme { - - final GSSManager manager = Mockito.mock(GSSManager.class); - final GSSName name = Mockito.mock(GSSName.class); - final GSSContext context = Mockito.mock(GSSContext.class); - - NegotiateSchemeWithMockGssManager() throws Exception { - super(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE); - Mockito.when(context.initSecContext( - ArgumentMatchers.any(), ArgumentMatchers.anyInt(), ArgumentMatchers.anyInt())) - .thenReturn("12345678".getBytes()); - Mockito.when(manager.createName( - ArgumentMatchers.anyString(), ArgumentMatchers.any())) - .thenReturn(name); - Mockito.when(manager.createContext( - ArgumentMatchers.any(), ArgumentMatchers.any(), - ArgumentMatchers.any(), ArgumentMatchers.anyInt())) - .thenReturn(context); - } - - @Override - protected GSSManager getManager() { - return manager; - } - - } - - @SuppressWarnings("deprecation") - private static class UseJaasCredentials implements Credentials { - - 
@Override - public char[] getPassword() { - return null; - } - - @Override - public Principal getUserPrincipal() { - return null; - } - - } - - private static class NegotiateSchemeFactoryWithMockGssManager implements AuthSchemeFactory { - - NegotiateSchemeWithMockGssManager scheme; - - NegotiateSchemeFactoryWithMockGssManager() throws Exception { - scheme = new NegotiateSchemeWithMockGssManager(); - } - - @Override - public AuthScheme create(final HttpContext context) { - return scheme; - } - - } - - /** - * Tests that the client will stop connecting to the server if - * the server still keep asking for a valid ticket. - */ - @Test - public void testDontTryToAuthenticateEndlessly() throws Exception { - final ClassicTestServer server = testResources.startServer(null, null, null); - server.registerHandler("*", new PleaseNegotiateService()); - final HttpHost target = testResources.targetHost(); - - final AuthSchemeFactory nsf = new NegotiateSchemeFactoryWithMockGssManager(); - final CredentialsProvider credentialsProvider = CredentialsProviderBuilder.create() - .add(new AuthScope(null, null, -1, null, null), new UseJaasCredentials()) - .build(); - - final Registry authSchemeRegistry = RegistryBuilder.create() - .register(StandardAuthScheme.SPNEGO, nsf) - .build(); - - final CloseableHttpClient client = testResources.startClient(builder -> builder - .setDefaultAuthSchemeRegistry(authSchemeRegistry) - .setDefaultCredentialsProvider(credentialsProvider) - ); - - final String s = "/path"; - final HttpGet httpget = new HttpGet(s); - client.execute(target, httpget, response -> { - EntityUtils.consume(response.getEntity()); - Assertions.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getCode()); - return null; - }); - } - - /** - * Javadoc specifies that {@link GSSContext#initSecContext(byte[], int, int)} can return null - * if no token is generated. Client should be able to deal with this response. 
- */
- @Test
- public void testNoTokenGeneratedError() throws Exception {
- final ClassicTestServer server = testResources.startServer(null, null, null);
- server.registerHandler("*", new PleaseNegotiateService());
- final HttpHost target = testResources.targetHost();
-
- final AuthSchemeFactory nsf = new NegotiateSchemeFactoryWithMockGssManager();
-
- final CredentialsProvider credentialsProvider = CredentialsProviderBuilder.create()
- .add(new AuthScope(null, null, -1, null, null), new UseJaasCredentials())
- .build();
-
- final Registry authSchemeRegistry = RegistryBuilder.create()
- .register(StandardAuthScheme.SPNEGO, nsf)
- .build();
-
- final CloseableHttpClient client = testResources.startClient(builder -> builder
- .setDefaultAuthSchemeRegistry(authSchemeRegistry)
- .setDefaultCredentialsProvider(credentialsProvider)
- );
-
- final String s = "/path";
- final HttpGet httpget = new HttpGet(s);
- client.execute(target, httpget, response -> {
- EntityUtils.consume(response.getEntity());
- Assertions.assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getCode());
- return null;
- });
-
- }
-
-}
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosConfig.java b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosConfig.java
index 26f908308..508eeb9b0 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosConfig.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosConfig.java
@@ -34,7 +34,12 @@ import org.apache.hc.core5.annotation.ThreadingBehavior;
 * Immutable class encapsulating Kerberos configuration options.
 *
 * @since 4.6
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
 */
+@Deprecated
 @Contract(threading = ThreadingBehavior.IMMUTABLE)
 public class KerberosConfig implements Cloneable {
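Review bot: The added `@deprecated` text says "GGS based", which looks like a transposition of GSS (the GGSSchemeBase Javadoc later in this patch reads `{@code GSS} based`); the same sentence is repeated in the KerberosCredentials, StandardAuthScheme, GGSSchemeBase, KerberosScheme, KerberosSchemeFactory, SPNegoScheme and SPNegoSchemeFactory hunks. I would write `@deprecated Do not use. The GSS-based experimental authentication schemes are no longer supported.` in all of them so the rendered Javadoc names the mechanism correctly. In this hunk the added text also ends with an empty ` *` line directly before ` */`, which can be dropped. The class body continues outside the hunk.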
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosCredentials.java b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosCredentials.java
index e40963b2a..92bab8d4f 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosCredentials.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/KerberosCredentials.java
@@ -37,7 +37,14 @@ import org.ietf.jgss.GSSCredential;
 * Kerberos specific {@link Credentials} representation based on {@link GSSCredential}.
 *
 * @since 4.4
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
+ * @see UsernamePasswordCredentials
+ * @see BearerToken
 */
+@Deprecated
 @Contract(threading = ThreadingBehavior.IMMUTABLE)
 public class KerberosCredentials implements Credentials, Serializable {
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java
index 3ea46bdb2..1345282c0 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java
@@ -65,17 +65,21 @@ public final class StandardAuthScheme {
 public static final String NTLM = "NTLM";
 /**
- * SPNEGO authentication scheme as defined in RFC 4559 and RFC 4178
- * (considered to be the most secure among currently supported
- * authentication schemes if Kerberos is selected).
+ * SPNEGO authentication scheme as defined in RFC 4559 and RFC 4178.
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
 */
+ @Deprecated
 public static final String SPNEGO = "Negotiate";
 /**
- * Kerberos authentication scheme as defined in RFC 4120
- * (considered to be the most secure among currently supported
- * authentication schemes).
+ * Kerberos authentication scheme as defined in RFC 4120.
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
 */
+ @Deprecated
 public static final String KERBEROS = "Kerberos";
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java
index 856b7459c..726c34663 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java
@@ -65,8 +65,6 @@ public class DefaultAuthenticationStrategy implements AuthenticationStrategy {
 private static final List DEFAULT_SCHEME_PRIORITY =
 Collections.unmodifiableList(Arrays.asList(
- StandardAuthScheme.SPNEGO,
- StandardAuthScheme.KERBEROS,
 StandardAuthScheme.BEARER,
 StandardAuthScheme.DIGEST,
 StandardAuthScheme.BASIC));
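Review bot: The replacement advice added to `SPNEGO` and `KERBEROS` treats Basic as a drop-in substitute, but Basic puts the reusable password on the wire with every request, so TLS is a precondition rather than something to consider. The GSS code deprecated in this patch also requests mutual authentication (`requestMutualAuth(true)` in GGSSchemeBase), which neither suggested scheme provides on its own. I would reword the second sentence to `Prefer Bearer, or Basic only over TLS with certificate validation left enabled.` and use the same wording in the other deprecation notes of this patch.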
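Review bot: With `SPNEGO` and `KERBEROS` removed from `DEFAULT_SCHEME_PRIORITY`, a server that offers Negotiate together with Basic or Digest will now be answered with a password-based scheme, and nothing on the constant says that this is deliberate. The registries in the H2AsyncClientBuilder, HttpAsyncClientBuilder, HttpClientBuilder and ProxyClient hunks drop the two factories in the same silent way. I would add a comment above the list, for example `// SPNEGO and Kerberos are deliberately absent: deprecated and never selected by default.`, and say in the builders' Javadoc that callers who still need them must register the factories themselves and, presumably, also name the schemes as preferred. The selection code that reads this list is outside the hunk, so the last part should be confirmed there.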
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
index e2ed2883e..68bdd465f 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
@@ -60,8 +60,6 @@ import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.KerberosSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider;
 import org.apache.hc.client5.http.impl.nio.MultihomeConnectionInitiator;
 import org.apache.hc.client5.http.impl.routing.DefaultRoutePlanner;
@@ -821,8 +819,6 @@ public class H2AsyncClientBuilder {
 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)
- .register(StandardAuthScheme.SPNEGO, SPNegoSchemeFactory.DEFAULT)
- .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
 .build();
 }
 Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
index 794145270..346d315c8 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
@@ -66,8 +66,6 @@ import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.KerberosSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider;
 import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.impl.routing.DefaultProxyRoutePlanner;
@@ -1008,8 +1006,6 @@ public class HttpAsyncClientBuilder {
 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)
- .register(StandardAuthScheme.SPNEGO, SPNegoSchemeFactory.DEFAULT)
- .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
 .build();
 }
 Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
index b8c6ed8ed..dddf512df 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
@@ -29,21 +29,19 @@ package org.apache.hc.client5.http.impl.auth;
 import java.net.UnknownHostException;
 import java.security.Principal;
-import org.apache.hc.client5.http.utils.Base64;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.auth.AuthChallenge;
 import org.apache.hc.client5.http.auth.AuthScheme;
-import org.apache.hc.client5.http.auth.StandardAuthScheme;
 import org.apache.hc.client5.http.auth.AuthScope;
 import org.apache.hc.client5.http.auth.AuthenticationException;
 import org.apache.hc.client5.http.auth.Credentials;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
 import org.apache.hc.client5.http.auth.InvalidCredentialsException;
-import org.apache.hc.client5.http.auth.KerberosConfig;
-import org.apache.hc.client5.http.auth.KerberosCredentials;
 import org.apache.hc.client5.http.auth.MalformedChallengeException;
+import org.apache.hc.client5.http.auth.StandardAuthScheme;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.client5.http.utils.Base64;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.HttpRequest;
 import org.apache.hc.core5.http.protocol.HttpContext;
@@ -61,7 +59,11 @@ import org.slf4j.LoggerFactory;
 * Common behavior for {@code GSS} based authentication schemes.
 *
 * @since 4.2
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
 */
+@Deprecated
 public abstract class GGSSchemeBase implements AuthScheme {
 enum State {
@@ -74,7 +76,7 @@ public abstract class GGSSchemeBase implements AuthScheme {
 private static final Logger LOG = LoggerFactory.getLogger(GGSSchemeBase.class);
 private static final String NO_TOKEN = "";
 private static final String KERBEROS_SCHEME = "HTTP";
- private final KerberosConfig config;
+ private final org.apache.hc.client5.http.auth.KerberosConfig config;
 private final DnsResolver dnsResolver;
 /** Authentication process state */
@@ -83,19 +85,19 @@ public abstract class GGSSchemeBase implements AuthScheme {
 private String challenge;
 private byte[] token;
- GGSSchemeBase(final KerberosConfig config, final DnsResolver dnsResolver) {
+ GGSSchemeBase(final org.apache.hc.client5.http.auth.KerberosConfig config, final DnsResolver dnsResolver) {
 super();
- this.config = config != null ? config : KerberosConfig.DEFAULT;
+ this.config = config != null ? config : org.apache.hc.client5.http.auth.KerberosConfig.DEFAULT;
 this.dnsResolver = dnsResolver != null ? dnsResolver : SystemDefaultDnsResolver.INSTANCE;
 this.state = State.UNINITIATED;
 }
- GGSSchemeBase(final KerberosConfig config) {
+ GGSSchemeBase(final org.apache.hc.client5.http.auth.KerberosConfig config) {
 this(config, SystemDefaultDnsResolver.INSTANCE);
 }
 GGSSchemeBase() {
- this(KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE);
+ this(org.apache.hc.client5.http.auth.KerberosConfig.DEFAULT, SystemDefaultDnsResolver.INSTANCE);
 }
 @Override
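Review bot: Spelling `org.apache.hc.client5.http.auth.KerberosConfig` out in full on the `config` field makes the line hard to scan, and nothing explains why the import was dropped in favour of it. The same pattern repeats in the constructor hunk that follows, the three later hunks of this file, and the KerberosScheme, KerberosSchemeFactory, SPNegoScheme and SPNegoSchemeFactory hunks. It is presumably done so that no import of a deprecated type remains, which older compilers warn about and which cannot be suppressed on an import. If so, a comment at this first use would stop a later cleanup from re-adding the import: `// Fully qualified on purpose: importing a deprecated type raises a deprecation warning on Java 8.`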
@@ -155,8 +157,8 @@ public abstract class GGSSchemeBase implements AuthScheme {
 final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential,
 GSSContext.DEFAULT_LIFETIME);
 gssContext.requestMutualAuth(true);
- if (config.getRequestDelegCreds() != KerberosConfig.Option.DEFAULT) {
- gssContext.requestCredDeleg(config.getRequestDelegCreds() == KerberosConfig.Option.ENABLE);
+ if (config.getRequestDelegCreds() != org.apache.hc.client5.http.auth.KerberosConfig.Option.DEFAULT) {
+ gssContext.requestCredDeleg(config.getRequestDelegCreds() == org.apache.hc.client5.http.auth.KerberosConfig.Option.ENABLE);
 }
 return gssContext;
 }
@@ -181,8 +183,8 @@ public abstract class GGSSchemeBase implements AuthScheme {
 final Credentials credentials = credentialsProvider.getCredentials(
 new AuthScope(host, null, getName()), context);
- if (credentials instanceof KerberosCredentials) {
- this.gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
+ if (credentials instanceof org.apache.hc.client5.http.auth.KerberosCredentials) {
+ this.gssCredential = ((org.apache.hc.client5.http.auth.KerberosCredentials) credentials).getGSSCredential();
 } else {
 this.gssCredential = null;
 }
@@ -210,13 +212,13 @@ public abstract class GGSSchemeBase implements AuthScheme {
 try {
 final String authServer;
 String hostname = host.getHostName();
- if (config.getUseCanonicalHostname() != KerberosConfig.Option.DISABLE){
+ if (config.getUseCanonicalHostname() != org.apache.hc.client5.http.auth.KerberosConfig.Option.DISABLE){
 try {
 hostname = dnsResolver.resolveCanonicalHostname(host.getHostName());
 } catch (final UnknownHostException ignore){
 }
 }
- if (config.getStripPort() != KerberosConfig.Option.DISABLE) {
+ if (config.getStripPort() != org.apache.hc.client5.http.auth.KerberosConfig.Option.DISABLE) {
 authServer = hostname;
 } else {
 authServer = hostname + ":" + host.getPort();
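Review bot: Directly below the changed `getUseCanonicalHostname()` condition in the last hunk, the `catch (final UnknownHostException ignore){ }` block stays empty, so a failed canonical lookup silently changes which host name ends up in `authServer`. The class is still shipped and usable after this commit, so I would at least record the fallback inside the catch, e.g. `LOG.debug("Canonical hostname lookup failed for {}; using the name as given", hostname);`. That gives operators a trace when authentication is attempted against an unexpected name. `LOG` is the logger visible in the field hunk of this file; the enclosing method starts and ends outside the hunk.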
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosScheme.java
index 46cbdbeb6..656f29633 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosScheme.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosScheme.java
@@ -28,7 +28,6 @@ package org.apache.hc.client5.http.impl.auth;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.auth.StandardAuthScheme;
-import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Experimental;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
@@ -41,7 +40,14 @@ import org.ietf.jgss.Oid;
 *

*
 * @since 4.2
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
+ * @see BasicScheme
+ * @see BearerScheme
 */
+@Deprecated
 @Experimental
 public class KerberosScheme extends GGSSchemeBase {
@@ -50,7 +56,7 @@ public class KerberosScheme extends GGSSchemeBase {
 /**
 * @since 5.0
 */
- public KerberosScheme(final KerberosConfig config, final DnsResolver dnsResolver) {
+ public KerberosScheme(final org.apache.hc.client5.http.auth.KerberosConfig config, final DnsResolver dnsResolver) {
 super(config, dnsResolver);
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosSchemeFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosSchemeFactory.java
index 9119a75de..25930f099 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosSchemeFactory.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/KerberosSchemeFactory.java
@@ -30,7 +30,6 @@ import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeFactory;
-import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.Experimental;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
@@ -45,7 +44,14 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 *

*
 * @since 4.2
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
+ * @see BasicSchemeFactory
+ * @see BearerSchemeFactory
 */
+@Deprecated
 @Contract(threading = ThreadingBehavior.STATELESS)
 @Experimental
 public class KerberosSchemeFactory implements AuthSchemeFactory {
@@ -53,16 +59,16 @@ public class KerberosSchemeFactory implements AuthSchemeFactory {
 /**
 * Singleton instance for the default configuration.
 */
- public static final KerberosSchemeFactory DEFAULT = new KerberosSchemeFactory(KerberosConfig.DEFAULT,
+ public static final KerberosSchemeFactory DEFAULT = new KerberosSchemeFactory(org.apache.hc.client5.http.auth.KerberosConfig.DEFAULT,
 SystemDefaultDnsResolver.INSTANCE);
- private final KerberosConfig config;
+ private final org.apache.hc.client5.http.auth.KerberosConfig config;
 private final DnsResolver dnsResolver;
 /**
 * @since 5.0
 */
- public KerberosSchemeFactory(final KerberosConfig config, final DnsResolver dnsResolver) {
+ public KerberosSchemeFactory(final org.apache.hc.client5.http.auth.KerberosConfig config, final DnsResolver dnsResolver) {
 super();
 this.config = config;
 this.dnsResolver = dnsResolver;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoScheme.java
index bad1c0fc6..7971ff935 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoScheme.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoScheme.java
@@ -28,7 +28,6 @@ package org.apache.hc.client5.http.impl.auth;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.auth.StandardAuthScheme;
-import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Experimental;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
@@ -42,7 +41,14 @@ import org.ietf.jgss.Oid;
 *

*
 * @since 4.2
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
+ * @see BasicScheme
+ * @see BearerScheme
 */
+@Deprecated
 @Experimental
 public class SPNegoScheme extends GGSSchemeBase {
@@ -51,7 +57,7 @@ public class SPNegoScheme extends GGSSchemeBase {
 /**
 * @since 5.0
 */
- public SPNegoScheme(final KerberosConfig config, final DnsResolver dnsResolver) {
+ public SPNegoScheme(final org.apache.hc.client5.http.auth.KerberosConfig config, final DnsResolver dnsResolver) {
 super(config, dnsResolver);
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoSchemeFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoSchemeFactory.java
index 7953c8f3b..14d8528c5 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoSchemeFactory.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SPNegoSchemeFactory.java
@@ -30,7 +30,6 @@ import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.SystemDefaultDnsResolver;
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeFactory;
-import org.apache.hc.client5.http.auth.KerberosConfig;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.Experimental;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
@@ -45,7 +44,14 @@ import org.apache.hc.core5.http.protocol.HttpContext;
 *

*
 * @since 4.2
+ *
+ * @deprecated Do not use. The GGS based experimental authentication schemes are no longer
+ * supported. Consider using Basic or Bearer authentication with TLS instead.
+ *
+ * @see BasicSchemeFactory
+ * @see BearerSchemeFactory
 */
+@Deprecated
 @Contract(threading = ThreadingBehavior.STATELESS)
 @Experimental
 public class SPNegoSchemeFactory implements AuthSchemeFactory {
@@ -53,16 +59,16 @@ public class SPNegoSchemeFactory implements AuthSchemeFactory {
 /**
 * Singleton instance for the default configuration.
 */
- public static final SPNegoSchemeFactory DEFAULT = new SPNegoSchemeFactory(KerberosConfig.DEFAULT,
+ public static final SPNegoSchemeFactory DEFAULT = new SPNegoSchemeFactory(org.apache.hc.client5.http.auth.KerberosConfig.DEFAULT,
 SystemDefaultDnsResolver.INSTANCE);
- private final KerberosConfig config;
+ private final org.apache.hc.client5.http.auth.KerberosConfig config;
 private final DnsResolver dnsResolver;
 /**
 * @since 5.0
 */
- public SPNegoSchemeFactory(final KerberosConfig config, final DnsResolver dnsResolver) {
+ public SPNegoSchemeFactory(final org.apache.hc.client5.http.auth.KerberosConfig config, final DnsResolver dnsResolver) {
 super();
 this.config = config;
 this.dnsResolver = dnsResolver;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
index 7f1844476..8711f4315 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
@@ -69,8 +69,6 @@ import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.KerberosSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.impl.routing.DefaultProxyRoutePlanner;
@@ -965,8 +963,6 @@ public class HttpClientBuilder {
 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)
- .register(StandardAuthScheme.SPNEGO, SPNegoSchemeFactory.DEFAULT)
- .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
 .build();
 }
 Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java
index b86fcb8ed..8b4965cef 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java
@@ -48,8 +48,6 @@ import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory;
 import org.apache.hc.client5.http.impl.auth.HttpAuthenticator;
-import org.apache.hc.client5.http.impl.auth.KerberosSchemeFactory;
-import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
 import org.apache.hc.client5.http.impl.io.ManagedHttpClientConnectionFactory;
 import org.apache.hc.client5.http.io.ManagedHttpClientConnection;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
@@ -120,8 +118,6 @@ public class ProxyClient {
 this.authSchemeRegistry = RegistryBuilder.create()
 .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
 .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
- .register(StandardAuthScheme.SPNEGO, SPNegoSchemeFactory.DEFAULT)
- .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
 .build();
 this.reuseStrategy = DefaultClientConnectionReuseStrategy.INSTANCE;
 }
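Review bot: After the second hunk the ProxyClient registry offers only `BASIC` and `DIGEST`, while the deprecation notes in this patch point users to Bearer and the three client builders keep `.register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE)`. If ProxyClient is meant to support Bearer, that line and the `BearerSchemeFactory` import are missing here. If it is not, a short comment above the registry, such as `// Only Basic and Digest are supported by ProxyClient.`, would settle the question for anyone following the deprecation advice. The constructor starts outside the hunk.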