* Removed superfluous SpnegoCreate flag
* Finalized SPNEGO example and tutorial git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@824409 13f79535-47bb-0310-9956-ffa450edef68
parent
7c2cc42b1f
commit
a09823ff00
|
@ -1,6 +1,9 @@
|
|||
Changes since 4.0
|
||||
-------------------
|
||||
|
||||
* [HTTPCLIENT-523] Support for SPNEGO authentication scheme.
|
||||
Contributed by Matthew Stevenson <mavricknzwork at yahoo.com>
|
||||
|
||||
* Simplified configuration of connection managers. Total connection maximum
|
||||
and maximum connection per route limits can be set using methods of
|
||||
the class instead of HTTP parameters.
|
||||
|
|
|
@ -44,21 +44,14 @@ import org.apache.http.util.EntityUtils;
|
|||
* <p><b>Information</b></p>
|
||||
* <p>For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more
|
||||
completely.</p>
|
||||
* <p><em>NegotiateSchemeFactory</em></p>
|
||||
* <p>Has three custom methods</p>
|
||||
* <p><em>setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
|
||||
* service name if true. Found useful with JbossNegotiation. Java >= 1.5</p>
|
||||
*
|
||||
* <p>Below are for Java 1.5.</p>
|
||||
*
|
||||
* <p><em>setSpnegoCreate(boolean)</em> - defaults to false, try to create an SPNEGO token via
|
||||
* the token set in setSpengoGenerator. TODO - merge logic so just setSpengoGenerator</p>
|
||||
*
|
||||
* <p><em>setSpengoGenerator(new SpnegoTokenGenerator())</em> - default is null, class to use to wrap
|
||||
* <p><em>NegotiateSchemeFactory</em> kas two custom methods</p>
|
||||
* <p><em>#setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
|
||||
* service name if true. Found useful with JBoss Negotiation. Can be used with Java >= 1.5</p>
|
||||
* <p><em>#setSpengoGenerator(SpnegoTokenGenerator)</em> - default is null, class to use to wrap
|
||||
* kerberos token. An example is in contrib - <em>org.apache.http.contrib.auth.BouncySpnegoTokenGenerator</em>.
|
||||
* Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>
|
||||
* Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>.
|
||||
* Useful with Java 1.5.
|
||||
* </p>
|
||||
*
|
||||
* <p><b>Addtional Config Files</b></p>
|
||||
* <p>Two files control how Java uses/configures Kerberos. Very basic examples are below. There
|
||||
* is a large amount of information on the web.</p>
|
||||
|
@ -134,15 +127,8 @@ public class ClientKerberosAuthentication {
|
|||
|
||||
DefaultHttpClient httpclient = new DefaultHttpClient();
|
||||
|
||||
/*
|
||||
* NegotiateSchemeFactory creates the NegotiateScheme instance to be use for each request
|
||||
* if using Java 5/6 and IIS7 you can just use the defaults.
|
||||
* JbossNegotiate use setStripPort(true), or add service names with ports to kerberos DB.
|
||||
* JbossNegotiate needs Java 6 or a SpengoGenerator.
|
||||
*/
|
||||
NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
|
||||
// nsf.setStripPort(false);
|
||||
// nsf.setSpnegoCreate(true);
|
||||
// nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
|
||||
|
||||
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
|
||||
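Review bot: The rewritten class Javadoc in the first hunk carries typos that will ship with the published example: `kas two custom methods` should read `has two custom methods`, and `with strip the port off the Kerberos service name` should read `will strip the port off the Kerberos service name`. The Javadoc block starts above the hunk, so only these lines are visible here. In the second hunk the block comment explaining when the options apply appears to be dropped while `// nsf.setStripPort(false);` stays, leaving the option unexplained at the point of use. I would keep a one-line comment there, for example `// setStripPort(true) requests the ticket for HTTP/host instead of HTTP/host:port; enable only if the server's service name is registered without the port`.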
|
|
|
@ -67,10 +67,6 @@ public class NegotiateScheme implements AuthScheme {
|
|||
* Probably a debatable addition.
|
||||
*/
|
||||
private boolean stripPort = false;
|
||||
/* spnegoCreate is used to generate an SPNEGO wrapper around
|
||||
* for JDKs < 1.6.
|
||||
*/
|
||||
private boolean spnegoCreate = false;
|
||||
|
||||
private SpnegoTokenGenerator spengoGenerator = null;
|
||||
|
||||
|
@ -217,9 +213,9 @@ public class NegotiateScheme implements AuthScheme {
|
|||
* IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
|
||||
* seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
|
||||
*/
|
||||
if(isSpnegoCreate() && negotiationOid.toString().equals(KERBEROS_OID)
|
||||
&& spengoGenerator != null )
|
||||
if (spengoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
|
||||
token = spengoGenerator.generateSpnegoDERObject(token);
|
||||
}
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.info("got token, sending " + token.length + " bytes to server");
|
||||
|
@ -325,24 +321,6 @@ public class NegotiateScheme implements AuthScheme {
|
|||
stripPort = stripport;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sould an attempt be made to wrap Kerberos ticket up as an SPNEGO token.
|
||||
* Use only with Java <= 1.5
|
||||
* @return
|
||||
*/
|
||||
public boolean isSpnegoCreate() {
|
||||
return spnegoCreate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set to true if an attempt should be made to wrap Kerberos ticket up as an SPNEGO token.
|
||||
* Use only with Java <= 1.5
|
||||
* @param spnegocreate - set to true do attempt SPNEGO wrapping
|
||||
*/
|
||||
public void setSpnegoCreate(boolean spnegocreate) {
|
||||
spnegoCreate = spnegocreate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Inject the class to be used to generate an SPNEGO token from a Kerberos ticket.
|
||||
* Use only with Java <= 1.5 , tested against Jboss Negotiate.
|
||||
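Review bot: The value returned by `spengoGenerator.generateSpnegoDERObject(token)` in the second hunk is assigned straight back to `token`, dereferenced by `token.length` and then sent to the server, with no check that the injected generator produced a usable token. Now that the presence of a generator is the only switch for wrapping, I would guard the result right after the call, e.g. `if (token == null || token.length == 0) { throw new AuthenticationException("SPNEGO token generator returned no token"); }`, assuming the enclosing method may throw that type; its signature is outside the hunk. The same hunk also guards a `log.info(...)` call with `log.isDebugEnabled()`, so the message is emitted at the wrong level. The call should be `log.debug("got token, sending " + token.length + " bytes to server");`, and logging only the length rather than the token bytes is worth keeping.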
|
|
|
@ -39,13 +39,11 @@ import org.apache.http.params.HttpParams;
|
|||
public class NegotiateSchemeFactory implements AuthSchemeFactory {
|
||||
|
||||
private boolean stripPort = false; // strip port off kerb name
|
||||
private boolean spnegoCreate = false; // generate an SPNEGO wrapper for JDKs < 1.6.
|
||||
private SpnegoTokenGenerator spengoGenerator = null;
|
||||
|
||||
public AuthScheme newInstance(final HttpParams params) {
|
||||
NegotiateScheme negotiateScheme = new NegotiateScheme();
|
||||
negotiateScheme.setStripPort(stripPort);
|
||||
negotiateScheme.setSpnegoCreate(spnegoCreate);
|
||||
negotiateScheme.setSpengoGenerator(spengoGenerator);
|
||||
return negotiateScheme;
|
||||
}
|
||||
|
@ -62,14 +60,6 @@ public class NegotiateSchemeFactory implements AuthSchemeFactory {
|
|||
return stripPort;
|
||||
}
|
||||
|
||||
public void setSpnegoCreate(boolean spnegoCreate) {
|
||||
this.spnegoCreate = spnegoCreate;
|
||||
}
|
||||
|
||||
public boolean isSpnegoCreate() {
|
||||
return spnegoCreate;
|
||||
}
|
||||
|
||||
public void setSpengoGenerator(SpnegoTokenGenerator spengoGenerator) {
|
||||
this.spengoGenerator = spengoGenerator;
|
||||
}
|
||||
|
|
|
@ -422,7 +422,8 @@ httpclient.addRequestInterceptor(preemptiveAuth, 0);
|
|||
<section>
|
||||
<title><literal>SPNEGO</literal> support in HttpClient</title>
|
||||
<para><literal>SPNEGO</literal> authentication scheme is compatible with Sun Java
|
||||
versions 1.5 and up.</para>
|
||||
versions 1.5 and up. However the use of Java >= 1.6 is strongly recommended as it
|
||||
supports <literal>SPNEGO</literal> authentication more completely.</para>
|
||||
<para>The Sun JRE provides the supporting classes to do nearly all the kerberos and
|
||||
<literal>SPNEGO</literal> token handling. This means that a lot of the setup is
|
||||
for the GSS classes. The <classname>NegotiateScheme</classname> is a simple class to
|
||||
|
@ -454,7 +455,7 @@ httpclient.addRequestInterceptor(preemptiveAuth, 0);
|
|||
<section>
|
||||
<title><literal>login.conf</literal> file</title>
|
||||
<para>The following configuration is a basic setup that works in Windows XP against both
|
||||
<literal>IIS7</literal> and <literal>JbossNegotiate</literal> modules.</para>
|
||||
<literal>IIS</literal> and <literal>JBoss Negotiation</literal> modules.</para>
|
||||
<para>The system property <literal>java.security.auth.login.config</literal> can be use
|
||||
to point at the <literal>login.conf</literal> file.</para>
|
||||
<para><literal>login.conf</literal> content may look like the following:</para>
|
||||
|
@ -536,24 +537,16 @@ httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
|
|||
<classname>NegotiateSchemeFactory</classname>. </para>
|
||||
<section>
|
||||
<title>
|
||||
<methodname>setStripPort</methodname>
|
||||
<methodname>#setStripPort(boolean)</methodname>
|
||||
</title>
|
||||
<para>Strips the port off service names e.g.
|
||||
<literal>HTTP/webserver.ad.example.net:8080</literal> ->
|
||||
<literal>HTTP/webserver.ad.example.net</literal></para>
|
||||
<para>Found it useful when using JbossNegotiation.</para>
|
||||
<para>Found it useful when authenticating against JBoss Negotiation.</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>
|
||||
<methodname>setSpnegoCreate</methodname>
|
||||
</title>
|
||||
<para>If using Java 1.5 or a Kerberos ticket an attempt will be made to wrap it up
|
||||
into a <literal>SPNEGO</literal> token. Again for JbossNegotiation. II7 accepts
|
||||
plain Kerberos tickets.</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>
|
||||
<methodname>setSpengoGenerator</methodname>
|
||||
<methodname>#setSpengoGenerator(SpnegoTokenGenerator)</methodname>
|
||||
</title>
|
||||
<para>Use this method to inject a custom
|
||||
<interfacename>SpnegoTokenGenerator</interfacename> class to do the Kerberos
|
||||
|
@ -561,7 +554,9 @@ httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
|
|||
<classname>BouncySpnegoTokenGenerator</classname> implementation is provided
|
||||
as unsupported contribution from the contrib package. This requires the
|
||||
BouncyCastle libs <ulink url="http://www.bouncycastle.org/java.html"
|
||||
>"http://www.bouncycastle.org/java.html"</ulink>
|
||||
>"http://www.bouncycastle.org/java.html"</ulink>. Found especially useful
|
||||
when using Java 1.5 that is known to provide only a limited support for
|
||||
<literal>SPNEGO</literal> authentication.
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||