* Removed superfluous SpnegoCreate flag

* Finalized SPNEGO example and tutorial

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@824409 13f79535-47bb-0310-9956-ffa450edef68

RELEASE_NOTES.txt

@@ -1,6 +1,9 @@
 Changes since 4.0
 -------------------
 
+* [HTTPCLIENT-523] Support for SPNEGO authentication scheme.
+  Contributed by Matthew Stevenson <mavricknzwork at yahoo.com>
+
 * Simplified configuration of connection managers. Total connection maximum
   and maximum connection per route limits can be set using methods of 
   the class instead of HTTP parameters.

httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java

@@ -44,21 +44,14 @@ import org.apache.http.util.EntityUtils;
  * <p><b>Information</b></p>
  * <p>For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more 
       completely.</p>
- * <p><em>NegotiateSchemeFactory</em></p>
+ * <p><em>NegotiateSchemeFactory</em> kas two custom methods</p>
- * <p>Has three custom methods</p>
+ * <p><em>#setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
- * <p><em>setStripPort(boolean)</em> - default is false, with strip the port off the Kerberos
+ * service name if true. Found useful with JBoss Negotiation. Can be used with Java >= 1.5</p>
- * service name if true. Found useful with JbossNegotiation. Java >= 1.5</p>
+ * <p><em>#setSpengoGenerator(SpnegoTokenGenerator)</em> - default is null, class to use to wrap
- * 
- * <p>Below are for Java 1.5.</p>
- * 
- * <p><em>setSpnegoCreate(boolean)</em> - defaults to false, try to create an SPNEGO token via
- * the token set in setSpengoGenerator. TODO - merge logic so just setSpengoGenerator</p>
- * 
- * <p><em>setSpengoGenerator(new SpnegoTokenGenerator())</em> - default is null, class to use to wrap
  * kerberos token. An example is in contrib - <em>org.apache.http.contrib.auth.BouncySpnegoTokenGenerator</em>.
- * Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>
+ * Requires use of <a href="http://www.bouncycastle.org/java.html">bouncy castle libs</a>.
+ * Useful with Java 1.5.
  * </p>
- * 
  * <p><b>Addtional Config Files</b></p>
  * <p>Two files control how Java uses/configures Kerberos. Very basic examples are below. There
  * is a large amount of information on the web.</p>
@@ -134,15 +127,8 @@ public class ClientKerberosAuthentication {
         
         DefaultHttpClient httpclient = new DefaultHttpClient();
 
-        /* 
-         * NegotiateSchemeFactory creates the NegotiateScheme instance to be use for each request
-         * if using Java 5/6 and IIS7 you can just use the defaults. 
-         * JbossNegotiate use setStripPort(true), or add service names with ports to kerberos DB. 
-         * JbossNegotiate needs Java 6 or a SpengoGenerator.
-         */
         NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
 //        nsf.setStripPort(false);
-//        nsf.setSpnegoCreate(true);
 //        nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
         
         httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java

@@ -67,10 +67,6 @@ public class NegotiateScheme implements AuthScheme {
      * Probably a debatable addition.
     */
     private boolean stripPort = false;
-    /* spnegoCreate is used to generate an SPNEGO wrapper around
-     * for JDKs < 1.6.
-     */
-    private boolean spnegoCreate = false;
     
     private SpnegoTokenGenerator spengoGenerator = null;
     
@@ -217,9 +213,9 @@ public class NegotiateScheme implements AuthScheme {
              * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
              * seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
              */
-            if(isSpnegoCreate() && negotiationOid.toString().equals(KERBEROS_OID)
+            if (spengoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
-                    && spengoGenerator != null )
                 token = spengoGenerator.generateSpnegoDERObject(token);
+            }
 
             if (log.isDebugEnabled()) {
                 log.info("got token, sending " + token.length + " bytes to server");
@@ -325,24 +321,6 @@ public class NegotiateScheme implements AuthScheme {
         stripPort = stripport;
     }
 
-    /**
-     * Sould an attempt be made to wrap Kerberos ticket up as an SPNEGO token.
-     * Use only with Java <= 1.5
-     * @return
-     */
-    public boolean isSpnegoCreate() {
-        return spnegoCreate;
-    }
-
-    /**
-     * Set to true if an attempt should be made to wrap Kerberos ticket up as an SPNEGO token.
-     * Use only with Java <= 1.5
-     * @param spnegocreate - set to true do attempt SPNEGO wrapping 
-     */
-    public void setSpnegoCreate(boolean spnegocreate) {
-        spnegoCreate = spnegocreate;
-    }
-
     /**
      * Inject the class to be used to generate an SPNEGO token from a Kerberos ticket.
      * Use only with Java <= 1.5 , tested against Jboss Negotiate.

httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java

@@ -39,13 +39,11 @@ import org.apache.http.params.HttpParams;
 public class NegotiateSchemeFactory implements AuthSchemeFactory {
     
     private boolean stripPort = false; // strip port off kerb name
-    private boolean spnegoCreate = false; // generate an SPNEGO wrapper for JDKs < 1.6.
     private SpnegoTokenGenerator spengoGenerator = null;
     
     public AuthScheme newInstance(final HttpParams params) {
         NegotiateScheme negotiateScheme = new NegotiateScheme();
         negotiateScheme.setStripPort(stripPort);
-        negotiateScheme.setSpnegoCreate(spnegoCreate);
         negotiateScheme.setSpengoGenerator(spengoGenerator);
         return negotiateScheme;
     }
@@ -62,14 +60,6 @@ public class NegotiateSchemeFactory implements AuthSchemeFactory {
         return stripPort;
     }
 
-    public void setSpnegoCreate(boolean spnegoCreate) {
-        this.spnegoCreate = spnegoCreate;
-    }
-
-    public boolean isSpnegoCreate() {
-        return spnegoCreate;
-    }
-
     public void setSpengoGenerator(SpnegoTokenGenerator spengoGenerator) {
         this.spengoGenerator = spengoGenerator;
     }

src/docbkx/authentication.xml

@@ -422,7 +422,8 @@ httpclient.addRequestInterceptor(preemptiveAuth, 0);
         <section>
             <title><literal>SPNEGO</literal> support in HttpClient</title>
             <para><literal>SPNEGO</literal> authentication scheme is compatible with Sun Java
-                versions 1.5 and up.</para>
+                versions 1.5 and up. However the use of Java >= 1.6 is strongly recommended as it 
+                supports <literal>SPNEGO</literal> authentication more completely.</para>
             <para>The Sun JRE provides the supporting classes to do nearly all the kerberos and
                     <literal>SPNEGO</literal> token handling. This means that a lot of the setup is
                 for the GSS classes. The <classname>NegotiateScheme</classname> is a simple class to
@@ -454,7 +455,7 @@ httpclient.addRequestInterceptor(preemptiveAuth, 0);
         <section>
             <title><literal>login.conf</literal> file</title>
             <para>The following configuration is a basic setup that works in Windows XP against both
-                    <literal>IIS7</literal> and <literal>JbossNegotiate</literal> modules.</para>
+                    <literal>IIS</literal> and <literal>JBoss Negotiation</literal> modules.</para>
             <para>The system property <literal>java.security.auth.login.config</literal> can be use
                 to point at the <literal>login.conf</literal> file.</para>
             <para><literal>login.conf</literal> content may look like the following:</para>
@@ -536,24 +537,16 @@ httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
                     <classname>NegotiateSchemeFactory</classname>. </para>
             <section>
                 <title>
-                    <methodname>setStripPort</methodname>
+                    <methodname>#setStripPort(boolean)</methodname>
                 </title>
                 <para>Strips the port off service names e.g.
                         <literal>HTTP/webserver.ad.example.net:8080</literal> ->
                         <literal>HTTP/webserver.ad.example.net</literal></para>
-                <para>Found it useful when using JbossNegotiation.</para>
+                <para>Found it useful when authenticating against JBoss Negotiation.</para>
             </section>
             <section>
                 <title>
-                    <methodname>setSpnegoCreate</methodname>
+                    <methodname>#setSpengoGenerator(SpnegoTokenGenerator)</methodname>
-                </title>
-                <para>If using Java 1.5 or a Kerberos ticket an attempt will be made to wrap it up
-                    into a <literal>SPNEGO</literal> token. Again for JbossNegotiation. II7 accepts
-                    plain Kerberos tickets.</para>
-            </section>
-            <section>
-                <title>
-                    <methodname>setSpengoGenerator</methodname>
                 </title>
                 <para>Use this method to inject a custom
                         <interfacename>SpnegoTokenGenerator</interfacename> class to do the Kerberos
@@ -561,7 +554,9 @@ httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
                         <classname>BouncySpnegoTokenGenerator</classname> implementation is provided
                     as unsupported contribution from the contrib package. This requires the
                     BouncyCastle libs <ulink url="http://www.bouncycastle.org/java.html"
-                        >"http://www.bouncycastle.org/java.html"</ulink>
+                        >"http://www.bouncycastle.org/java.html"</ulink>. Found especially useful 
+                    when using Java 1.5 that is known to provide only a limited support for 
+                    <literal>SPNEGO</literal> authentication.    
                 </para>
             </section>
         </section>