HTTPCLIENT-1545: Possible infinite loop when WindowsNegotiateScheme authentication fails

Contributed by Ka-Lok Fung <ka-lok.fung at sap.com>

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1618551 13f79535-47bb-0310-9956-ffa450edef68

httpclient-win/pom.xml

@@ -45,6 +45,13 @@
       <version>${project.version}</version>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+      <classifier>tests</classifier>
+    </dependency>
     <dependency>
       <groupId>net.java.dev.jna</groupId>
       <artifactId>jna</artifactId>

httpclient-win/src/main/java/org/apache/http/impl/auth/win/WindowsNegotiateScheme.java

@@ -127,7 +127,6 @@ public class WindowsNegotiateScheme extends AuthSchemeBase {
         return true;
     }
 
-
     @Override
     protected void parseChallenge(
             final CharArrayBuffer buffer,
@@ -177,11 +176,11 @@ public class WindowsNegotiateScheme extends AuthSchemeBase {
                 response = getToken(null, null,
                         this.servicePrincipalName != null ? this.servicePrincipalName : username);
             } catch (Throwable t) {
-                dispose();
+                failAuthCleanup();
                 throw new AuthenticationException("Authentication Failed", t);
             }
         } else if (this.challenge == null || this.challenge.isEmpty()) {
-            dispose();
+            failAuthCleanup();
             throw new AuthenticationException("Authentication Failed");
         } else {
             try {
@@ -191,7 +190,7 @@ public class WindowsNegotiateScheme extends AuthSchemeBase {
                 response = getToken(this.sppicontext, continueTokenBuffer,
                         this.servicePrincipalName != null ? this.servicePrincipalName : "localhost");
             } catch (Throwable t) {
-                dispose();
+                failAuthCleanup();
                 throw new AuthenticationException("Authentication Failed", t);
             }
         }
@@ -209,6 +208,11 @@ public class WindowsNegotiateScheme extends AuthSchemeBase {
         return new BufferedHeader(buffer);
     }
 
+    private void failAuthCleanup() {
+        dispose();
+        this.continueNeeded = false;
+    }
+
     // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa375506(v=vs.85).aspx
     private String getToken(
             final CtxtHandle continueCtx,
@@ -252,5 +256,3 @@ public class WindowsNegotiateScheme extends AuthSchemeBase {
     }
 
 }
-
-

httpclient-win/src/test/java/org/apache/http/impl/auth/win/TestWindowsNegotiateScheme.java

@@ -0,0 +1,116 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.impl.auth.win;
+
+import java.io.IOException;
+
+import org.apache.http.HttpException;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
+import org.apache.http.auth.AUTH;
+import org.apache.http.auth.AuthSchemeProvider;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.config.AuthSchemes;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.SystemDefaultCredentialsProvider;
+import org.apache.http.impl.client.WinHttpClients;
+import org.apache.http.localserver.LocalServerTestBase;
+import org.apache.http.protocol.HttpContext;
+import org.apache.http.protocol.HttpRequestHandler;
+import org.apache.http.util.EntityUtils;
+import org.junit.After;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Unit tests for Windows negotiate authentication.
+ */
+public class TestWindowsNegotiateScheme extends LocalServerTestBase {
+
+    @Before @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        this.serverBootstrap.registerHandler("/", new HttpRequestHandler() {
+
+            @Override
+            public void handle(
+                    final HttpRequest request,
+                    final HttpResponse response,
+                    final HttpContext context) throws HttpException, IOException {
+                response.addHeader(AUTH.WWW_AUTH, AuthSchemes.SPNEGO);
+                response.setStatusCode(HttpStatus.SC_UNAUTHORIZED);
+            }
+
+        });
+    }
+
+    @After @Override
+    public void shutDown() throws Exception {
+        super.shutDown();
+    }
+
+    @Test(timeout=30000) // this timeout (in ms) needs to be extended if you're actively debugging the code
+    public void testNoInfiniteLoopOnSPNOutsideDomain() throws Exception {
+        Assume.assumeTrue("Test can only be run on Windows", WinHttpClients.isWinAuthAvailable());
+
+        // HTTPCLIENT-1545
+        // If a service principle name (SPN) from outside your Windows domain tree (e.g., HTTP/EXAMPLE.COM) is used,
+        // InitializeSecurityContext will return SEC_E_DOWNGRADE_DETECTED (decimal: -2146892976, hex: 0x80090350).
+        // Because WindowsNegotiateScheme wasn't setting the completed state correctly when authentication fails,
+        // HttpClient goes into an infinite loop, constantly retrying the negotiate authentication to kingdom
+        // come. This error message, "The system detected a possible attempt to compromise security. Please ensure that
+        // you can contact the server that authenticated you." is associated with SEC_E_DOWNGRADE_DETECTED.
+
+        final Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
+                .register(AuthSchemes.SPNEGO, new WindowsNegotiateSchemeFactory("HTTP/EXAMPLE.COM"))
+                .build();
+        final CredentialsProvider credsProvider = new WindowsCredentialsProvider(new SystemDefaultCredentialsProvider());
+        final CloseableHttpClient customClient = HttpClientBuilder.create()
+                .setDefaultCredentialsProvider(credsProvider)
+                .setDefaultAuthSchemeRegistry(authSchemeRegistry).build();
+
+        final HttpHost target = start();
+        final HttpGet httpGet = new HttpGet("/");
+        final CloseableHttpResponse response = customClient.execute(target, httpGet);
+        try {
+            EntityUtils.consume(response.getEntity());
+        } finally {
+            response.close();
+        }
+    }
+
+}
+
+