Apache
/
httpcomponents-client
mirror of https://github.com/apache/httpcomponents-client.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

HTTPCLIENT-901: pass HttpContext as a parameter to the AuthScheme#authenticate. Some complex auth scheme may require access to the execution context in order to work 

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@932051 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Oleg Kalnichevski 2010-04-08 18:29:52 +00:00
parent 659a47be1d
commit c80ee8a78d
9 changed files with 172 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
httpclient/src/main/java/org/apache/http/auth/AuthScheme.java
View File

@ -48,7 +48,10 @@ import org.apache.http.HttpRequest;
* <p>
* Authentication schemes may be stateful involving a series of
* challenge-response exchanges.
*
* <p>
* IMPORTANT: implementations of this interface MUST also implement {@link ContextAwareAuthScheme}
* interface in order to remain API compatible with newer versions of HttpClient.
*
* @since 4.0
*/
@ -117,7 +120,10 @@ public interface AuthScheme {
* be generated due to an authentication failure
*
* @return the authorization string
*
* @deprecated Use {@link ContextAwareAuthScheme#authenticate(Credentials, HttpRequest, org.apache.http.protocol.HttpContext)}
*/
@Deprecated
Header authenticate(Credentials credentials, HttpRequest request)
throws AuthenticationException;

2
httpclient/src/main/java/org/apache/http/auth/ContextAwareAuthScheme.java
View File

@ -35,6 +35,8 @@ import org.apache.http.protocol.HttpContext;
* that requires access to {@link HttpContext} in order to
* generate an authorization string.
*
* TODO: Fix AuthScheme interface in the next major version
*
* @since 4.1
*/

1
httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
View File

@ -60,6 +60,7 @@ public class RequestProxyAuthentication implements HttpRequestInterceptor {
super();
}
@SuppressWarnings("deprecation")
public void process(final HttpRequest request, final HttpContext context)
throws HttpException, IOException {
if (request == null) {

1
httpclient/src/main/java/org/apache/http/client/protocol/RequestTargetAuthentication.java
View File

@ -60,6 +60,7 @@ public class RequestTargetAuthentication implements HttpRequestInterceptor {
super();
}
@SuppressWarnings("deprecation")
public void process(final HttpRequest request, final HttpContext context)
throws HttpException, IOException {
if (request == null) {

17
httpclient/src/main/java/org/apache/http/impl/auth/AuthSchemeBase.java
View File

@ -30,10 +30,14 @@ import org.apache.http.annotation.NotThreadSafe;
import org.apache.http.FormattedHeader;
import org.apache.http.Header;
import org.apache.http.HttpRequest;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.ContextAwareAuthScheme;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.CharArrayBuffer;
/**
@ -47,7 +51,7 @@ import org.apache.http.util.CharArrayBuffer;
* @since 4.0
*/
@NotThreadSafe // proxy
public abstract class AuthSchemeBase implements AuthScheme {
public abstract class AuthSchemeBase implements ContextAwareAuthScheme {
/**
* Flag whether authenticating against a proxy.
@ -111,6 +115,15 @@ public abstract class AuthSchemeBase implements AuthScheme {
parseChallenge(buffer, pos, buffer.length());
}
@SuppressWarnings("deprecation")
public Header authenticate(
final Credentials credentials,
final HttpRequest request,
final HttpContext context) throws AuthenticationException {
return authenticate(credentials, request);
}
protected abstract void parseChallenge(
CharArrayBuffer buffer, int pos, int len) throws MalformedChallengeException;

233
httpclient/src/main/java/org/apache/http/impl/auth/NegotiateScheme.java
View File

@ -31,13 +31,17 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.Header;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.ContextAwareAuthScheme;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.InvalidCredentialsException;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.message.BasicHeader;
import org.apache.http.protocol.ExecutionContext;
import org.apache.http.protocol.HttpContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
@ -50,7 +54,7 @@ import org.ietf.jgss.Oid;
*
* @since 4.1
*/
public class NegotiateScheme implements AuthScheme {
public class NegotiateScheme implements ContextAwareAuthScheme {
private static final int UNINITIATED = 0;
private static final int INITIATED = 1;
@ -60,17 +64,15 @@ public class NegotiateScheme implements AuthScheme {
private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
private final Log log;
private final Log log = LogFactory.getLog(getClass());
/* stripPort removes ports from the generated Service Name.
* Helpful if you don't/can't have all SN:port combo's in AD/Directory.
* Probably a debatable addition.
*/
private boolean stripPort = false;
private final SpnegoTokenGenerator spengoGenerator;
private SpnegoTokenGenerator spengoGenerator = null;
private final boolean stripPort;
private GSSContext context = null;
private boolean proxy;
private GSSContext gssContext = null;
/** Authentication process state */
private int state;
@ -84,73 +86,21 @@ public class NegotiateScheme implements AuthScheme {
* Default constructor for the Negotiate authentication scheme.
*
*/
public NegotiateScheme() {
public NegotiateScheme(final SpnegoTokenGenerator spengoGenerator, boolean stripPort) {
super();
log = LogFactory.getLog(getClass());
state = UNINITIATED;
this.state = UNINITIATED;
this.spengoGenerator = spengoGenerator;
this.stripPort = stripPort;
}
/**
* Init GSSContext for negotiation.
*
* @param server servername only (e.g: radar.it.su.se)
*/
protected void init(String server) throws GSSException {
if (log.isDebugEnabled()) {
log.debug("init " + server);
}
/* Using the SPNEGO OID is the correct method.
* Kerberos v5 works for IIS but not JBoss. Unwrapping
* the initial token when using SPNEGO OID looks like what is
* described here...
*
* http://msdn.microsoft.com/en-us/library/ms995330.aspx
*
* Another helpful URL...
*
* http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
*
* Unfortunately SPNEGO is JRE >=1.6.
*/
/** Try SPNEGO by default, fall back to Kerberos later if error */
negotiationOid = new Oid(SPNEGO_OID);
boolean tryKerberos = false;
try{
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/"+server, null);
context = manager.createContext(
serverName.canonicalize(negotiationOid), negotiationOid, null,
GSSContext.DEFAULT_LIFETIME);
context.requestMutualAuth(true);
context.requestCredDeleg(true);
} catch (GSSException ex){
// BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
// Rethrow any other exception.
if (ex.getMajor() == GSSException.BAD_MECH ){
log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
tryKerberos = true;
} else {
throw ex;
}
}
if (tryKerberos){
/* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
log.debug("Using Kerberos MECH " + KERBEROS_OID);
negotiationOid = new Oid(KERBEROS_OID);
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/"+server, null);
context = manager.createContext(
serverName.canonicalize(negotiationOid), negotiationOid, null,
GSSContext.DEFAULT_LIFETIME);
context.requestMutualAuth(true);
context.requestCredDeleg(true);
}
state = INITIATED;
public NegotiateScheme(final SpnegoTokenGenerator spengoGenerator) {
this(spengoGenerator, false);
}
public NegotiateScheme() {
this(null, false);
}
/**
* Tests if the Negotiate authentication process has been completed.
*
@ -171,6 +121,13 @@ public class NegotiateScheme implements AuthScheme {
return "Negotiate";
}
@Deprecated
public Header authenticate(
final Credentials credentials,
final HttpRequest request) throws AuthenticationException {
return authenticate(credentials, request, null);
}
/**
* Produces Negotiate authorization Header based on token created by
* processChallenge.
@ -184,30 +141,96 @@ public class NegotiateScheme implements AuthScheme {
*
* @return an Negotiate authorisation Header
*/
public Header authenticate(Credentials credentials,
HttpRequest request) throws AuthenticationException {
public Header authenticate(
final Credentials credentials,
final HttpRequest request,
final HttpContext context) throws AuthenticationException {
if (request == null) {
throw new IllegalArgumentException("HTTP request may not be null");
}
if (state == UNINITIATED) {
throw new IllegalStateException(
"Negotiation authentication process has not been initiated");
}
try {
if (context==null) {
if (isStripPort()) {
init( (request.getLastHeader("Host")).getValue().replaceAll(":[0-9]+$", "") );
} else {
init( (request.getLastHeader("Host")).getValue());
}
String key = null;
if (isProxy()) {
key = ExecutionContext.HTTP_PROXY_HOST;
} else {
key = ExecutionContext.HTTP_TARGET_HOST;
}
HttpHost host = (HttpHost) context.getAttribute(key);
if (host == null) {
throw new AuthenticationException("Authentication host is not set " +
"in the execution context");
}
String authServer;
if (!this.stripPort && host.getPort() > 0) {
authServer = host.toHostString();
} else {
authServer = host.getHostName();
}
if (log.isDebugEnabled()) {
log.debug("init " + authServer);
}
/* Using the SPNEGO OID is the correct method.
* Kerberos v5 works for IIS but not JBoss. Unwrapping
* the initial token when using SPNEGO OID looks like what is
* described here...
*
* http://msdn.microsoft.com/en-us/library/ms995330.aspx
*
* Another helpful URL...
*
* http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
*
* Unfortunately SPNEGO is JRE >=1.6.
*/
/** Try SPNEGO by default, fall back to Kerberos later if error */
negotiationOid = new Oid(SPNEGO_OID);
boolean tryKerberos = false;
try {
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/" + authServer, null);
gssContext = manager.createContext(
serverName.canonicalize(negotiationOid), negotiationOid, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
} catch (GSSException ex){
// BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
// Rethrow any other exception.
if (ex.getMajor() == GSSException.BAD_MECH ){
log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
tryKerberos = true;
} else {
throw ex;
}
}
if (tryKerberos){
/* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
log.debug("Using Kerberos MECH " + KERBEROS_OID);
negotiationOid = new Oid(KERBEROS_OID);
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/" + authServer, null);
gssContext = manager.createContext(
serverName.canonicalize(negotiationOid), negotiationOid, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
}
state = INITIATED;
// HTTP 1.1 issue:
// Mutual auth will never complete to do 200 instead of 401 in
// return from server. "state" will never reach ESTABLISHED
// but it works anyway
token = context.initSecContext(token, 0, token.length);
token = gssContext.initSecContext(token, 0, token.length);
/*
* IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
@ -218,7 +241,7 @@ public class NegotiateScheme implements AuthScheme {
}
if (log.isDebugEnabled()) {
log.info("got token, sending " + token.length + " bytes to server");
log.debug("got token, sending " + token.length + " bytes to server");
}
} catch (GSSException gsse) {
state = FAILED;
@ -283,11 +306,19 @@ public class NegotiateScheme implements AuthScheme {
* Processes the Negotiate challenge.
*
*/
public void processChallenge(Header header) throws MalformedChallengeException {
public void processChallenge(final Header header) throws MalformedChallengeException {
if (log.isDebugEnabled()) {
log.debug("Challenge header: " + header);
}
String authheader = header.getName();
String challenge = header.getValue();
if (authheader.equalsIgnoreCase(AUTH.WWW_AUTH)) {
this.proxy = false;
} else if (authheader.equalsIgnoreCase(AUTH.PROXY_AUTH)) {
this.proxy = true;
} else {
throw new MalformedChallengeException("Unexpected header name: " + authheader);
}
if (challenge.startsWith("Negotiate")) {
if(isComplete() == false)
@ -303,31 +334,9 @@ public class NegotiateScheme implements AuthScheme {
}
}
}
public boolean isStripPort() {
return stripPort;
}
/**
* Strips the port off the Kerberos service name e.g. HTTP/webserver.ad.net:8080 -> HTTP/webserver.ad.net
* @param stripport
*/
public void setStripPort(boolean stripport) {
if (stripport){
log.debug("Will strip ports off Service Names e.g. HTTP/server:8080 -> HTTP/server");
} else{
log.debug("Will NOT strip ports off Service Names e.g. HTTP/server:8080 -> HTTP/server");
}
stripPort = stripport;
}
/**
* Inject the class to be used to generate an SPNEGO token from a Kerberos ticket.
* Use only with Java <= 1.5 , tested against Jboss Negotiate.
* @param SpengoGenerator - An SpnegoTokenGenerator implementation Class
*/
public void setSpengoGenerator(SpnegoTokenGenerator SpengoGenerator) {
this.spengoGenerator = SpengoGenerator;
public boolean isProxy() {
return this.proxy;
}
}

31
httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
View File

@ -26,6 +26,7 @@
package org.apache.http.impl.auth;
import org.apache.http.annotation.Immutable;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthSchemeFactory;
import org.apache.http.params.HttpParams;
@ -36,34 +37,34 @@ import org.apache.http.params.HttpParams;
*
* @since 4.1
*/
@Immutable
public class NegotiateSchemeFactory implements AuthSchemeFactory {
private boolean stripPort = false; // strip port off kerb name
private SpnegoTokenGenerator spengoGenerator = null;
private final SpnegoTokenGenerator spengoGenerator;
private final boolean stripPort;
public AuthScheme newInstance(final HttpParams params) {
NegotiateScheme negotiateScheme = new NegotiateScheme();
negotiateScheme.setStripPort(stripPort);
negotiateScheme.setSpengoGenerator(spengoGenerator);
return negotiateScheme;
public NegotiateSchemeFactory(final SpnegoTokenGenerator spengoGenerator, boolean stripPort) {
super();
this.spengoGenerator = spengoGenerator;
this.stripPort = stripPort;
}
public NegotiateSchemeFactory(){
super();
public NegotiateSchemeFactory(final SpnegoTokenGenerator spengoGenerator) {
this(spengoGenerator, false);
}
public void setStripPort(boolean stripPort) {
this.stripPort = stripPort;
public NegotiateSchemeFactory() {
this(null, false);
}
public AuthScheme newInstance(final HttpParams params) {
return new NegotiateScheme(this.spengoGenerator, this.stripPort);
}
public boolean isStripPort() {
return stripPort;
}
public void setSpengoGenerator(SpnegoTokenGenerator spengoGenerator) {
this.spengoGenerator = spengoGenerator;
}
public SpnegoTokenGenerator getSpengoGenerator() {
return spengoGenerator;
}

7
httpclient/src/main/java/org/apache/http/impl/auth/SpnegoTokenGenerator.java
View File

@ -29,7 +29,12 @@ package org.apache.http.impl.auth;
import java.io.IOException;
/**
* Implementations should take an Kerberos ticket and transform into a SPNEGO token.
* Abstract SPNEGO token generator. Implementations should take an Kerberos ticket and transform
* into a SPNEGO token.
* <p>
* Implementations of this interface are expected to be thread-safe.
*
* @since 4.1
*/
public interface SpnegoTokenGenerator {

10
src/docbkx/authentication.xml
View File

@ -603,21 +603,17 @@ NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
]]>
</programlisting>
<para>There are several methods that can be used to customize the behaviour of
<para>There are several options that can be used to customize the behaviour of
<classname>NegotiateSchemeFactory</classname>. </para>
<section>
<title>
<methodname>#setStripPort(boolean)</methodname>
</title>
<title>Strip port</title>
<para>Strips the port off service names e.g.
<literal>HTTP/webserver.ad.example.net:8080</literal> ->
<literal>HTTP/webserver.ad.example.net</literal></para>
<para>Found it useful when authenticating against JBoss Negotiation.</para>
</section>
<section>
<title>
<methodname>#setSpengoGenerator(SpnegoTokenGenerator)</methodname>
</title>
<title>Custom <literal>SPNEGO</literal> token generator</title>
<para>Use this method to inject a custom
<interfacename>SpnegoTokenGenerator</interfacename> class to do the Kerberos
to <literal>SPNEGO</literal> token wrapping.