diff --git a/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java b/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java index e1cb33954..c0a77ad3f 100644 --- a/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java +++ b/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java @@ -52,8 +52,31 @@ import org.apache.http.protocol.HttpContext; /** * Kerberos auth example. - *
- * krb5.conf + * + *
Takes one arguement args[0] = 'http://examplehost/path/'
+ *For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more + completely.
+ *NegotiateSchemeFactory
+ *Has three custom methods
+ *setStripPort(boolean) - default is false, with strip the port off the Kerberos + * service name if true. Found useful with JbossNegotiation. Java >= 1.5
+ * + *Below are for Java 1.5.
+ * + *setSpnegoCreate(boolean) - defaults to false, try to create an SPNEGO token via + * the token set in setSpengoGenerator. TODO - merge logic so just setSpengoGenerator
+ * + *setSpengoGenerator(new SpnegoTokenGenerator()) - default is null, class to use to wrap + * kerberos token. An example is in contrib - org.apache.http.contrib.auth.BouncySpnegoTokenGenerator. + * Requires use of bouncy castle libs + *
+ * + *Two files control how Java uses/configures Kerberos. Very basic examples are below. There + * is a large amount of information on the web.
+ *krb5.conf
** [libdefaults] * default_realm = AD.EXAMPLE.NET @@ -122,19 +145,22 @@ public class ClientKerberosAuthentication { DefaultHttpClient httpclient = new DefaultHttpClient(); + /* NegotiateSchemeFactory creates the NegotiateScheme instance to be use for each request + * if using Java 5/6 and IIS7 you can just use the defaults. JbossNegotiate use setStripPort(true), + * or add service names with ports to kerberos DB. JbossNegotiate needs Java 6 or a SpengoGenerator. + */ + NegotiateSchemeFactory negotiateFact = new NegotiateSchemeFactory(); +// negotiateFact.setStripPort(false); +// negotiateFact.setSpnegoCreate(true); +// negotiateFact.setSpengoGenerator(new BouncySpnegoTokenGenerator()); + AuthSchemeRegistry authSchemeRegistry = httpclient.getAuthSchemes(); authSchemeRegistry.unregister("basic"); authSchemeRegistry.unregister("digest"); authSchemeRegistry.unregister("NTLM"); - - NegotiateSchemeFactory negotiateFact = new NegotiateSchemeFactory(); - negotiateFact.setStripPort(false); - negotiateFact.setSpnegoCreate(false); -// negotiateFact.setSpengoGenerator(new BouncySpnegoTokenGenerator()); - authSchemeRegistry.register("Negotiate", negotiateFact); - // authSchemeRegistry.register("NTLM", new NTLMSchemeFactory()); - // authSchemeRegistry.register("Basic", new BasicSchemeFactory()); +// authSchemeRegistry.register("NTLM", new NTLMSchemeFactory()); +// authSchemeRegistry.register("Basic", new BasicSchemeFactory()); httpclient.setAuthSchemes(authSchemeRegistry); Credentials use_jaas_creds = new Credentials() { diff --git a/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java b/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java index 3cd39f8d6..8102fe2db 100644 --- a/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java +++ b/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java 
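Review bot: In the second hunk of ClientKerberosAuthentication.java, the new block comment explains the factory options but says nothing about why `basic`, `digest` and `NTLM` are unregistered just below it, which is the security-relevant part of the example: with only Negotiate registered, the client has no weaker scheme to select if the server offers one. I would add a line such as `// Leave only Negotiate registered so the client never falls back to Basic/Digest/NTLM when a server offers them.` above the `unregister` calls. The commented-out `// negotiateFact.setSpnegoCreate(true);` also reads as a recommended value, although the removed code set it to false and the Javadoc gives false as the default; a short trailing comment saying it is only for Java 1.5 with a token generator would prevent copy-paste misconfiguration. The enclosing method starts and ends outside the hunk.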
@@ -40,7 +40,7 @@ public class NegotiateSchemeFactory implements AuthSchemeFactory { negotiateScheme.setStripPort(stripPort); negotiateScheme.setSpnegoCreate(spnegoCreate); negotiateScheme.setSpengoGenerator(spengoGenerator); - return new NegotiateScheme(); + return negotiateScheme; } public NegotiateSchemeFactory(){ diff --git a/src/docbkx/authentication.xml b/src/docbkx/authentication.xml index 3ca2bc52a..be37a5296 100644 --- a/src/docbkx/authentication.xml +++ b/src/docbkx/authentication.xml @@ -94,6 +94,8 @@ pwd Despite its insecurity Basic authentication scheme is perfectly adequate if used in combination with the TLS/SSL encryption. + ++ + Digest Digest authentication scheme as defined in RFC 2617. Digest authentication @@ -101,6 +103,8 @@ pwd those applications that do not want the overhead of full transport security through TLS/SSL encryption. + + NTLM: NTLM is a proprietary authentication scheme developed by Microsoft and @@ -126,6 +130,8 @@ pwd If this parameter is not set HttpClient will handle authentication automatically. + + 'http.auth.credential-charset': defines the charset to be used when encoding user credentials. This @@ -146,6 +152,8 @@ pwd Basic: Basic authentication scheme + + Digest: Digest authentication scheme @@ -225,18 +233,24 @@ null authentication scheme registry. The value of this attribute set in the local context takes precedence over the default one.+ + 'http.auth.credentials-provider': CookieSpec instance representing the actual credentials provider. The value of this attribute set in the local context takes precedence over the default one.+ + 'http.auth.target-scope': AuthState instance representing the actual target authentication state. The value of this attribute set in the local context takes precedence over the default one.'http.auth.proxy-scope': AuthState instance representing the actual proxy
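Review bot: In the NegotiateSchemeFactory.java hunk, the fixed method has no comment stating that the returned scheme carries the factory's settings, and the old `return new NegotiateScheme();` silently discarded `stripPort`, `spnegoCreate` and `spengoGenerator`, so a caller who configured the factory got default behaviour with no error. A one-line Javadoc on the method, e.g. `/** Returns a new NegotiateScheme configured with this factory's stripPort, spnegoCreate and spengoGenerator values. */`, plus a unit test asserting that a non-default setting survives into the created scheme, would keep this from regressing. Separately, `setSpengoGenerator` / `spengoGenerator` misspell SPNEGO; if this API has not shipped yet, renaming it to `setSpnegoGenerator` now is cheaper than deprecating it later. The method's signature is outside the hunk.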