From fb6d73ef384a2589b9d1332d5c0a37aabe4f0550 Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Wed, 16 Sep 2009 12:17:13 +0000
Subject: [PATCH] HTTPCLIENT-523: SPNEGO auth scheme

* Updated example
* Minor code tweaks

Contributed by Matthew Stevenson

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@815735 13f79535-47bb-0310-9956-ffa450edef68
---
 .../client/ClientKerberosAuthentication.java | 46 +++++++++++++++----
 .../impl/auth/NegotiateSchemeFactory.java | 2 +-
 src/docbkx/authentication.xml | 14 ++++++
 3 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java b/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java
index e1cb33954..c0a77ad3f 100644
--- a/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java
+++ b/httpclient/src/examples/org/apache/http/examples/client/ClientKerberosAuthentication.java
@@ -52,8 +52,31 @@ import org.apache.http.protocol.HttpContext;
 /**
  * Kerberos auth example.
- *

- * krb5.conf + * + *

Takes one arguement args[0] = 'http://examplehost/path/'

+ *
Information
+ *

For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more + completely.

+ *

NegotiateSchemeFactory

+ *

Has three custom methods

+ *

setStripPort(boolean) - default is false, with strip the port off the Kerberos + * service name if true. Found useful with JbossNegotiation. Java >= 1.5

+ * + *

Below are for Java 1.5.

+ * + *

setSpnegoCreate(boolean) - defaults to false, try to create an SPNEGO token via + * the token set in setSpengoGenerator. TODO - merge logic so just setSpengoGenerator

+ * + *

setSpengoGenerator(new SpnegoTokenGenerator()) - default is null, class to use to wrap + * kerberos token. An example is in contrib - org.apache.http.contrib.auth.BouncySpnegoTokenGenerator. + * Requires use of bouncy castle libs + *

+ * + *
Addtional Config Files
+ *

Two files control how Java uses/configures Kerberos. Very basic examples are below. There + * is a large amount of information on the web.

+ *

http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html + *

krb5.conf

*
  * [libdefaults]
  *     default_realm = AD.EXAMPLE.NET
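Review bot: The example's input is documented as a plain `http://examplehost/path/` URL, and nothing in the new Javadoc says that Negotiate authenticates the request only — as I read the scheme, the responses and the rest of the session are not integrity-protected, so an on-path attacker can still tamper with them; I'd document `https://examplehost/path/` as the expected argument and add one sentence to that effect. The same comment block has typos worth fixing in the same pass: `arguement` → `argument`, `Addtional` → `Additional`, and `with strip the port off` → `will strip the port off`. It would also help to say next to `setStripPort` that stripping the port changes which service principal the ticket is requested for (presumably a name without the port), which is why the alternative mentioned later in the file is registering port-qualified service names in the Kerberos database. The class Javadoc this hunk edits continues past the hunk's last line.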
@@ -122,19 +145,22 @@ public class ClientKerberosAuthentication {
 
         DefaultHttpClient httpclient = new DefaultHttpClient();
 
+        /* NegotiateSchemeFactory creates the NegotiateScheme instance to be use for each request
+         * if using Java 5/6 and IIS7 you can just use the defaults. JbossNegotiate use setStripPort(true),
+         * or add service names with ports to kerberos DB. JbossNegotiate needs Java 6 or a SpengoGenerator.
+         */
+        NegotiateSchemeFactory negotiateFact = new NegotiateSchemeFactory();
+//        negotiateFact.setStripPort(false);
+//        negotiateFact.setSpnegoCreate(true);
+//        negotiateFact.setSpengoGenerator(new BouncySpnegoTokenGenerator());
+        
         AuthSchemeRegistry authSchemeRegistry = httpclient.getAuthSchemes();
         authSchemeRegistry.unregister("basic");
         authSchemeRegistry.unregister("digest");
         authSchemeRegistry.unregister("NTLM");
-        
-        NegotiateSchemeFactory negotiateFact = new NegotiateSchemeFactory();
-        negotiateFact.setStripPort(false);
-        negotiateFact.setSpnegoCreate(false);
-//        negotiateFact.setSpengoGenerator(new BouncySpnegoTokenGenerator());
-        
         authSchemeRegistry.register("Negotiate", negotiateFact);
-        //        authSchemeRegistry.register("NTLM", new NTLMSchemeFactory());
-        //        authSchemeRegistry.register("Basic", new BasicSchemeFactory());
+//        authSchemeRegistry.register("NTLM", new NTLMSchemeFactory());
+//        authSchemeRegistry.register("Basic", new BasicSchemeFactory());
         httpclient.setAuthSchemes(authSchemeRegistry);
 
         Credentials use_jaas_creds = new Credentials() {
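Review bot: The reason the example unregisters `basic`, `digest` and `NTLM` and keeps only `Negotiate` is never stated, and the two commented-out `register` lines invite re-enabling them without understanding the cost: a server or intercepting proxy could then answer with a weaker challenge and the client would fall back to it. I'd put `// Register Negotiate only: re-enabling Basic/NTLM lets a server or proxy downgrade the client to a weaker scheme` above the `unregister` calls. Whether such a fallback would actually transmit anything depends on what `use_jaas_creds` returns, which is defined below the hunk, so the wording should stay at "downgrade" rather than "leak". The new explanatory comment also needs a grammar pass: `to be use` → `to be used`, `JbossNegotiate use setStripPort(true)` → `for JBoss Negotiation call setStripPort(true)`, and `a SpengoGenerator` → `a SpnegoTokenGenerator` (the setter's misspelling should not spread into prose).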
diff --git a/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java b/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
index 3cd39f8d6..8102fe2db 100644
--- a/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
+++ b/httpclient/src/main/java/org/apache/http/impl/auth/NegotiateSchemeFactory.java
@@ -40,7 +40,7 @@ public class NegotiateSchemeFactory implements AuthSchemeFactory {
         negotiateScheme.setStripPort(stripPort);
         negotiateScheme.setSpnegoCreate(spnegoCreate);
         negotiateScheme.setSpengoGenerator(spengoGenerator);
-        return new NegotiateScheme();
+        return negotiateScheme;
     }
 
     public NegotiateSchemeFactory(){
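Review bot: Returning the configured `negotiateScheme` is the right fix, but it also means the single `spengoGenerator` object set on the factory is now handed to every `NegotiateScheme` the factory creates, so a generator that keeps per-request state would be shared across concurrent requests. The factory method starts above the hunk, so I cannot see whether anything guards that; I'd document the expectation on the setter: `/** The generator instance is shared by every scheme this factory produces; implementations must be stateless or thread-safe. */`. Before this change the three setters just above the return were silently ignored, because a fresh `NegotiateScheme` was returned instead, so `stripPort`, `spnegoCreate` and the generator configured on earlier builds were never applied — worth a sentence in the commit message since users may have relied on the "working" default without knowing their settings were dropped.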
diff --git a/src/docbkx/authentication.xml b/src/docbkx/authentication.xml
index 3ca2bc52a..be37a5296 100644
--- a/src/docbkx/authentication.xml
+++ b/src/docbkx/authentication.xml
@@ -94,6 +94,8 @@ pwd
                         Despite its insecurity Basic authentication scheme is perfectly adequate if
                         used in combination with the TLS/SSL encryption.
                 
+            
+            
                 
                     Digest
                     Digest authentication scheme as defined in RFC 2617. Digest authentication
@@ -101,6 +103,8 @@ pwd
                         those applications that do not want the overhead of full transport security
                         through TLS/SSL encryption.
                 
+            
+            
                 
                     NTLM:
                     NTLM is a proprietary authentication scheme developed by Microsoft and
@@ -126,6 +130,8 @@ pwd
                         If this parameter is not set HttpClient will handle authentication
                         automatically.
                 
+            
+            
                 
                     'http.auth.credential-charset':
                     defines the charset to be used when encoding user credentials. This
@@ -146,6 +152,8 @@ pwd
                     Basic:
                     Basic authentication scheme
                 
+            
+            
                 
                     Digest:
                     Digest authentication scheme
@@ -225,18 +233,24 @@ null
                         authentication scheme registry. The value of this attribute set in the local
                         context takes precedence over the default one.
                 
+            
+            
                 
                     'http.auth.credentials-provider':
                     CookieSpec instance representing the actual
                         credentials provider. The value of this attribute set in the local context
                         takes precedence over the default one.
                 
+            
+            
                 
                     'http.auth.target-scope':
                     AuthState instance representing the actual target
                         authentication state. The value of this attribute set in the local context
                         takes precedence over the default one.
                 
+            
+            
                 
                     'http.auth.proxy-scope':
                     AuthState instance representing the actual proxy