[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17876177#comment-17876177
 ] 

Istvan Toth commented on HTTPCLIENT-1625:
-----------------------------------------

I have a somewhat working implementation.

However, I'm a bit stuck on the user-facing API side:
The current HttpAuthenticator swallows all exceptions, and just returns the 
last 40x response if there are any problems.
We are losing quite a bit of information there (Did the server reject our auth 
response? Did the server send a challenge, but we were unable to process it?), 
but that's how HTTP is traditionally handled from the client side.


Options that I can see to handle mutual Auth failure:

1. Bubble up the failure to HttpClient as an exception
This ensures that the caller is aware of the problem, but we lose the actual 
response contents.
Maybe add the Response object to the Exception ???

2. Return the mutual auth status in HttpContext
We keep the original response, but the client will have to add some 
non-intuitive code to check the auth status.
The responseHandler will also have already processed the response by the time 
the caller gets a chance to check the status.
This only works for HttpClient methods that pass a HttpContext, and it's not 
trivial how to map the error to the authExchange (target/proxy)
I also haven't checked how this could work with the Async client.

3. Add a synthetic header to the response with the authentication information.

What do you think ?
I'm leaning towards just bubbling up the Exception, I don't consider 
HttpAuthenticator as a public API.


> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-1625
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
>             Project: HttpComponents HttpClient
>          Issue Type: Task
>          Components: Documentation, HttpClient (classic)
>    Affects Versions: 4.5
>            Reporter: Michael Osipov
>            Priority: Major
>              Labels: stuck, volunteers-wanted
>
> The current implementation does not reflect the way GSS-API-based 
> authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under: 
> https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
