[ https://issues.apache.org/jira/browse/HTTPCLIENT-1625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17876645#comment-17876645 ]
Istvan Toth commented on HTTPCLIENT-1625:
-----------------------------------------

Thank you, then we agree.

By "authentication fails locally" I mean that the server returns a 200/other successful response, mutual auth is enabled by us, and GSS processing throws an exception, or the GSS Context is not established, or it is established but the mutual auth flag is not set on it.

Reasons could be:
- Server has ignored our mutual auth request, and never sent the last token
- Server has sent the mutual auth token, but our GSS library has not accepted it.

What I'm trying to say is that if we get this far in the process, then a failure here has a good chance of being an actual attack.

> Completely overhaul GSS-API-based authentication backend
> --------------------------------------------------------
>
>                 Key: HTTPCLIENT-1625
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1625
>             Project: HttpComponents HttpClient
>          Issue Type: Task
>          Components: Documentation, HttpClient (classic)
>    Affects Versions: 4.5
>            Reporter: Michael Osipov
>            Priority: Major
>              Labels: stuck, volunteers-wanted
>
> The current implementation does not reflect the way GSS-API-based
> authentication should be done. It has several design flaws.
> This is an umbrella task for:
> 1. Deprecate all old classes
> 2. Investigate how it has to be plugged into HttpClient
> 3. Reimplement from scratch
> 4. Thoroughly test all new stuff
> 5. Rewrite documentation
> Design notes are canonically available under:
> https://wiki.apache.org/HttpComponents/IssueTracking/HTTPCLIENT-1625

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
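The check the comment describes, written out with the standard JGSS API as an added example. This is not HttpClient's code and not code posted by either commenter. It assumes a host-based service principal of the form HTTP@host, the Kerberos v5 mechanism, and that Kerberos credentials were already obtained (JAAS login or ticket cache); HTTP transport and Base64 decoding of the WWW-Authenticate header are left to the caller, so it needs a configured Kerberos environment to run against a real server.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Client-side mutual-authentication check for an HTTP Negotiate/Kerberos
 * exchange. Added example, not HttpClient code. Assumes the caller already
 * holds Kerberos credentials (JAAS login or ticket cache) and handles HTTP.
 */
public class MutualAuthCheck {

    /** Thrown when a successful HTTP response does not prove the server's identity. */
    public static final class MutualAuthFailedException extends Exception {
        MutualAuthFailedException(String msg) { super(msg); }
        MutualAuthFailedException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Kerberos v5 mechanism OID (a protocol constant, not an assumption). */
    static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /**
     * Create the context for the first request and ask for mutual auth.
     * requestMutualAuth() must be called before the first initSecContext(),
     * otherwise the request is not encoded into the AP-REQ.
     */
    public static GSSContext newClientContext(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Assumed service name "HTTP@<host>"; the real principal depends on
        // how the service was registered in the KDC.
        GSSName server = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(server, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        return ctx;
    }

    /**
     * Produce the token for a request. inToken is null for the very first
     * request and the server's decoded challenge token afterwards.
     * Returns null when there is nothing further to send.
     */
    public static byte[] nextToken(GSSContext ctx, byte[] inToken) throws GSSException {
        byte[] in = inToken == null ? new byte[0] : inToken;
        return ctx.initSecContext(in, 0, in.length);
    }

    /**
     * The check from the comment: the server answered with a success status and
     * we asked for mutual auth, so the context must now be established with the
     * mutual-auth flag set. serverToken is the decoded token from the final
     * response, or null if the server sent none. Any failure here is treated as
     * an authentication failure, not as a transport hiccup.
     */
    public static void verifyFinalResponse(GSSContext ctx, int status, byte[] serverToken)
            throws MutualAuthFailedException {
        if (status < 200 || status >= 300) {
            return; // not a success response; normal challenge handling applies
        }
        // Case 1: server ignored the mutual-auth request and never sent the last token.
        if (serverToken == null && !ctx.isEstablished()) {
            throw new MutualAuthFailedException(
                "success response without the final mutual-auth token");
        }
        // Case 2: server sent a token but our GSS library does not accept it.
        if (serverToken != null) {
            try {
                ctx.initSecContext(serverToken, 0, serverToken.length); // processes the AP-REP
            } catch (GSSException e) {
                throw new MutualAuthFailedException("GSS library rejected the server's token", e);
            }
        }
        if (!ctx.isEstablished()) {
            throw new MutualAuthFailedException("GSS context not established after success response");
        }
        if (!ctx.getMutualAuthState()) {
            throw new MutualAuthFailedException("context established but mutual-auth flag not set");
        }
        // Only now is the success response trustworthy: the server proved it holds the service key.
    }
}
```

Usage: call newClientContext(host) once, send the token from nextToken(ctx, null) in the Authorization header, feed each challenge back through nextToken, and when a 2xx arrives pass its status and decoded token (or null) to verifyFinalResponse before handing the response body to the application. Note the ordering in the first branch: a missing final token is only an error while the context is still unestablished, which is the state a Kerberos client is in after sending the AP-REQ with mutual auth requested.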