I will look into this. Busy on something else at the moment.

Do you think this would happen in reality? There weren't a lot of fallbacks in 
HTTP auth, IMO. Is that because in most cases the username and password are the 
same for all schemes, and if one fails, we believe the pair is wrong and there 
is no need to try another? Negotiate was picked as a special case because 
configuration could go wrong even if the username and password are correct, so 
we provide a fallback.

For example, what about fallback from Digest to Basic? Could the digest 
credentials be provided correctly at first and wrong later? What would happen?

I haven't read the HttpURLConnection class for a long time and I could be wrong.

Thanks
Max

> On Oct 7, 2015, at 7:19 PM, Artem Smotrakov <artem.smotra...@oracle.com> 
> wrote:
> 
> Hello,
> 
> Please review this for 9.
> 
> According to [1], an HTTP client should try to use another HTTP 
> authentication scheme if the negotiate process failed for some reason, and the user 
> didn't specify SPNEGO or Kerberos in the "http.auth.preference" system property. 
> But no fallback happens if, for example: 
> - an HTTP server supports both Negotiate (via Kerberos) and Basic 
> authentication schemes 
> - first, a user provides correct Kerberos credentials, and a connection is 
> successfully established with Negotiate scheme 
> - then, a user provides wrong Kerberos credentials, but correct Basic 
> credentials
> 
> This fix updates HttpURLConnection to try another authentication scheme if the 
> negotiate process failed and the SPNEGO and Kerberos schemes are not preferred. 
> The fix may be shorter, for example:
> 
> if ( serverAuthentication != null || inNegotiate && 
> !"negotiate".equals(AuthenticationHeader.authPref)) {
> 
> , but I thought that some logging might be helpful.
> 
> Also added a test which checks this and a couple of other scenarios work fine.
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
> Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
> 
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
> 
> Artem

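A small harness for observing which scheme HttpURLConnection ends up using against a server that advertises both Negotiate and Basic, as in the scenario above. This is an added example written for this thread, not code from the webrev or from the JDK test; the server is the JDK's built-in com.sun.net.httpserver, the credentials and realm are made up, and the server simply rejects any Negotiate token it receives so that the client has to fall back to Basic. On a machine without Kerberos configured the JDK skips Negotiate as unsupported and goes straight to Basic; on a machine with a Kerberos ticket the client first sends a Negotiate token, gets it rejected, and (with the fix, and with "http.auth.preference" not set to negotiate/kerberos) retries with Basic. The wrong-Kerberos-credentials case from the bug report needs a real KDC and is not reproduced here.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class AuthFallbackDemo {

    // Constructed demo credentials and realm; not taken from the original thread.
    static final String USER = "alice";
    static final String PASS = "s3cret";
    static final String REALM = "demo";

    public static void main(String[] args) throws Exception {
        // Optional: force a scheme instead of letting the client pick.
        // Values documented in [1]: basic, digest, ntlm, negotiate, kerberos.
        // System.setProperty("http.auth.preference", "basic");

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", AuthFallbackDemo::handle);
        server.start();
        int port = server.getAddress().getPort();
        try {
            Authenticator.setDefault(new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    // Only password-based schemes (Basic here) reach this callback;
                    // a Negotiate attempt uses the Kerberos credential cache instead.
                    System.out.println("Authenticator asked for scheme: " + getRequestingScheme());
                    return new PasswordAuthentication(USER, PASS.toCharArray());
                }
            });
            URL url = new URL("http://127.0.0.1:" + port + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            int code = conn.getResponseCode();
            InputStream in = code >= 400 ? conn.getErrorStream() : conn.getInputStream();
            String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            in.close();
            System.out.println("HTTP " + code + ": " + body);
        } finally {
            server.stop(0);
        }
    }

    // Server side: advertise both schemes, reject Negotiate, validate Basic.
    static void handle(HttpExchange ex) throws IOException {
        String authz = ex.getRequestHeaders().getFirst("Authorization");
        String scheme = authz == null ? "(none)" : authz.split(" ", 2)[0];
        System.out.println("Server saw Authorization scheme: " + scheme);
        int code;
        String response;
        if (authz == null) {
            // Negotiate listed first, the order the client prefers by default.
            ex.getResponseHeaders().add("WWW-Authenticate", "Negotiate");
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            code = 401;
            response = "unauthorized";
        } else if (authz.startsWith("Negotiate ")) {
            // Stand-in for a GSS-API failure (e.g. a token for the wrong principal):
            // reject and offer only Basic, so a correct client falls back.
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            code = 401;
            response = "negotiate rejected";
        } else if (authz.startsWith("Basic ")) {
            String decoded = new String(Base64.getDecoder().decode(authz.substring(6)),
                                        StandardCharsets.UTF_8);
            if (decoded.equals(USER + ":" + PASS)) {
                code = 200;
                response = "authenticated via Basic as " + USER;
            } else {
                ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
                code = 401;
                response = "bad Basic credentials";
            }
        } else {
            code = 400;
            response = "unknown scheme: " + scheme;
        }
        byte[] bytes = response.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(code, bytes.length);
        try (OutputStream out = ex.getResponseBody()) {
            out.write(bytes);
        }
    }
}
```

Run it once as-is and once with "http.auth.preference" set to "negotiate": in the second run the client must not fall back, so the request should end with the 401 "negotiate rejected" response rather than a Basic login. The server-side log line shows which schemes the client actually tried and in what order, which is the behaviour the fix changes.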