New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443 #3394
Comments
@pmouawad (migrated from Bugzilla): Version should be available in nightly build: Installing JMeter runtime Philippe M. |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1611028 Modified: |
@pmouawad (migrated from Bugzilla): Thanks for your help in advance |
@FSchumacher (migrated from Bugzilla): As written in the chrome url given in an cited by Dan only chrome supports the port embedded in the spn. IE and firefox will not embed ports into the spn. As SPNEGO is essential a child of microsoft, I would opt to be compatible with IE as the default. (I have done my tests only with firefox, though) The easiest solution would be to introduce a system property to decide which algortihm should be used. But it might be, that someone would like to test two different systems, which behave different in respect to port embedded into spn. (We could wait for that to happen :) |
@pmouawad (migrated from Bugzilla):
With this behaviour , is your note still valid ? If yes I will introduce a system property. |
@FSchumacher (migrated from Bugzilla): So I would opt for generating HTTP/hostname as default for every given port. If someone really wants HTTP/hostname:port for non standard ports (80 and 443) we should give him a chance by setting a system property (something like -Dorg.apache.jmeter.enable-auth-negotiate-port=true) |
@pmouawad (migrated from Bugzilla): |
@FSchumacher (migrated from Bugzilla): Will add a comment, as soon as I tested it against my previous setup (using a tomcat listening on port 8080) Created attachment spnego-strip-ports-option.diff: Add an option to enable the chrome optional behavior spnego-strip-ports-option.diffdiff --git bin/jmeter.properties bin/jmeter.properties
index 4b58e11..862882e 100644
--- bin/jmeter.properties
+++ bin/jmeter.properties
@@ -339,6 +339,10 @@ log_level.jorphan=INFO
# Name of application module used in jaas.conf
#kerberos_jaas_application=JMeter
+# Should ports be stripped from urls before constructing SPNs
+# for spnego authentication
+#spnego.strip_port=true
+
# Sample logging levels for Commons HttpClient
#
# Commons HttpClient Logging information can be found at:
diff --git src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
index 625ce23..3775b08 100644
--- src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
+++ src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
@@ -96,6 +96,9 @@ public class AuthManager extends ConfigTestElement implements TestStateListener,
private static final boolean DEFAULT_CLEAR_VALUE = false;
+ /** Decides whether port should be omitted from SPN for kerberos spnego authentication */
+ private static final boolean STRIP_PORT = JMeterUtils.getPropDefault("spnego.strip_port", true);
+
public enum Mechanism {
BASIC_DIGEST, KERBEROS;
}
@@ -392,8 +395,7 @@ public class AuthManager extends ConfigTestElement implements TestStateListener,
log.debug(username + " > D="+domain+" R="+realm + " M="+auth.getMechanism());
}
if (Mechanism.KERBEROS.equals(auth.getMechanism())) {
- boolean stripPort = (url.getPort() == HTTPConstants.DEFAULT_HTTP_PORT || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT);
- ((AbstractHttpClient) client).getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(stripPort));
+ ((AbstractHttpClient) client).getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(isStripPort(url)));
credentialsProvider.setCredentials(new AuthScope(null, -1, null), USE_JAAS_CREDENTIALS);
} else {
credentialsProvider.setCredentials(
@@ -403,6 +405,24 @@ public class AuthManager extends ConfigTestElement implements TestStateListener,
}
}
+ /**
+ * IE and Firefox will always strip port from the url before constructing
+ * the SPN. Chrome has an option (<code>--enable-auth-negotiate-port</code>)
+ * to include the port if it differs from <code>80</code> or
+ * <code>443</code>. That behavior can be changed by setting the jmeter
+ * property <code>spnego.stripPort</code>.
+ *
+ * @param url
+ * to be checked
+ * @return <code>true</code> when port should omitted in SPN
+ */
+ private boolean isStripPort(URL url) {
+ if (STRIP_PORT)
+ return true;
+ return url.getPort() == HTTPConstants.DEFAULT_HTTP_PORT
+ || url.getPort() == HTTPConstants.DEFAULT_HTTPS_PORT;
+ }
+
/** {@inheritDoc} */
@Override
public void testStarted() {
diff --git xdocs/usermanual/component_reference.xml xdocs/usermanual/component_reference.xml
index fca72e5..72a7327 100644
--- xdocs/usermanual/component_reference.xml
+++ xdocs/usermanual/component_reference.xml
@@ -3537,6 +3537,17 @@ Look at the two sample configuration files (krb5.conf and jaas.conf) located in
your Kerberos configuration.
</p>
<br></br>
+<p>
+When generating a SPN for Kerberos SPNEGO authentication IE and Firefox will omit the port number
+from the url. Chrome has an option (<code>--enable-auth-negotiate-port</code>) to include the port
+number if it differs from the standard ones (<code>80</code> and <code>443</code>). That behavior
+can be emulated by setting the following jmeter property as below.
+<pre>
+jmeter.properties:
+spnego.strip_port=false
+</pre>
+</p>
+<br></br>
<b>Controls:</b>
<ul>
<li>Add Button - Add an entry to the authorization table.</li> |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1611785 Modified: |
@pmouawad (migrated from Bugzilla): |
@FSchumacher (migrated from Bugzilla): I have tried to change my SPN to HTTP/www.example.com:8080@EXAMPLE.COM. Generated a new ktab for tomcat, changed kerberos.spnego.strip_port to "false". And tried again. It seems to use the correct SPN, but tomcat can't authenticate that SPN with its keytab against apacheds. That might be a setup problem though. So all in all. I think the feature will do, what the original requestor wants. |
dan.haughey (Bug 56701):
We are load testing a server using Kerberos authentication, but the server principal name is not being generated in the format that the server expects. JMeter appears to use this format:
HTTP/example-server.com
but our server expects:
HTTP/example-server.com:12345
(where 12345 is the port number of the site being tested).
Chrome has a command-line switch '--enable-auth-negotiate-port' (disabled by default) that adds this port number to the SPN for sites that are on a port other than 80 or 443. (This is documented at http://dev.chromium.org/developers/design-documents/http-authentication) - using this switch allows the site to be browsed in Chrome.
Could a similar option be added to JMeter? At the moment I've hacked a solution in src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java that adds the port number on if it is a non-standard port to mimic Chrome's behaviour with the switch enabled. This obviously needs putting behind some sort of option but I haven't had time to code this properly. My diff is attached in case this is useful to anyone.
Created attachment add-port-to-spn.diff: Patch to alter SPN generation behaviour in AuthManager.java
add-port-to-spn.diff
OS: All
The text was updated successfully, but these errors were encountered: