Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

httpclient5 lacks kerberos support #73

Open
christophvw opened this issue Oct 20, 2023 · 6 comments
Open

httpclient5 lacks kerberos support #73

christophvw opened this issue Oct 20, 2023 · 6 comments

Comments

@christophvw
Copy link

httpclient5 lacks kerberos support for proxy authentication:

https://github.com/eclipse/ecf/blob/master/providers/bundles/org.eclipse.ecf.provider.filetransfer.httpclient5/src/org/eclipse/ecf/internal/provider/filetransfer/httpclient5/HttpClientProxyCredentialProvider.java

} else if ("negotiate".equalsIgnoreCase(authscope.getSchemeName())) {
Trace.trace(Activator.PLUGIN_ID, "SPNEGO is not supported, if you can contribute support, please do so.");

This becomes more important as Microsoft plans to remove NTLM support in future Windows 11 builds.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848

https://bugs.eclipse.org/bugs/show_bug.cgi?id=561175
@scottslewis
Copy link
Contributor

@christophvw thanks for opening this issue. Not sure if you were aware, but Eclipse is in the process of moving to the JRE-provided impl of httpclient as per eclipse-platform/eclipse.platform.releng.aggregator#1389 (comment) rather than using httpclient5. Have you checked whether the javahttpclient provider has this capability?

@scottslewis
Copy link
Contributor

@laeubi please take a look at this as it likely means further changes to javahttpclient

@laeubi
Copy link
Member

laeubi commented Nov 17, 2023
edited

@scottslewis do you think we should add a

Trace.trace(Activator.PLUGIN_ID, "SPNEGO is not supported, if you can contribute support, please do so.");

to javahttpclient as well ;-)

In general this describes how to do kerberos auth in java http subsystem:

https://docs.oracle.com/en/java/javase/11/security/part-vi-http-spnego-authentication.html#GUID-05B34286-D0B6-4C35-B0BF-C98CD9F7E1D2

Main problem is that I don not have any kerberos proxy ... so the very first thing I think would be to have some kind of testcase so one can work on it.

@scottslewis
Copy link
Contributor

@scottslewis do you think we should add a

Trace.trace(Activator.PLUGIN_ID, "SPNEGO is not supported, if you can contribute support, please do so.");

to javahttpclient as well ;-)

I think it would be more direct to just state that you are not able to do it yourself and so a contribution is likely required (or some other support path is required).

@laeubi
Copy link
Member

laeubi commented Nov 17, 2023

I once implemented kerberos auth and there are some impls out there but right now I have no kerberos infrastructure to use :-\

@scottslewis
Copy link
Contributor

I once implemented kerberos auth and there are some impls out there but right now I have no kerberos infrastructure to use :-\

Hmm...well, that sounds familiar (not having means to test proxy environments in ECF). I hope that someone recognizes the history here and does something more than to point at the community (which is doing quite a lot already IMHO).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@scottslewis @laeubi @christophvw