HTTPCLIENT-1625 Completely overhaul GSS-API-based authentication backend #577
Conversation
stoty
force-pushed
the
HTTPCLIENT-1625
branch
2 times, most recently
from
01354e2
to
cf04092
Compare
httpclient5/src/main/java/org/apache/hc/client5/http/auth/AuthScheme.java
Outdated
Show resolved
Hide resolved
httpclient5/src/main/java/org/apache/hc/client5/http/auth/AuthSchemeV2.java
Outdated
Show resolved
Hide resolved
| private final Option stripPort; | ||
| private final Option useCanonicalHostname; | ||
| private final Option requestDelegCreds; | ||
| private final Option stripPort; //Effective default is ENABLE |
There was a problem hiding this comment.
I would invert this. For the past 15 years, I haven't seen a single deployment using the port with HTTP service class, especially because that major clients do not even support this.
There was a problem hiding this comment.
That's certainly possible, but that would introduce an incompatibility with the 5.2 behaviour.
| private final Option stripPort; //Effective default is ENABLE | ||
| private final Option useCanonicalHostname; //Effective default is ENABLE | ||
| private final Option requestDelegCreds; //Effective default is DISABLE | ||
| private final Option requestMutualAuth; //Effective default is DISABLE |
There was a problem hiding this comment.
I would like to see a usecase why this should not be on by default without an option at all.
There was a problem hiding this comment.
All I can came up with is:
- GSS does not default to mutual auth
- Backwards compatibility
I would at least leave an option to disable this, so that there is an out for very broken cases.
Of course there is also a case for forcing users to clean up their potentially broken setup.
There was a problem hiding this comment.
I have looked at this, and the current API is really built around using the gss library default settings.
Since we are making incompatible changes anyway, if we want to set non-default gss options by default, (and keep them configurable), then we should remove the default options, and use simple booleans with explicit true/false defaults.
httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java
Show resolved
Hide resolved
| throw new AuthenticationException(gsse.getMessage(), gsse); | ||
| } | ||
| // other error | ||
| throw new AuthenticationException(gsse.getMessage(), gsse); |
There was a problem hiding this comment.
Won't those duplicate the message?
There was a problem hiding this comment.
Not really.
But the Auth. execption would have the same message as the cause.
We can write some new message for the Auth. exception, I just really hate when a library swallows the original exception instead of wrapping it.
httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
Outdated
Show resolved
Hide resolved
httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
Outdated
Show resolved
Hide resolved
| */ | ||
| @Deprecated |
| */ | ||
| @Deprecated | ||
| @Experimental | ||
| public class SPNegoScheme extends GGSSchemeBase { |
There was a problem hiding this comment.
Should also go in favor of SpnegoScheme
|
Thanks for the initial review @michael-o . Regarding the renames and changing the defaults, I have specifically tried to touch as little as possible because much of the GSS/Kerberos code was not removed from codebase when disabling SPNEGO, which I assumed was for brackwards compatibility reasons. I'm fine with your proposed changes, but those may theoretically cause issues with pre-5.3 apps, and will cause the api compare plugin to go wild. |
Will engage next week again. |
|
I believe I have addressed your comments which do not change the API. |
|
Can you take another look at the current patch @michael-o ? |
Will pick end of this week or next week. |
stoty
force-pushed
the
HTTPCLIENT-1625
branch
from
99bb75c
to
de8dd8d
Compare
|
Rebased to current master |
|
@ok2c @stoty I gave this another conceptual thought: We said that we are going to remove the current code for good, but this PR reuses it and makes it partially undeprecated. For me, this is not straight forward. My gut feeling says that we should remove completely first and the @stoty can readd the code he thinks is required to satisfy this PR. WDYT? |
|
@michael-o We cannot remove old implementation unless we are willing to go to the major release cycle and release these changes as 6.0. I suggest that the old classes are left deprecated as there might still be users that rely on them and new implementation is added in parallel (with different names or in a different package). |
I see, than we need new packages names. Agreed. |
stoty
force-pushed
the
HTTPCLIENT-1625
branch
from
de8dd8d
to
5b5564b
Compare
|
I have reverted the removals. I don't see what alternative package name we could use instead of "org.apache.hc.client5.http.auth" Maybe I could prefix the new classes with "Mutual" ? The other classes are strictly backwards compatible, like KerberosCredentials, and KerberosConfig. |
I'll get back to this question this week, have some serious trouble at $work I need to solve first. |
|
I don't think that removing deprecation is problem, especially as these classes were deprecated without providing a replacement, not because they were replaced by something. |
@stoty Un-deprecate those classes that can be kept fully backward compatible and create new classes for those that cannot |
No description provided.