-
Notifications
You must be signed in to change notification settings - Fork 936
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPCLIENT-1625 Completely overhaul GSS-API-based authentication backend #577
base: master
Are you sure you want to change the base?
Conversation
01354e2
to
cf04092
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First, incomplete review.
httpclient5/src/main/java/org/apache/hc/client5/http/auth/AuthScheme.java
Outdated
Show resolved
Hide resolved
httpclient5/src/main/java/org/apache/hc/client5/http/auth/AuthSchemeV2.java
Outdated
Show resolved
Hide resolved
private final Option stripPort; | ||
private final Option useCanonicalHostname; | ||
private final Option requestDelegCreds; | ||
private final Option stripPort; //Effective default is ENABLE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would invert this. For the past 15 years, I haven't seen a single deployment using the port with HTTP
service class, especially because that major clients do not even support this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's certainly possible, but that would introduce an incompatibility with the 5.2 behaviour.
private final Option stripPort; //Effective default is ENABLE | ||
private final Option useCanonicalHostname; //Effective default is ENABLE | ||
private final Option requestDelegCreds; //Effective default is DISABLE | ||
private final Option requestMutualAuth; //Effective default is DISABLE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to see a usecase why this should not be on by default without an option at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All I can came up with is:
- GSS does not default to mutual auth
- Backwards compatibility
I would at least leave an option to disable this, so that there is an out for very broken cases.
Of course there is also a case for forcing users to clean up their potentially broken setup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have looked at this, and the current API is really built around using the gss library default settings.
Since we are making incompatible changes anyway, if we want to set non-default gss options by default, (and keep them configurable), then we should remove the default options, and use simple booleans with explicit true/false defaults.
httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java
Show resolved
Hide resolved
throw new AuthenticationException(gsse.getMessage(), gsse); | ||
} | ||
// other error | ||
throw new AuthenticationException(gsse.getMessage(), gsse); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't those duplicate the message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really.
But the Auth. execption would have the same message as the cause.
We can write some new message for the Auth. exception, I just really hate when a library swallows the original exception instead of wrapping it.
httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
Outdated
Show resolved
Hide resolved
httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/GGSSchemeBase.java
Outdated
Show resolved
Hide resolved
*/ | ||
@Deprecated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will go
*/ | ||
@Deprecated | ||
@Experimental | ||
public class SPNegoScheme extends GGSSchemeBase { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should also go in favor of SpnegoScheme
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
Thanks for the initial review @michael-o . Regarding the renames and changing the defaults, I have specifically tried to touch as little as possible because much of the GSS/Kerberos code was not removed from codebase when disabling SPNEGO, which I assumed was for brackwards compatibility reasons. I'm fine with your proposed changes, but those may theoretically cause issues with pre-5.3 apps, and will cause the api compare plugin to go wild. |
Will engage next week again. |
I believe I have addressed your comments which do not change the API. |
Can you take another look at the current patch @michael-o ? |
Will pick end of this week or next week. |
99bb75c
to
de8dd8d
Compare
Rebased to current master |
@ok2c @stoty I gave this another conceptual thought: We said that we are going to remove the current code for good, but this PR reuses it and makes it partially undeprecated. For me, this is not straight forward. My gut feeling says that we should remove completely first and the @stoty can readd the code he thinks is required to satisfy this PR. WDYT? |
@michael-o We cannot remove old implementation unless we are willing to go to the major release cycle and release these changes as 6.0. I suggest that the old classes are left deprecated as there might still be users that rely on them and new implementation is added in parallel (with different names or in a different package). |
I see, than we need new packages names. Agreed. |
de8dd8d
to
5b5564b
Compare
I have reverted the removals. I don't see what alternative package name we could use instead of "org.apache.hc.client5.http.auth" Maybe I could prefix the new classes with "Mutual" ? The other classes are strictly backwards compatible, like KerberosCredentials, and KerberosConfig. |
I'll get back to this question this week, have some serious trouble at $work I need to solve first. |
I don't think that removing deprecation is problem, especially as these classes were deprecated without providing a replacement, not because they were replaced by something. |
@stoty Un-deprecate those classes that can be kept fully backward compatible and create new classes for those that cannot |
No description provided.