[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jgit-dev] SPNEGO authentication for jgit




On Tue, Feb 25, 2014 at 2:11 AM, Halstrick, Christian <christian.halstrick@xxxxxxx> wrote:

Hi Laurent,

 

have you seen my changes to teach jgit to use org.apache httpclient instead of jdk’s HttpURLConnection [1][2]? JGit will then not use jdks HttpURLConnection at all and uses apaches classes
which support SPNEGO. I am not sure whether this will help but I can imagine that it will at least change the situation a lot. I could imagine that your changes are still needed also when we
use HttpClient … but I think you should test this. In the best case you would even not need your changes but simply switch to usage of HttpClient.  My guess would be that we still need your changes
also when we use httpclient. JDKs HttpURLConnection and Apaches HttpClient both support SPNEGO so the difference shouldn’t be big.
 
Hi Christian,

Yes, I saw your changes and tested them. That's actually what triggered me to work on SPNEGO :)

From my tests, Apache HC doesn't support out of the box SPNEGO: you need to register a auth module like suggested by [1] and probably some other stuff (I tried to reuse the example as-is with no success). And it probably as the same issue as JDK HttpUrlConnection: not being able to handle authentication for streamed requests.
But on the bright side, it works as-is with my changes. The only difference I noticed is a prompt for user/password when creating the security token for the first time (I suspect that Sun has some methods to avoid this), but pressing enter (without entering informations) is enough to complete authentication and clone a repository for example.

Is there any chance that we get tests for this? We do have unit tests where we start our own jetty based git server inside the test and check that the user gets authenticated using
BASIC authentication [3]. Is there any chance to get such a test for SPNEGO?
I would love to provide tests, but I'm not sure if it is doable (I haven't found an easy way for now). SPNEGO is using  jGSS which is using the system libraries for security/authentication. I'm looking for a way to mock/inject my own code in the process, but haven't seen an API yet to do so...
 
Ciao
  Chris
 
[1] https://git.eclipse.org/r/#/c/22091
[2] https://git.eclipse.org/r/#/c/22090
[3] https://raw.github.com/eclipse/jgit/master/org.eclipse.jgit.http.test/tst/org/eclipse/jgit/http/test/HttpClientTests.java

 

From: jgit-dev-bounces@xxxxxxxxxxx [mailto:jgit-dev-bounces@xxxxxxxxxxx] On Behalf Of Laurent Goujon
Sent: Dienstag, 25. Februar 2014 04:37
To: jgit-dev@xxxxxxxxxxx
Subject: [jgit-dev] SPNEGO authentication for jgit

 

Hi,

My company is using SPNEGO/Kerberos for git authentication, and it seems it doesn't work well with jgit.

I open bug 428836 [1] to track this issue, and I also tried to fix it by myself. So far, I submitted 4 patches to Gerrit to implement the feature.

- https://git.eclipse.org/r/22486
- https://git.eclipse.org/r/22487
- https://git.eclipse.org/r/22488
- https://git.eclipse.org/r/22489

It would be great if some people could review them, and provides feedback. Patches have been submitted to Hudson, but builds aborted before the end.

Thanks in advance,

Laurent