[jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided

From: Josh Elser <elserj@xxxxxxxxxx>
Date: Thu, 27 Jul 2017 16:18:07 -0400
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:55.0) Gecko/20100101 Thunderbird/55.0

Hi all,

I've been digging into an interesting case I'd like to run by you all.

I have a Jetty application that requires SPNEGO authentication sittingbehind a reverse-proxy that requires HTTP Basic authentication (clientsuse Basic auth to talk to the reverse-proxy and the reverse-proxy usesSPNEGO to talk to the Jetty application). The problem was that thereverse-proxy was failing to authenticate with the Jetty application.

Digging further, I noticed that the reverse-proxy does not strip theHTTP Basic Authorization header sent by the client. When Jetty see thatrequest, it does not send back the expected HTTP/401 with aWWW-Negotiate header. I just seem a plain HTTP/401 that comes fromapplication (as the user was not authenticated).

Looking at the source of SpnegoAuthenticator[1], the negotiate challengewill _only_ be sent when no Authorization headed was sent by the client.This seemed a bit odd to me, so I re-read RFC-4559[2], section 4.1:


<quote>
If the server receives a request for an access-protected object, and
if an acceptable Authorization header has not been sent, the server
responds with a "401 Unauthorized" status code, and a "WWW-
Authenticate: Negotiate" header as per the framework described in [RFC2616].
</quote>

Given the above, my initial interpretation was that if a client providessome Authorization header which is not sufficient for SPNEGOauthentication, SpnegoAuthenticator should sent the challenge request.That is not the case -- SpnegoAuthenticator will only send the challengerequest when _no_ Authorization header is provided.

I wanted to drop a note because I can imagine that there are edge-caseswhich I'm not considering. Thanks in advance!



- Josh

[1]https://github.com/eclipse/jetty.project/blob/0c8273f2ca1f9bf2064cd9c4c939d2546443f759/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SpnegoAuthenticator.java#L76-L94

[2] https://tools.ietf.org/html/rfc4559

Follow-Ups:
- Re: [jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided
  - From: Joakim Erdfelt

Prev by Date: [jetty-dev] JDK 9 EA Build 178 & JDK 8u152 b05 are available on jdk.java.net
Next by Date: Re: [jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided
Previous by thread: [jetty-dev] JDK 9 EA Build 178 & JDK 8u152 b05 are available on jdk.java.net
Next by thread: Re: [jetty-dev] Missing WWW-Authenticate from SpnegoAuthenticator when other Authorization header provided
Index(es):
- Date
- Thread

Breadcrumbs