I needed more flexibility and added some features to the server HTTP handler. There have been issues asking for similar features (#313, #314); I hope you will find this useful too. Compatibility with the current method is maintained.

Basic auth

When the client first connects without any authorization header, we offer both Negotiate and Basic. The browser picks what works.

With basic auth, I get the user and password via the HTTP header. Then I try to log in to the realms listed in the config. I think mod_auth_kerb for httpd stops here, but that only gives us a username. I create a service ticket on behalf of the user so we can get all the ticket attributes in the goidentity context (same as SPNEGO/Negotiate auth).

Since I create a new client.Client, I had to add the config and optional settings.

Custom unauthorized handler

I set the unauthorized status code and www-authenticate headers, then call the specified handler or a default one if it doesn't exist.

Pass-through unknown authentication types

If the client provides an authorization type that is not Negotiate or Basic, we pass the request to the next handler. That helps if there's another handler in the chain to handle it (e.g. bearer tokens). This does not affect clients not providing an authorization at all; they will still be presented with Negotiate and Basic if configured.
The testing environment has been very useful, thanks!
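
The dispatch order described in this pull request, as an added standard-library sketch that is not code from the PR or the project. `AuthMiddleware`, `challenge`, `Probe`, the `verifyBasic` and `negotiate` hooks, the realm string and the credentials are all hypothetical stand-ins for the Kerberos login and SPNEGO validation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthMiddleware dispatches on the Authorization scheme. negotiate and
// verifyBasic are hypothetical hooks, not functions of the library.
func AuthMiddleware(next, negotiate http.Handler, verifyBasic func(user, pass string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, _, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		switch {
		case scheme == "":
			challenge(w) // no credentials yet: offer both schemes
		case strings.EqualFold(scheme, "Negotiate"):
			negotiate.ServeHTTP(w, r)
		case strings.EqualFold(scheme, "Basic"):
			if user, pass, ok := r.BasicAuth(); ok && verifyBasic(user, pass) {
				next.ServeHTTP(w, r)
			} else {
				challenge(w) // malformed or rejected credentials
			}
		default:
			next.ServeHTTP(w, r) // unknown scheme (e.g. Bearer): pass through
		}
	})
}

func challenge(w http.ResponseWriter) { // 401 with one header per offered scheme
	w.Header().Add("WWW-Authenticate", "Negotiate")
	w.Header().Add("WWW-Authenticate", `Basic realm="example"`)
	http.Error(w, "Unauthorized", http.StatusUnauthorized)
}

// Probe sends one constructed request through the middleware and returns the
// status code and the WWW-Authenticate values a client would receive.
func Probe(authz string) (int, []string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	verify := func(u, p string) bool { return u == "alice" && p == "pw" } // constructed credentials
	req := httptest.NewRequest("GET", "/", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	AuthMiddleware(ok, ok, verify).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Values("WWW-Authenticate")
}

func main() { fmt.Println(Probe("")) }
```

In this sketch a request with an unknown scheme reaches `next` with no identity attached, so the downstream handler has to enforce its own authentication.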