Improve SpnegoEngine to allow more login configuration options #1582
…async http client.
…just a couple of them.
add a map of spnego engines so you can support more than one spnego login config per jvm
@slandelle just wondering if you have a moment to check this out.
@nddipiazza Do you have any idea how this could be tested?
Hi @slandelle. The Apache CXF project has an example of a JUnit Kerberos ticket server that we could pull into the unit testing code. We could pull that in. It'd be a lot of work. Otherwise docker can do it.
perhaps a junit docker integration test like
Oh even better, I noticed this test module in apache cxf: https://github.com/apache/cxf/tree/master/systests/kerberos It uses apache directory to create a real KDC and uses it accordingly. That would be very nice because no docker dependency.
Hi @nddipiazza
* Login context name
* Username/password auth option
@slandelle ready for review
Thanks a lot, looks great!
Thanks!
…HttpClient#1582)
* add the ability to pass in a {principal name, keytab} combination to async http client.
* fix issue where spnego principal/keytab was no longer optional
* specify the login config as a map to allow all the values custom not just a couple of them.
* remove the principal/password assertion on not null add a map of spnego engines so you can support more than one spnego login config per jvm
* no need to detect null on loginContext
* add a SpnegoEngine unit test.
* Delete kerberos.jaas
* Update pom.xml
* Provide more granularity to be more aligned with other http clients:
  * Login context name
  * Username/password auth option
* remove useless comment
* add login context name and username into the instance key
* cxf.kerby.version -> kerby.version
# Conflicts:
# pom.xml
SpnegoEngine improvements
Summary
The current spnego implementation locks you into using a single kerberos login configuration, and the SpnegoEngine has no unit test coverage.
This fixes those things.
SpnegoEngineTest that uses apache kerby to test SpnegoEngine.
SpnegoEngine
.HTTP@
spns.new Realm.Builder()
. It's optional for spnego, so we should not be asserting that it's not null.
New parameters to the SpnegoEngine (parameters added to Realm/DSL where needed)
* servicePrincipalName - *new param* - to allow user to specify their own SPN.
* useCanonicalHostname - *new param* - whether or not to obtain the canonical hostname or just use the raw host.
* customLoginConfig - *new param* - allow to specify your own login configuration as map<string, string>
* loginContextName - *new param* - allow to choose a specific login configuration from the login conf
* realmName - send existing realm name to spnego engine to allow users to customize the @realmName appended to the SPN.
* username and password - send existing principal and password to the spnego engine to allow username/password kerberos auth as well.
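An added example, not code from this pull request or from async-http-client: using only JDK classes, it shows what the customLoginConfig, useCanonicalHostname and realmName parameters described above amount to, building an in-memory JAAS configuration from a map and an HTTP@host SPN. The class and method names, the rule for combining the SPN parts, the keytab path and the principal are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Added illustration, JDK classes only. Class and method names are hypothetical.
public class SpnegoLoginConfigExample {

    // Build an in-memory JAAS Configuration from a Map<String, String>, so the
    // login settings are per instance rather than one JVM-wide config file.
    static Configuration fromMap(Map<String, String> customLoginConfig) {
        Map<String, String> options = new HashMap<>(customLoginConfig); // defensive copy
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED,
                options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {entry}; // same entry for every context name
            }
        };
    }

    // Assumed combination rule: explicit SPN wins, else "HTTP@" + host; realm suffix is optional.
    static String spn(String servicePrincipalName, String host,
                      boolean useCanonicalHostname, String realmName) throws UnknownHostException {
        String name = servicePrincipalName;
        if (name == null) {
            String h = useCanonicalHostname
                    ? InetAddress.getByName(host).getCanonicalHostName() : host;
            name = "HTTP@" + h;
        }
        return realmName == null ? name : name + "@" + realmName;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> cfg = new HashMap<>();   // Krb5LoginModule options
        cfg.put("useKeyTab", "true");
        cfg.put("keyTab", "/path/to/client.keytab");  // placeholder path
        cfg.put("principal", "client@EXAMPLE.COM");   // constructed principal
        cfg.put("storeKey", "true");
        cfg.put("doNotPrompt", "true");
        System.out.println(fromMap(cfg).getAppConfigurationEntry("any")[0].getOptions());
        System.out.println(spn(null, "svc.example.com", false, "EXAMPLE.COM"));
    }
}
```

A Configuration built this way can be handed to the JDK's `LoginContext(String, Subject, CallbackHandler, Configuration)` constructor, which keeps keytab and principal choices scoped to one client instead of the whole JVM.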