From 0e7622a9151e2247c95acec366e3f911e80f5764 Mon Sep 17 00:00:00 2001
From: Laurent Goujon
Date: Mon, 24 Feb 2014 13:23:00 -0800
Subject: [PATCH] Detects background authentication and force use of jgit authentication Sun HttpURLConnection is able to handle authentication like SPNEGO without caller intervention. However, there are some restrictions: - do not need user direct input (user,password for example) - it doesn't work when request body is chunked/streamed (because it cannot be replayed) Unfortunately there is no real way to leverage HttpURLConnection authentication work as the authentication header is stripped off the request before returning to the caller. There's also no way to explicitly disable authentication in HttpURLConnection (SPNEGO auth will always be attempted if a valid token can be created by GSSAPI). This is an issue for jgit since it is expected that the first request will be used to detect authentication method, and reuse for the subsequent requests. This patch modifies TransportHTTP to detect authentication done in the background by HttpURLConnection and sets the jgit authentication method accordingly so it will always work for future requests (assuming that the authentication method used by HttpURLConnection is also supported by jgit).
Bug: 428836
Change-Id: I79f3b70ca2b8377e20da8e6a01914e43e96595ce
Signed-off-by: Laurent Goujon
Signed-off-by: Chris Aniszczyk
---
 .../src/org/eclipse/jgit/transport/TransportHttp.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
index 19b3ab6a7..f4471bf83 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
@@ -52,6 +52,7 @@ import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_ENCODING;
 import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_TYPE;
 import static org.eclipse.jgit.util.HttpSupport.HDR_PRAGMA;
 import static org.eclipse.jgit.util.HttpSupport.HDR_USER_AGENT;
+import static org.eclipse.jgit.util.HttpSupport.HDR_WWW_AUTHENTICATE;
 import static org.eclipse.jgit.util.HttpSupport.METHOD_GET;
 import static org.eclipse.jgit.util.HttpSupport.METHOD_POST;
@@ -474,6 +475,13 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 final int status = HttpSupport.response(conn);
 switch (status) {
 case HttpConnection.HTTP_OK:
+ // Check if HttpConnection did some authentication in the
+ // background (e.g Kerberos/SPNEGO).
+ // That may not work for streaming requests and jgit
+ // explicit authentication would be required
+ if (authMethod == HttpAuthMethod.NONE
+ && conn.getHeaderField(HDR_WWW_AUTHENTICATE) != null)
+ authMethod = HttpAuthMethod.scanResponse(conn);
 return conn;
 case HttpConnection.HTTP_NOT_FOUND:
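Review bot: The new `HTTP_OK` branch adopts whatever scheme `HttpAuthMethod.scanResponse(conn)` derives from a server-supplied `WWW-Authenticate` header, without checking that it is the scheme HttpURLConnection actually negotiated in the background. The comment names Kerberos/SPNEGO, but a 200 response carrying a Basic or Digest challenge would presumably switch `authMethod` as well. No `authorize` call is visible in this branch, so later requests would run with a server-chosen method that has not yet been given credentials (scanResponse is outside the hunk, so this is inferred). I would hold the scan result in a local and assign it only when it is the negotiate method, and state the assumption in the comment, e.g. `// a WWW-Authenticate header on a 200 is expected only after background SPNEGO; other schemes are ignored here`. The enclosing method starts and ends outside the hunk.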