Bug 60696 - SPNEGO always canonicalizes host names, Option to pick behavior would be welcome
Status: NEEDINFO
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP
Version: 3.1
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ---
Assignee: JMeter issues mailing list
Reported: 2017-02-06 20:55 UTC by Zoltan Farkas
Modified: 2017-11-04 16:58 UTC
Description Zoltan Farkas 2017-02-06 20:55:38 UTC
At:

https://github.com/apache/jmeter/blob/c616f4f84d11812febbf442806b90b02c306fe0c/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java#L474

SPNegoSchemeFactory is created like:

new SPNegoSchemeFactory(isStripPort(url));

The scheme factory has an alternate constructor (https://github.com/apache/httpclient/blob/4.5.x/httpclient/src/main/java/org/apache/http/impl/auth/SPNegoSchemeFactory.java#L53) that allows picking the canonicalization behavior for the host name:

    /**
     * @since 4.4
     */
    public SPNegoSchemeFactory(final boolean stripPort, final boolean useCanonicalHostname) {

Unfortunately, for certain use cases where we have a load balancer serving multiple names mapped to the same IP address, the canonicalization breaks authentication for us by generating an incorrect SPN.

It would be helpful to be able to control this behavior in JMeter either via UI or config.
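
Added example (not part of the original report, and not JMeter or HttpClient code): one way the requested switch could be wired to the two-argument constructor quoted above, together with the SPN each setting yields in the load balancer case. The property name, the host names, the lookup table standing in for DNS and the HTTP@host service-name form are assumptions made for illustration.

```java
import java.util.Map;
import java.util.function.UnaryOperator;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;

public class SpnegoCanonicalizationExample {
    // Hypothetical property name; not an existing JMeter setting.
    static final String PROP = "example.spnego.useCanonicalHostname";

    /** Builds a registry whose SPNEGO factory honours the switch; "true" keeps today's behaviour. */
    static Registry<AuthSchemeProvider> registry(boolean stripPort) {
        boolean canonical = Boolean.parseBoolean(System.getProperty(PROP, "true"));
        return RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(stripPort, canonical))
                .build();
    }

    /** Service name requested for a URL host; canonicalizer stands in for the DNS lookup. */
    static String spn(String host, boolean canonical, UnaryOperator<String> canonicalizer) {
        return "HTTP@" + (canonical ? canonicalizer.apply(host) : host);
    }

    public static void main(String[] args) {
        // Constructed data: two service names share one load balancer address,
        // and that address resolves back to the balancer's own host name.
        Map<String, String> dns = Map.of(
                "app1.example.com", "lb01.example.net",
                "app2.example.com", "lb01.example.net");
        UnaryOperator<String> lookup = h -> dns.getOrDefault(h, h);

        for (String host : dns.keySet()) {
            // Canonicalized: both names collapse to HTTP@lb01.example.net,
            // which is not the principal registered for either service.
            System.out.println(host + " canonical=true  -> " + spn(host, true, lookup));
            // Not canonicalized: the SPN keeps the name the client asked for.
            System.out.println(host + " canonical=false -> " + spn(host, false, lookup));
        }

        System.setProperty(PROP, "false");
        boolean registered = registry(true).lookup(AuthSchemes.SPNEGO) != null;
        System.out.println("SPNEGO factory registered: " + registered);
    }
}
```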
Comment 1 Michael Osipov 2017-02-07 10:42:50 UTC
For what it is worth, see my tickets for HttpClient in JIRA. This code is severely broken.
Comment 2 Zoltan Farkas 2017-02-07 18:18:23 UTC
Maybe Apache HTTP client, instead of defaulting to useCanonicalHostname = true, should default to whatever is configured in krb5.conf [libdefaults] canonicalize = ?

http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
Comment 3 Philippe Mouawad 2017-02-07 21:54:55 UTC
(In reply to Michael Osipov from comment #1)
> For what it is worth, see my tickets for HttpClient in JIRA. This code is
> severely broken.

Hi,
Which one?
Thanks
Comment 4 Philippe Mouawad 2017-11-04 16:58:33 UTC
(In reply to Philippe Mouawad from comment #3)
> (In reply to Michael Osipov from comment #1)
> > For what it is worth, see my tickets for HttpClient in JIRA. This code is
> > severely broken.
> 
> Hi,
> Which one ?
> Thanks

I suppose those are the tickets:
https://issues.apache.org/jira/browse/HTTPCLIENT-1625
https://issues.apache.org/jira/browse/HTTPCLIENT-1570