Negotiate authentication for HTTP
Waldo Bastian
bastian at kde.org
Mon Jul 12 11:59:47 BST 2004
On Thu July 8 2004 01:41, Karsten Künne wrote:
> After Mozilla came out with support for negotiate authentication and we try
> to deploy it for our internal webservice I couldn't let Konqueror stand in
> the dark and be abandoned by our users. So I hacked together a patch for
> kioslave/http in order to support negotiate authentication.
Great, thanks!
> This patch
> works fine with apache and mod_auth_kerb-5.0-rc5 and heimdal on the server
> side. I tested it on a SuSE 9.0 system with KDE 3.2.3 but the diff is
> against KDE CVS from yesterday (there aren't many changes in this area
> between 3.2.3 and CVS). I don't know whether I got the autoconf magic
> right, I'm not an expert on that. Also, this implementation will most
> likely NOT work with IIS and SPNEGO and it doesn't support mutual
> authentication as it does not support multiple roundtrips between client
> and server. I have no way of testing against IIS so I can't work on this.
> But if you're using apache and mod_auth_kerb-5.0 it should work fine. It
> also supports multiple
> WWW-Authenticate headers, for instance "Negotiate" and "Basic" (this is
> what our server sends). If "Negotiate" repeatedly fails it falls back to
> the next lower authentication (in our case "Basic"). This is the behavior
> we want at our site. All the changes in http.cc and http.h are ifdef'd with
> HAVE_LIBGSSAPI so it should be transparent if this is not defined.
In HTTPProtocol::configAuth you add stuff like:

    if ( !b && PrevAuthentication < AUTH_Digest )

why is that needed? Because later on there is this test already:

    if ( f == AUTH_None ||
         (b && m_iProxyAuthCount > 0 && f < ProxyAuthentication) ||
         (!b && m_iWWWAuthCount > 0 && f < Authentication) )

You also #ifdef-out the following lines when HAVE_LIBGSSAPI is found:

    else
        m_iWWWAuthCount++;
    return;

Why is that?
Cheers,
Waldo
--
bastian at kde.org | KDE Community World Summit 2004 | bastian at suse.com
bastian at kde.org | 21-29 August, Ludwigsburg, Germany | bastian at suse.com
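
The scheme selection discussed in this thread (several WWW-Authenticate offers, with a fall back to the next lower scheme after repeated failures), as an added example that is not code from the patch or from kioslave/http. The function names, the failure limit and the strength ordering of the enum are assumptions of the example; the AUTH_* names follow the snippets quoted above.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Weakest first. This ordering is an assumption of the example.
enum Scheme { AUTH_None, AUTH_Basic, AUTH_NTLM, AUTH_Digest, AUTH_Negotiate };

// Map the first token of a WWW-Authenticate value to a scheme, ignoring case.
static Scheme parseScheme(const std::string &headerValue) {
    std::istringstream in(headerValue);
    std::string tok;
    in >> tok;
    for (char &c : tok) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (tok == "negotiate") return AUTH_Negotiate;
    if (tok == "digest") return AUTH_Digest;
    if (tok == "ntlm") return AUTH_NTLM;
    if (tok == "basic") return AUTH_Basic;
    return AUTH_None;  // unknown schemes are never selected
}

// Strongest offered scheme that has failed fewer than maxFailures times.
static Scheme selectScheme(const std::vector<std::string> &offers,
                           const std::map<Scheme, int> &failures, int maxFailures) {
    Scheme best = AUTH_None;
    for (const std::string &h : offers) {
        Scheme s = parseScheme(h);
        std::map<Scheme, int>::const_iterator it = failures.find(s);
        int n = (it == failures.end()) ? 0 : it->second;
        if (n < maxFailures && s > best) best = s;
    }
    return best;
}

// True when the next attempt uses a weaker scheme than the previous one,
// so the caller can log the fallback or ask the user before sending credentials.
static bool isDowngrade(Scheme previous, Scheme next) {
    return next != AUTH_None && next < previous;
}

int main() {
    // Constructed sample offers, matching the "Negotiate" plus "Basic" case in the thread.
    std::vector<std::string> offers = {"Negotiate", "Basic realm=\"intranet\""};
    std::map<Scheme, int> failures;
    failures[AUTH_Negotiate] = 2;  // Negotiate has already failed twice
    Scheme next = selectScheme(offers, failures, 2);
    std::cout << "next=" << next << " downgrade=" << isDowngrade(AUTH_Negotiate, next) << "\n";
    return 0;
}
```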