making the proxy work with kerberos (grizzly provider)

Author: vedil

api/src/main/java/com/ning/http/client/ProxyServer.java

@@ -53,15 +53,15 @@ public String toString() {
     private int port;
     private String ntlmDomain = System.getProperty("http.auth.ntlm.domain", "");
 
-    private boolean isBasic = true;
+    /*private boolean isBasic = true;
     
     public boolean isBasic() {
 		return isBasic;
 	}
 
 	public void setBasic(boolean isBasic) {
 		this.isBasic = isBasic;
-	}
+	}*/
 
 	public ProxyServer(final Protocol protocol, final String host, final int port, String principal, String password) {
         this.protocol = protocol;

providers/grizzly/src/main/java/com/ning/http/client/providers/grizzly/GSSSPNEGOWrapper.java

@@ -0,0 +1,49 @@
+package com.ning.http.client.providers.grizzly;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+import com.ning.http.util.Base64;
+
+public class GSSSPNEGOWrapper {
+
+	private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
+	
+	static GSSManager getManager() {
+        return GSSManager.getInstance();
+    }
+	
+	static  byte[] generateGSSToken(
+            final byte[] input, final Oid oid, final String authServer) throws GSSException {
+        byte[] token = input;
+        if (token == null) {
+            token = new byte[0];
+        }
+        GSSManager manager = getManager();
+        GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
+        GSSContext gssContext = manager.createContext(
+                serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
+        gssContext.requestMutualAuth(true);
+        gssContext.requestCredDeleg(true);
+        return gssContext.initSecContext(token, 0, token.length);
+    }
+	
+	public  static String generateToken(String authServer)
+	{
+		String  returnVal = "";
+		Oid oid;
+		try {
+			oid = new Oid(KERBEROS_OID);
+			byte[] token = GSSSPNEGOWrapper.generateGSSToken(null, oid, authServer);
+			returnVal = new String(Base64.encode(token));
+		} catch (GSSException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+		
+		return returnVal;
+	}
+}

providers/grizzly/src/main/java/com/ning/http/client/providers/grizzly/GrizzlyAsyncHttpProvider.java

@@ -168,7 +168,6 @@ public class GrizzlyAsyncHttpProvider implements AsyncHttpProvider {
 
     private final static NTLMEngine ntlmEngine = new NTLMEngine();
 
-
     // ------------------------------------------------------------ Constructors
 
 
@@ -916,12 +915,16 @@ private boolean sendAsGrizzlyRequest(final Request request,
                         requestPacket.setHeader(Header.ProxyConnection, "keep-alive");
                     }
 
-                    if(proxy.getNtlmDomain() != null && proxy.getNtlmDomain().length() > 0)
+                    if(null == requestPacket.getHeader(Header.ProxyAuthorization) )
+                    {
+                    	requestPacket.setHeader(Header.ProxyAuthorization, AuthenticatorUtils.computeBasicAuthentication(proxy));
+                    }
+                    /*if(proxy.getNtlmDomain() != null && proxy.getNtlmDomain().length() > 0)
                     {
                     	LOGGER.debug("probably ntlm.. not adding header..");
                     }else if (proxy.getPrincipal() != null && proxy.isBasic()) {
                     	requestPacket.setHeader(Header.ProxyAuthorization, AuthenticatorUtils.computeBasicAuthentication(proxy));
-                    }
+                    }*/
 
                 }
             }
@@ -1393,7 +1396,7 @@ protected boolean onHttpPacketParsed(HttpHeader httpHeader, FilterChainContext c
             final String proxy_auth = httpHeader.getHeader(Header.ProxyAuthenticate);
 
             if (httpHeader.isSkipRemainder() ) {
-            	if(!ProxyAuthorizationHandler.isSecondHandShake(proxy_auth))
+            	if(!ProxyAuthorizationHandler.isNTLMSecondHandShake(proxy_auth))
             	{
 	                clearResponse(ctx.getConnection());
 	                cleanup(ctx, provider);
@@ -1653,7 +1656,7 @@ public boolean handleStatus(final HttpResponsePacket responsePacket,
                     String msg = null;
 					try {
 
-						if(isFirstHandShake(proxy_auth))
+						if(isNTLMFirstHandShake(proxy_auth))
 						{
 							msg = ntlmEngine.generateType1Msg(proxyServer.getNtlmDomain(), "");
 						}else {
@@ -1665,21 +1668,46 @@ public boolean handleStatus(final HttpResponsePacket responsePacket,
 					} catch (Exception e1) {
 						e1.printStackTrace();
 					}
-                }  else {
+                }   else if (proxy_auth.toLowerCase().startsWith("negotiate")){
+                	//this is for kerberos
+                	req.getHeaders().remove(Header.ProxyAuthenticate.toString());
+                    req.getHeaders().remove(Header.ProxyAuthorization.toString());
+                	
+                }else {
                     throw new IllegalStateException("Unsupported authorization method: " + proxy_auth);
                 }
 
                 final ConnectionManager m = httpTransactionContext.provider.connectionManager;
                 InvocationStatus tempInvocationStatus = InvocationStatus.STOP;
 
                 try {
-                    if(isFirstHandShake(proxy_auth))
+                	
+                    if(isNTLMFirstHandShake(proxy_auth))
                     {
                     	tempInvocationStatus = InvocationStatus.CONTINUE;
 
                     }
 
-                    if(isSecondHandShake(proxy_auth))
+                    if(proxy_auth.toLowerCase().startsWith("negotiate"))
+                    {
+                    	final Connection c = m.obtainConnection(req, httpTransactionContext.future);
+                        final HttpTransactionContext newContext = httpTransactionContext.copy();
+                        httpTransactionContext.future = null;
+                        httpTransactionContext.provider.setHttpTransactionContext(c, newContext);
+                        
+                        newContext.invocationStatus = tempInvocationStatus;
+                        
+                        String challengeHeader = null;
+                        String server = proxyServer.getHost();
+                        
+                        challengeHeader = GSSSPNEGOWrapper.generateToken(server);
+
+                        req.getHeaders().add(Header.ProxyAuthorization.toString(), "Negotiate " + challengeHeader);
+                        
+                        
+	                    return exceuteRequest(httpTransactionContext, req, c,
+								newContext);
+                    }else if(isNTLMSecondHandShake(proxy_auth))
                     {
                     	final Connection c = ctx.getConnection();
                         final HttpTransactionContext newContext = httpTransactionContext.copy(); //httpTransactionContext.copy();
@@ -1690,17 +1718,8 @@ public boolean handleStatus(final HttpResponsePacket responsePacket,
                         newContext.invocationStatus = tempInvocationStatus;
                         httpTransactionContext.establishingTunnel = true;
 
-                    	try {
-	                        httpTransactionContext.provider.execute(c,
-	                                                                req,
-	                                                                httpTransactionContext.handler,
-	                                                                httpTransactionContext.future);
-	                        return false;
-	                    } catch (IOException ioe) {
-	                    	ioe.printStackTrace();
-	                        newContext.abort(ioe);
-	                        return false;
-	                    }
+                    	return exceuteRequest(httpTransactionContext, req, c,
+								newContext);
 
                     }
                     else{
@@ -1711,28 +1730,39 @@ public boolean handleStatus(final HttpResponsePacket responsePacket,
 
                         newContext.invocationStatus = tempInvocationStatus;
 
-	                    try {
-	                        httpTransactionContext.provider.execute(c,
-	                                                                req,
-	                                                                httpTransactionContext.handler,
-	                                                                httpTransactionContext.future);
-	                        return false;
-	                    } catch (IOException ioe) {
-	                        newContext.abort(ioe);
-	                        return false;
-	                    }
+	                    return exceuteRequest(httpTransactionContext, req, c,
+								newContext);
                     }
                 } catch (Exception e) {
                     httpTransactionContext.abort(e);
-                }
+                } catch (Throwable e) {
+					e.printStackTrace();
+					httpTransactionContext.abort(e);
+				}
                 httpTransactionContext.invocationStatus = tempInvocationStatus;
                 return false;
             }
 
-			public static boolean isSecondHandShake(final String proxy_auth) {
+			private boolean exceuteRequest(
+					final HttpTransactionContext httpTransactionContext,
+					final Request req, final Connection c,
+					final HttpTransactionContext newContext) {
+				try {
+				    httpTransactionContext.provider.execute(c,
+				                                            req,
+				                                            httpTransactionContext.handler,
+				                                            httpTransactionContext.future);
+				    return false;
+				} catch (IOException ioe) {
+				    newContext.abort(ioe);
+				    return false;
+				}
+			}
+
+			public static boolean isNTLMSecondHandShake(final String proxy_auth) {
 				return (proxy_auth.toLowerCase().startsWith("ntlm") && !proxy_auth.equalsIgnoreCase("ntlm"));
 			}
-			public static boolean isFirstHandShake(final String proxy_auth) {
+			public static boolean isNTLMFirstHandShake(final String proxy_auth) {
 				return (proxy_auth.equalsIgnoreCase("ntlm"));
 			}