httpclient5-testing/src/test/java/org/apache/hc/client5/testing/sync/TestWindowsNegotiateScheme.java - httpcomponents-client - Git at Google

 /*
  * ====================================================================
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  * ====================================================================
  *
  * This software consists of voluntary contributions made by many
  * individuals on behalf of the Apache Software Foundation.  For more
  * information on the Apache Software Foundation, please see
  * <http://www.apache.org/>.
  *
  */
 package org.apache.hc.client5.testing.sync;

 import org.apache.hc.client5.http.auth.AuthSchemeFactory;
 import org.apache.hc.client5.http.auth.StandardAuthScheme;
 import org.apache.hc.client5.http.classic.methods.HttpGet;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.win.WinHttpClients;
 import org.apache.hc.client5.http.impl.win.WindowsNegotiateSchemeGetTokenFail;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.config.Registry;
 import org.apache.hc.core5.http.config.RegistryBuilder;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.junit.Assume;
 import org.junit.Test;

 /**
  * Unit tests for Windows negotiate authentication.
  */
 public class TestWindowsNegotiateScheme extends LocalServerTestBase {

     @Test(timeout=30000) // this timeout (in ms) needs to be extended if you're actively debugging the code
     public void testNoInfiniteLoopOnSPNOutsideDomain() throws Exception {
         this.server.registerHandler("/", (request, response, context) -> {
             response.addHeader(HttpHeaders.WWW_AUTHENTICATE, StandardAuthScheme.SPNEGO);
             response.setCode(HttpStatus.SC_UNAUTHORIZED);
         });
         Assume.assumeTrue("Test can only be run on Windows", WinHttpClients.isWinAuthAvailable());

         // HTTPCLIENT-1545
         // If a service principal name (SPN) from outside your Windows domain tree (e.g., HTTP/example.com) is used,
         // InitializeSecurityContext will return SEC_E_DOWNGRADE_DETECTED (decimal: -2146892976, hex: 0x80090350).
         // Because WindowsNegotiateScheme wasn't setting the completed state correctly when authentication fails,
         // HttpClient goes into an infinite loop, constantly retrying the negotiate authentication to kingdom
         // come. This error message, "The system detected a possible attempt to compromise security. Please ensure that
         // you can contact the server that authenticated you." is associated with SEC_E_DOWNGRADE_DETECTED.

         final Registry<AuthSchemeFactory> authSchemeRegistry = RegistryBuilder.<AuthSchemeFactory>create()
             .register(StandardAuthScheme.SPNEGO, context -> new WindowsNegotiateSchemeGetTokenFail(StandardAuthScheme.SPNEGO, "HTTP/example.com")).build();
         final CloseableHttpClient customClient = HttpClientBuilder.create()
                 .setDefaultAuthSchemeRegistry(authSchemeRegistry).build();

         final HttpHost target = start();
         final HttpGet httpGet = new HttpGet("/");
         try (final CloseableHttpResponse response = customClient.execute(target, httpGet)) {
             EntityUtils.consume(response.getEntity());
         }
     }

 }
	/*
	* ====================================================================
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	* ====================================================================
	*
	* This software consists of voluntary contributions made by many
	* individuals on behalf of the Apache Software Foundation. For more
	* information on the Apache Software Foundation, please see
	* <http://www.apache.org/>.
	*
	*/
	package org.apache.hc.client5.testing.sync;

	import org.apache.hc.client5.http.auth.AuthSchemeFactory;
	import org.apache.hc.client5.http.auth.StandardAuthScheme;
	import org.apache.hc.client5.http.classic.methods.HttpGet;
	import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
	import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
	import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
	import org.apache.hc.client5.http.impl.win.WinHttpClients;
	import org.apache.hc.client5.http.impl.win.WindowsNegotiateSchemeGetTokenFail;
	import org.apache.hc.core5.http.HttpHeaders;
	import org.apache.hc.core5.http.HttpHost;
	import org.apache.hc.core5.http.HttpStatus;
	import org.apache.hc.core5.http.config.Registry;
	import org.apache.hc.core5.http.config.RegistryBuilder;
	import org.apache.hc.core5.http.io.entity.EntityUtils;
	import org.junit.Assume;
	import org.junit.Test;

	/**
	* Unit tests for Windows negotiate authentication.
	*/
	public class TestWindowsNegotiateScheme extends LocalServerTestBase {

	@Test(timeout=30000) // this timeout (in ms) needs to be extended if you're actively debugging the code
	public void testNoInfiniteLoopOnSPNOutsideDomain() throws Exception {
	this.server.registerHandler("/", (request, response, context) -> {
	response.addHeader(HttpHeaders.WWW_AUTHENTICATE, StandardAuthScheme.SPNEGO);
	response.setCode(HttpStatus.SC_UNAUTHORIZED);
	});
	Assume.assumeTrue("Test can only be run on Windows", WinHttpClients.isWinAuthAvailable());

	// HTTPCLIENT-1545
	// If a service principal name (SPN) from outside your Windows domain tree (e.g., HTTP/example.com) is used,
	// InitializeSecurityContext will return SEC_E_DOWNGRADE_DETECTED (decimal: -2146892976, hex: 0x80090350).
	// Because WindowsNegotiateScheme wasn't setting the completed state correctly when authentication fails,
	// HttpClient goes into an infinite loop, constantly retrying the negotiate authentication to kingdom
	// come. This error message, "The system detected a possible attempt to compromise security. Please ensure that
	// you can contact the server that authenticated you." is associated with SEC_E_DOWNGRADE_DETECTED.

	final Registry<AuthSchemeFactory> authSchemeRegistry = RegistryBuilder.<AuthSchemeFactory>create()
	.register(StandardAuthScheme.SPNEGO, context -> new WindowsNegotiateSchemeGetTokenFail(StandardAuthScheme.SPNEGO, "HTTP/example.com")).build();
	final CloseableHttpClient customClient = HttpClientBuilder.create()
	.setDefaultAuthSchemeRegistry(authSchemeRegistry).build();

	final HttpHost target = start();
	final HttpGet httpGet = new HttpGet("/");
	try (final CloseableHttpResponse response = customClient.execute(target, httpGet)) {
	EntityUtils.consume(response.getEntity());
	}
	}

	}