Reputation: 45
I'm trying to port my HttpClient 4.x code to 5.x:

    Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();

But in 5.x there is no AuthSchemeProvider anymore, and the SPNegoSchemeFactory has a different constructor :-/
Upvotes: 1
Views: 2854
Reputation: 11
Finally, I got Kerberos working with httpclient5. I did the configuration as follows:

    // Classes used below come from org.ietf.jgss and the org.apache.hc.client5 / org.apache.hc.core5 packages.
    String sHost = "xy.contoso.test";

    // Kerberos and JAAS settings for the JVM
    System.setProperty("java.security.krb5.conf", "<path>\\krb5.ini");
    System.setProperty("java.security.krb5.realm", "CONTOSO.TEST");
    System.setProperty("java.security.krb5.kdc", "contoso.test");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "<path>\\jaas.conf");

    // GSS credential for the client principal, bound to the target host
    GSSManager manager = GSSManager.getInstance();
    GSSName name = manager.createName("[email protected]", GSSName.NT_USER_NAME);
    HttpHost target = new HttpHost("https", sHost, 443);
    GSSCredential gssCred = manager.createCredential(name, GSSCredential.DEFAULT_LIFETIME, (Oid) null, GSSCredential.INITIATE_AND_ACCEPT);
    KerberosCredentials kerbCred = new KerberosCredentials(gssCred);
    AuthScope any = new AuthScope(target);
    BasicCredentialsProvider credProv = new BasicCredentialsProvider();
    credProv.setCredentials(any, kerbCred);

    // TLS setup: TrustAllStrategy accepts any server certificate and
    // NoopHostnameVerifier skips the hostname check
    PoolingHttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
            .setSSLSocketFactory(SSLConnectionSocketFactoryBuilder.create()
                    .setSslContext(SSLContextBuilder.create()
                            .loadTrustMaterial(TrustAllStrategy.INSTANCE)
                            .build())
                    .setHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .build())
            .build();

    // Authentication schemes the client is able to answer
    final Registry<AuthSchemeFactory> schemeFactoryRegistry = RegistryBuilder.<AuthSchemeFactory>create()
            .register(StandardAuthScheme.NTLM, NTLMSchemeFactory.INSTANCE)
            .register(StandardAuthScheme.SPNEGO, new SPNegoSchemeFactory(
                    KerberosConfig.custom()
                            .setStripPort(KerberosConfig.Option.ENABLE)
                            .setUseCanonicalHostname(KerberosConfig.Option.DISABLE)
                            .build(),
                    SystemDefaultDnsResolver.INSTANCE))
            .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
            .build();

    CloseableHttpClient cl = HttpClientBuilder.create()
            .setDefaultCredentialsProvider(credProv)
            .setConnectionManager(connectionManager)
            .setDefaultAuthSchemeRegistry(schemeFactoryRegistry)
            .build();

If someone can find an easier snippet, please share :) This should be a working example as long as the config files and parameters are set correctly. If the certificate is trusted, the hostname verifier and trust-strategy can be activated / adjusted. In my case, disabling useCanonicalHostname was important.
Upvotes: 1
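
The answer above notes that the trust strategy and hostname verifier can be switched back on once the server certificate is trusted. As an added example (not the answer author's code), here is the same client with certificate and hostname validation left on. The class name, the trust-store file and its password are assumptions, and `credProv` is the credentials provider built as in the answer.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.hc.client5.http.SystemDefaultDnsResolver;
import org.apache.hc.client5.http.auth.AuthSchemeFactory;
import org.apache.hc.client5.http.auth.CredentialsProvider;
import org.apache.hc.client5.http.auth.KerberosConfig;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.apache.hc.client5.http.impl.auth.SPNegoSchemeFactory;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.http.config.Registry;
import org.apache.hc.core5.http.config.RegistryBuilder;
import org.apache.hc.core5.ssl.SSLContextBuilder;

public final class VerifiedSpnegoClient {  // hypothetical class name
    // trustStore: assumed key store file that holds the internal CA certificate.
    // credProv: provider holding the KerberosCredentials, built as in the answer.
    public static CloseableHttpClient build(File trustStore, char[] storePass,
                                            CredentialsProvider credProv) throws Exception {
        // Trust only the CAs in the given store instead of TrustAllStrategy.
        SSLContext sslContext = SSLContextBuilder.create()
                .loadTrustMaterial(trustStore, storePass)
                .build();
        // No setHostnameVerifier call, so the builder's default verifier stays active.
        HttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setSSLSocketFactory(SSLConnectionSocketFactoryBuilder.create()
                        .setSslContext(sslContext)
                        .build())
                .build();
        // Register SPNEGO only, with the KerberosConfig values from the answer.
        Registry<AuthSchemeFactory> schemes = RegistryBuilder.<AuthSchemeFactory>create()
                .register(StandardAuthScheme.SPNEGO, new SPNegoSchemeFactory(
                        KerberosConfig.custom()
                                .setStripPort(KerberosConfig.Option.ENABLE)
                                .setUseCanonicalHostname(KerberosConfig.Option.DISABLE)
                                .build(),
                        SystemDefaultDnsResolver.INSTANCE))
                .build();
        return HttpClientBuilder.create()
                .setDefaultCredentialsProvider(credProv)
                .setConnectionManager(connectionManager)
                .setDefaultAuthSchemeRegistry(schemes)
                .build();
    }
}
```

With this setup a TLS handshake against a certificate that does not chain to the stored CA, or whose name does not match the requested host, fails before any Negotiate token is sent.
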
Reputation: 27583
What is wrong with something like that?

    final Registry<AuthSchemeFactory> schemeFactoryRegistry = RegistryBuilder.<AuthSchemeFactory>create()
            .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE)
            .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE)
            .register(StandardAuthScheme.NTLM, NTLMSchemeFactory.INSTANCE)
            .register(StandardAuthScheme.SPNEGO, new SPNegoSchemeFactory(
                    KerberosConfig.custom()
                            .setStripPort(KerberosConfig.Option.DEFAULT)
                            .setUseCanonicalHostname(KerberosConfig.Option.DEFAULT)
                            .build(),
                    SystemDefaultDnsResolver.INSTANCE))
            .register(StandardAuthScheme.KERBEROS, KerberosSchemeFactory.DEFAULT)
            .build();

Upvotes: 3