summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorGuido Guenther <agx@sigxcpu.org>2016-03-02 15:20:16 +0100
committerTomas Popela <tpopela@redhat.com>2016-03-14 15:04:35 +0100
commit6a8826f0d25459c943719b88f22619f22b81c547 (patch)
treefa00e8597a05356e07a8978fe01ec4fc921769d3 /NEWS
parent595a20a0e574923a26079ab40713d9a32d09f888 (diff)
downloadlibsoup-6a8826f0d25459c943719b88f22619f22b81c547.tar.gz
Bug 587145 - Add GSS-Negotiate support
If a "WWW-Authenticate: Negotiate" HTTP header is spotted libsoup will check if the host is on blacklist and the authentication fails if so. Otherwise the host is compared against a trusted URIs (if the trusted URIs list is not set all the HTTPS requests are trusted by default) and then processed. The trusted URIs list and blacklist are both created when a SoupNegotiateAuth is created. The trusted URIs list (blacklist) is parsed from the SOUP_GSSAPI_TRUSTED_URIS ( SOUP_GSSAPI_BLACKLIST_URIS) environment variable that expects the URIs be comma separated (e.g. "http://www.example.com,https://www.test.com:80"). Then the request is processed by the GSS library (the SPNEGO mechanism is used) which produces a token that is send back to the server in the next request. The reply is then again processed by the GSS library and the authentication succeeds by receiving the GSS_S_COMPLETE status or we continue negotiating when the GSS_S_CONTINUE_NEEDED is received. The SoupAuth object is marked as not authenticated if a user will try to call the soup_auth_authenticate() with the credentials provided as this is not supported. If the libsoup is configured with GSS-Negotiate support, a Kerberos library with GSSAPI support needs to be available on the system (MIT Kerberos was tested while working on this). Developers can check whether the libsoup was compiled with the GSS-Negotiate support enabled by checking the soup_auth_negotiate_supported() function. To easily test the GSS-Negotiate functionality a new argument "N" was added to the examples/get utility. A support for NTLMSSP is provided by this patch given that a Kerberos library supports NTLMSSP mechanism via GSSAPI. For MIT Kerberos one can use gss-ntlmssp module, https://fedorahosted.org/gss-ntlmssp/. Co-Authored-By: Tomas Popela <tpopela@redhat.com> Co-Authored-By: David Woodhouse <dwmw2@infradead.org> Co-Authored-By: Dan Winship <danw@gnome.org>
Diffstat (limited to 'NEWS')
0 files changed, 0 insertions, 0 deletions