According to https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html , an HTTP client should try another HTTP authentication scheme if the Negotiate process fails for some reason and the user did not specify SPNEGO or Kerberos in the "http.auth.preference" system property:
...
Fallback
If the server has provided more than one authentication scheme (including Negotiate), according to the processing order mentioned in the last section, Java will try to challenge the Negotiate scheme. However, if the protocol cannot be established successfully (e.g. the Kerberos configuration is not correct, or the server's hostname is not recorded in the KDC principal DB, or the username and password provided by Authenticator is wrong), then the 2nd strongest scheme will be automatically used. Attention: If http.auth.preference is set to SPNEGO or Kerberos, then we assume you only want to try the Negotiate scheme even if it fails. We won't fall back to any other scheme and your program will result in throwing an IOException saying it receives a 401 or 407 error from the HTTP response.
...
But no fallback happens in the following case:
- an HTTP server supports both the Negotiate (via Kerberos) and Basic authentication schemes
- first, a user provides correct Kerberos credentials, and a connection is successfully established with the Negotiate scheme
- then, a user provides wrong Kerberos credentials, but correct Basic credentials
In this case, the HTTP client does not try the correct Basic credentials at all. The webrev below contains a test to reproduce it.
This may be fixed with the following patch:
http://cr.openjdk.java.net/~asmotrak/http_auth_negotiate_fallback/webrev.00/
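To check in a given deployment whether the client really falls back from Negotiate to Basic, here is an added example (it is not part of the bug report or its webrev) that uses the JDK's built-in com.sun.net.httpserver as a stand-in server advertising both schemes and accepting only Basic; the user name, password, realm and loopback port are constructed values. It exercises the first-attempt fallback the Oracle documentation describes and assumes no Kerberos configuration is present, so it does not reproduce the repeated-connection case the report is about.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class NegotiateFallbackCheck {
    // Records every scheme the client asks credentials for and answers only Basic,
    // so the recorded list shows whether the client moved past Negotiate.
    static class RecordingAuthenticator extends Authenticator {
        final List<String> schemes = new ArrayList<>();
        @Override protected PasswordAuthentication getPasswordAuthentication() {
            schemes.add(getRequestingScheme());
            if ("basic".equalsIgnoreCase(getRequestingScheme())) {
                return new PasswordAuthentication("user", "pass".toCharArray()); // constructed
            }
            return null; // no Kerberos credentials on purpose: Negotiate must fail
        }
    }

    public static void main(String[] args) throws IOException {
        // Stand-in server: challenges with Negotiate and Basic, accepts only Basic.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        String expected = "Basic " + Base64.getEncoder()
                .encodeToString("user:pass".getBytes(StandardCharsets.UTF_8));
        server.createContext("/", ex -> {
            if (expected.equals(ex.getRequestHeaders().getFirst("Authorization"))) {
                ex.sendResponseHeaders(200, -1);
            } else {
                ex.getResponseHeaders().add("WWW-Authenticate", "Negotiate");
                ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
                ex.sendResponseHeaders(401, -1);
            }
            ex.close();
        });
        server.start();
        try {
            RecordingAuthenticator auth = new RecordingAuthenticator();
            Authenticator.setDefault(auth);
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            // A 200 here means the client fell back to Basic after Negotiate failed;
            // a 401 means no fallback happened (e.g. http.auth.preference=SPNEGO).
            System.out.println("status=" + c.getResponseCode() + " schemes=" + auth.schemes);
        } finally {
            server.stop(0);
        }
    }
}
```

Run it once with the default settings and once with -Dhttp.auth.preference=SPNEGO to see the two behaviours the documentation describes side by side.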