aboutsummaryrefslogtreecommitdiffstats
path: root/org.eclipse.jgit
diff options
context:
space:
mode:
authorThomas Wolf <thomas.wolf@paranor.ch>2017-11-15 23:23:27 +0100
committerMatthias Sohn <matthias.sohn@sap.com>2017-12-06 17:12:48 -0500
commit7f2ef4b6bac25c0690e0c67617000863ca7364b8 (patch)
treeb42ba3d02147f140c9fe7d3d97e0af4d81123eb4 /org.eclipse.jgit
parentdf3a7c32a41699b42b052ef9f62b1725928387b1 (diff)
downloadjgit-7f2ef4b6bac25c0690e0c67617000863ca7364b8.tar.gz
jgit-7f2ef4b6bac25c0690e0c67617000863ca7364b8.zip
TransportHttp: retry on IOException with another mechanism
When a 401 occurs on POST and the server advertises Negotiate, we may get an exception from GSSAPI if the client isn't configured at all for Kerberos. Add exception logic similar to the GET case: keep trying other authentication mechanisms if this occurs. Bug: 501167 Change-Id: Ic3a3368378d4b3408a35aec93e78ef425d54b3e4 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit')
-rw-r--r--org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java29
1 files changed, 22 insertions, 7 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
index 7c3f738d9c..35bbd10d79 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
@@ -1257,13 +1257,7 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
}
authAttempts = 1;
// We only do the Kerberos part of SPNEGO, which
- // requires only one attempt. We do *not* to the
- // NTLM part of SPNEGO; it's a multi-round
- // negotiation and among other problems it would
- // be unclear when to stop if no HTTP_OK is
- // forthcoming. In theory a malicious server
- // could keep sending requests for another NTLM
- // round, keeping a client stuck here.
+ // requires only one round.
break;
default:
// DIGEST or BASIC. Let's be sure we ignore
@@ -1305,6 +1299,27 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
} catch (SSLHandshakeException e) {
handleSslFailure(e);
continue; // Re-try
+ } catch (IOException e) {
+ if (authenticator == null || authMethod
+ .getType() != HttpAuthMethod.Type.NONE) {
+ // Can happen for instance if the server advertises
+ // Negotiate, but the client isn't configured for
+ // Kerberos. The first time (authenticator == null) we
+ // must re-try even if the authMethod was NONE: this may
+ // occur if the server advertised NTLM on the GET
+ // and the HttpConnection managed to successfully
+ // authenticate under the hood with NTLM. We might not
+ // have picked this up on the GET's 200 response.
+ if (authMethod.getType() != HttpAuthMethod.Type.NONE) {
+ ignoreTypes.add(authMethod.getType());
+ }
+ // Start over with the remaining available methods.
+ authMethod = HttpAuthMethod.Type.NONE.method(null);
+ authenticator = authMethod;
+ authAttempts = 1;
+ continue;
+ }
+ throw e;
}
}
}