WebClient through kerberos secured proxy is not working #5129

Open
bmohareb opened this issue Feb 20, 2024 · 3 comments

@bmohareb

Questions

I am trying to access a website using the vert.x WebClient but it seems that the WebClient is not able to make the connection.

Checked the "httpclient" inside org.apache.httpcomponents, and I can go through the proxy without issues, but I am using vert.x so need the WebClient to work.

Looked into the org.apache.httpcomponents code and found this is what it's doing:

  1. Create a socket connection to the secure proxy.
  2. Issue a connect request to the proxy server over the socket.
  3. The proxy server challenges the connect request and returns headers that include "Negotiate".
  4. Generate a Kerberos token from the KDC for the proxy server.
  5. Send over the socket the connect request again with the header:
    "Proxy-Authorization: Negotiate "
  6. The connection is then successful.
  7. The socket is then upgraded to TLS.

WebClient is not able to do that. I tried to do the bits of obtaining the token and passing it in the "Proxy-Authorization" header in a connect request, but it's not working; still getting "407 Proxy Authentication Required".

Version

Same issue on 4.4.3 and 4.5.3

Context

I encountered an exception which looks suspicious while ...

Do you have a reproducer?

No

Steps to reproduce

Just a simple WebClient.getAbs(...) request where ProxyOptions are specified.

@bmohareb bmohareb added the bug label Feb 20, 2024
@vietj
Member

vietj commented Feb 20, 2024

A reproducer would be helpful.

@bmohareb
Author

```java
import java.util.Base64;

import io.vertx.core.Vertx;
import io.vertx.core.net.ProxyOptions;
import io.vertx.ext.web.client.WebClient;
import io.vertx.ext.web.client.WebClientOptions;
import io.vertx.junit5.VertxTestContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.jupiter.api.Test;

// Both methods belong inside a JUnit 5 test class that is run with the Vert.x JUnit 5 extension.

// This will obtain the token from local cache and connect to KDC to obtain token for the proxy
public String getToken() throws GSSException {

    // OID of the SPNEGO mechanism
    Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    GSSManager manager = GSSManager.getInstance();
    // This is the secure proxy server that we want to authenticate to using kerberos
    String serverPrinciple = "HTTP@myproxy.com";
    GSSName serverName = manager.createName(serverPrinciple, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext clientContext = manager.createContext(
            serverName.canonicalize(spnegoOid), spnegoOid, null, GSSContext.DEFAULT_LIFETIME);
    clientContext.requestMutualAuth(true);
    byte[] clientToken = clientContext.initSecContext(new byte[0], 0, 0);
    return Base64.getEncoder().encodeToString(clientToken);
}


@Test
public void testSecureProxy3(Vertx vertx, VertxTestContext ctx) throws GSSException {

    System.setProperty("java.security.krb5.conf", "krb5.conf");
    System.setProperty("java.security.auth.login.config", "jaas.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("sun.security.krb5.debug", "true");
    System.setProperty("sun.security.jgss.debug", "true");

    WebClientOptions wco = new WebClientOptions()
            .setFollowRedirects(true)
            .setSsl(true);

    ProxyOptions po = new ProxyOptions()
            .setHost("myproxy.com")
            .setPort(1234);

    wco.setProxyOptions(po);

    WebClient wc = WebClient.create(vertx, wco);

    String token = getToken();

    wc
            .getAbs("https://website_to_reach_through_proxy.com")
            .putHeader("Proxy-Authorization", "Negotiate " + token)
            .send()
            .onFailure(error -> {    // This is always returning 407 error code
                System.out.println(error.getMessage());
                ctx.failNow(error);
            })
            .onSuccess(result -> {
                System.out.println(result);
                ctx.completeNow();
            });

}
```

@vietj
Member

vietj commented Feb 20, 2024

I'm afraid we don't support that in Vert.x, we support proxy authentication through Netty HttpProxyHandler that only supports basic authentication. There are chances that this can be achieved by contributing an enhancement in Netty proxy handler.
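
The seven steps listed in the opening post, written against a plain `java.net.Socket` and JGSS, as an added example that is not code from this issue, Vert.x, Netty or Apache HttpClient. Host names and ports are the reproducer's placeholders; it assumes the JVM has the same Kerberos system properties as the reproducer (`krb5.conf`, JAAS config, `useSubjectCredsOnly=false`) and that the proxy keeps the connection open after the 407 and sends its body with a `Content-Length`.

```java
import org.ietf.jgss.*;
import javax.net.ssl.*;
import java.io.*;
import java.net.Socket;

public class NegotiateProxyTunnel {
    static final String PROXY = "myproxy.com", TARGET = "website_to_reach_through_proxy.com";
    static final int PROXY_PORT = 1234, TARGET_PORT = 443; // assumed placeholder values

    static String spnegoToken() throws GSSException { // SPNEGO token for HTTP@<proxy>
        GSSManager m = GSSManager.getInstance();
        GSSName proxy = m.createName("HTTP@" + PROXY, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = m.createContext(proxy, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
        return java.util.Base64.getEncoder().encodeToString(ctx.initSecContext(new byte[0], 0, 0));
    }

    static String readLine(InputStream in) throws IOException { // byte-wise, no read-ahead
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != -1 && c != '\n'; ) if (c != '\r') sb.append((char) c);
        return sb.toString();
    }

    static int[] connect(Socket s, String token) throws IOException { // -> {status, negotiateOffered}
        String hp = TARGET + ":" + TARGET_PORT;
        String req = "CONNECT " + hp + " HTTP/1.1\r\nHost: " + hp + "\r\n"
                + (token == null ? "" : "Proxy-Authorization: Negotiate " + token + "\r\n") + "\r\n";
        s.getOutputStream().write(req.getBytes("US-ASCII"));
        InputStream in = s.getInputStream();
        String first = readLine(in); // e.g. "HTTP/1.1 407 Proxy Authentication Required"
        int status = first.length() < 12 ? -1 : Integer.parseInt(first.substring(9, 12)), negotiate = 0, body = 0;
        for (String h; !(h = readLine(in).toLowerCase(java.util.Locale.ROOT)).isEmpty(); ) {
            if (h.startsWith("proxy-authenticate:") && h.contains("negotiate")) negotiate = 1;
            if (h.startsWith("content-length:")) body = Integer.parseInt(h.substring(15).trim());
        }
        if (status != 200) in.readNBytes(body); // drain the error page before reusing the socket
        return new int[] {status, negotiate};
    }

    public static void main(String[] args) throws Exception {
        Socket s = new Socket(PROXY, PROXY_PORT);                           // step 1
        int[] r = connect(s, null);                                         // steps 2-3
        if (r[0] == 407 && r[1] == 1) r = connect(s, spnegoToken());        // steps 4-5
        if (r[0] != 200) throw new IOException("CONNECT refused: " + r[0]); // step 6 (-1: no reply)
        SSLSocket tls = (SSLSocket) ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(s, TARGET, TARGET_PORT, true);
        SSLParameters p = tls.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // SSLSocket skips hostname checks by default
        tls.setSSLParameters(p);
        tls.startHandshake();                                               // step 7
    }
}
```

If the proxy answers the 407 with `Connection: close` or a chunked body, open a new socket for the authenticated CONNECT instead of reusing the first one.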
