commons http client - kerberos token in negotiate has \r\n (carriage return line feed) characters
I am trying to use the Jakarta Commons HTTP client, doing Kerberos authentication to communicate with a server. Authentication always fails. On digging deeper I found out that the Kerberos token header has carriage return line feed characters in it, which is the root cause of the issue. Why does it have \r\n characters, and why is that an issue?
\r\n characters in the Kerberos token are an issue because \r is an HTTP control character. That essentially means that the server only sees the first line of the token and ignores the rest, hence failing authentication. To make it worse, the next lines of the token are treated as new headers and will not be formatted well. So the HTTP server will freak out.
The reason this happens is that the RFC 1521 specification says that base64 encoding line length is limited to 76 characters. Hence the \r\n characters. And this does not work well with the HTTP protocol. This surfaces only if you use Kerberos tokens that are base64 encoded.
So the solution to this is to strip out the \r\n characters from the Kerberos base64-encoded token header. Also, older versions of Apache Commons Codec will not limit base64 encoding to 76 lines and hence are not an issue. So if you have a hook into the encoding, strip out the problematic characters. If you don't, then use an older version of Apache Commons Codec with commons-httpclient.
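As an added illustration (not code from the question or the answer, and not using commons-httpclient or commons-codec), the following Java program uses the JDK's `java.util.Base64` MIME encoder, which inserts the same 76-column CRLF breaks, on a constructed stand-in token. It shows how the chunked value splits into separate header lines on the server side, and that stripping the breaks yields the same single-line value a plain encoder produces; the class and helper names are my own.

```java
import java.util.Base64;

/**
 * Demonstrates why an RFC 1521-style chunked Base64 encoding of a Kerberos
 * token breaks the Negotiate header, and how to produce a safe single-line value.
 * The token bytes below are constructed as a stand-in for a real GSS token.
 */
public class NegotiateHeaderDemo {

    /** A header value may not contain CR or LF; otherwise the server splits it. */
    static boolean isSafeHeaderValue(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    /** Removes the CRLF line breaks that a 76-column chunked encoder inserts. */
    static String stripLineBreaks(String chunked) {
        return chunked.replaceAll("[\\r\\n]", "");
    }

    /** Simulates how an HTTP server splits the raw request bytes into header lines. */
    static String[] asHeaderLines(String name, String value) {
        return (name + ": " + value).split("\r\n");
    }

    public static void main(String[] args) {
        // Constructed stand-in token: 120 bytes, so the Base64 text exceeds one 76-char line.
        byte[] token = new byte[120];
        for (int i = 0; i < token.length; i++) {
            token[i] = (byte) i;
        }

        // Chunked (MIME-style) encoding: 76-character lines separated by "\r\n".
        String chunked = Base64.getMimeEncoder().encodeToString(token);
        System.out.println("chunked value contains CRLF: " + chunked.contains("\r\n"));

        // The server sees only the first line as the Authorization header; the
        // remaining lines are parsed as separate, malformed headers.
        String[] lines = asHeaderLines("Authorization", "Negotiate " + chunked);
        System.out.println("server would see " + lines.length + " header line(s)");
        System.out.println("first line: " + lines[0]);

        // Fix: use a non-chunked encoder, or strip the breaks if you cannot change the encoder.
        String singleLine = Base64.getEncoder().encodeToString(token);
        String repaired = stripLineBreaks(chunked);
        System.out.println("stripped value equals single-line encoding: " + singleLine.equals(repaired));
        System.out.println("safe to send: " + isSafeHeaderValue("Negotiate " + singleLine));
    }
}
```

Run the check in `isSafeHeaderValue` before adding any Base64-derived value to a request header, regardless of which encoder library is in use.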