Skip to content

Commit

Permalink
remote-curl: fall back to Basic auth if Negotiate fails
Browse files Browse the repository at this point in the history
Apache servers using mod_auth_kerb can be configured to allow the user
to authenticate either using Negotiate (using the Kerberos ticket) or
Basic authentication (using the Kerberos password).  Often, one will
want to use Negotiate authentication if it is available, but fall back
to Basic authentication if the ticket is missing or expired.

However, libcurl will try very hard to use something other than Basic
auth, even over HTTPS.  If Basic and something else are offered, libcurl
will never attempt to use Basic, even if the other option fails.
Teach the HTTP client code to stop trying authentication mechanisms that
don't use a password (currently Negotiate) after the first failure,
since if they failed the first time, they will never succeed.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
  • Loading branch information
brian m. carlson authored and Junio C Hamano committed Jan 8, 2015
1 parent 7ba4626 commit 4dbe664
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions http.c
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ static const char *user_agent;

static struct credential cert_auth = CREDENTIAL_INIT;
static int ssl_cert_password_required;
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
static unsigned long http_auth_methods = CURLAUTH_ANY;
#endif

static struct curl_slist *pragma_header;
static struct curl_slist *no_pragma_header;
Expand Down Expand Up @@ -580,6 +583,9 @@ struct active_request_slot *get_active_slot(void)
curl_easy_setopt(slot->curl, CURLOPT_UPLOAD, 0);
curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1);
curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 1);
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
#endif
if (http_auth.password)
init_curl_http_auth(slot->curl);

Expand Down Expand Up @@ -870,6 +876,9 @@ int handle_curl_result(struct slot_results *results)
credential_reject(&http_auth);
return HTTP_NOAUTH;
} else {
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
#endif
return HTTP_REAUTH;
}
} else {
Expand Down Expand Up @@ -986,6 +995,7 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type,
strbuf_addstr(charset, "ISO-8859-1");
}


/* http_request() targets */
#define HTTP_REQUEST_STRBUF 0
#define HTTP_REQUEST_FILE 1
Expand Down

0 comments on commit 4dbe664

Please sign in to comment.