| Summary: | kio_http unable to use NTLM authentication scheme | | |
|---|---|---|---|
| Product: | [Unmaintained] kio | Reporter: | Andrea Iacovitti <aiacovitti> |
| Component: | http | Assignee: | kdelibs bugs <kdelibs-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | adawit, bugs.kde.org |
| Priority: | HI | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Compiled Sources | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | 4.7.3 |
| Sentry Crash Report: | | | |
| Attachments: | Debug log with both debug areas 7103 and 7113 enabled | | |
Description
Andrea Iacovitti
2011-10-24 15:00:14 UTC
Setting Priority to high. I think it would be good to specify in the popup window that asks for username/password the authentication scheme we are going to use. I was convinced I was using NTLM before sniffing the network traffic...

Follow the following steps to enable persistent proxy connection:

1.) In Konqueror, select Settings->Configure Konqueror
2.) In the configuration dialog, select Proxy.
3.) Under options, make sure "Use persistent connections to proxy" is checked.

That should solve your problem. For KDE 4.7.3, that option will no longer have any effect on kio_http since it will completely ignore it and always use persistent connection unless the server tells it otherwise. For KDE 4.8 the GUI has been updated and the option mentioned above is no longer there.

That should solve your problem.

> Follow the following steps to enable persistent proxy connection:
>
> 1.) In Konqueror, select Settings->Configure Konqueror
> 2.) In the configuration dialog, select Proxy.
> 3.) Under options, make sure "Use persistent connections to proxy" is checked.
>

Done what you mentioned above in KDE 4.6.5 and I have got exactly the same problem described in comment #0: kio_http sends "proxy-connection: close" after the first 407 response from the proxy and the authentication downgrades to Basic.

> That should solve your problem. For KDE 4.7.3, that option will no longer have
> any effect on kio_http since it will completely ignore it and always use
> persistent connection unless the server tells it otherwise. For KDE 4.8 the GUI
> has been updated and the option mentioned above is no longer there.

Maybe you missed what I wrote in the first line of this report "Tested against latest 4.7 branch" ;-)

Anyway I checked out today kde/4.7 from git and recompiled it: I can (re)confirm the issue. So, reopening the bug...

(In reply to comment #3)
> > That should solve your problem. For KDE 4.7.3, that option will no longer have
> > any effect on kio_http since it will completely ignore it and always use
> > persistent connection unless the server tells it otherwise. For KDE 4.8 the GUI
> > has been updated and the option mentioned above is no longer there.
>
> Maybe you missed what I wrote in the first line of this report "Tested against
> latest 4.7 branch" ;-)

Ah... I indeed missed that. I only saw the version 4.7.2 and did not notice you tested against the branch which is effectively 4.7.3.

> Anyway I checked out today kde/4.7 from git and recompiled it: I can
> (re)confirm the issue. So, reopening the bug...

Right. The keepAlive flag needs to be reset when retrying a 401 or 407 request. That is indeed a logical error on our part. Will fix it soon.

Git commit c2eb8c4225e2d7b6394e7f1c4a805f1f27763430 by Dawit Alemayehu.
Committed on 25/10/2011 at 20:14.
Pushed by adawit into branch 'KDE/4.7'.

If m_request.isKeepAlive flag is false and the request has to be retried, e.g. in case of HTTP authentication, then make sure the isKeepAlive flag is reset to true since we have already carried out what the server requested and closed the previous connection. Otherwise, proxied connections that rely on authentication scheme that requires persistent connection such as NTLM will fail.

BUG: 284870
FIXED-IN: 4.7.3

M +2 -0 kioslave/http/http.cpp

http://commits.kde.org/kdelibs/c2eb8c4225e2d7b6394e7f1c4a805f1f27763430

Bad regression by the previous commit, it causes infinite loop.
Tested against up to date KDE/4.7 branch.
Reverting only the mentioned commit makes the loop go away but the authentication scheme is downgraded to Basic as before.
GET http://www.debian.org/ HTTP/1.1
Host: www.debian.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.7.2 (like Gecko) Konqueror/4.7
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.7.STABLE3
Date: Wed, 26 Oct 2011 12:39:30 GMT
Content-Type: text/html
Content-Length: 1311
Expires: Wed, 26 Oct 2011 12:39:30 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="XXXXXXX ......"
X-Cache: MISS from proxy.name
X-Cache-Lookup: NONE from proxy.name:8080
Via: 1.0 proxy.name:8080 (squid/2.7.STABLE3)
Connection: close

GET http://www.debian.org/ HTTP/1.1
Host: www.debian.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.7.2 (like Gecko) Konqueror/4.7
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9
Proxy-Authorization: NTLM TlRMTVNTUAABAAA...

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.7.STABLE3
Date: Wed, 26 Oct 2011 12:39:30 GMT
Content-Type: text/html
Content-Length: 1311
Expires: Wed, 26 Oct 2011 12:39:30 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADAAA.....
X-Cache: MISS from proxy.name
X-Cache-Lookup: NONE from proxy.name:8080
Via: 1.0 proxy.name:8080 (squid/2.7.STABLE3)
Connection: keep-alive
Proxy-Connection: keep-alive

GET http://www.debian.org/ HTTP/1.1
Host: www.debian.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.7.2 (like Gecko) Konqueror/4.7
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9
Proxy-Authorization: NTLM TlRMTVNTUAABAA........

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.7.STABLE3
Date: Wed, 26 Oct 2011 12:39:30 GMT
Content-Type: text/html
Content-Length: 1311
Expires: Wed, 26 Oct 2011 12:39:30 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="XXXXXXX - Inserire credenziali per la navigazione"
X-Cache: MISS from proxy.name
X-Cache-Lookup: NONE from proxy.name:8080
Via: 1.0 proxy.name:8080 (squid/2.7.STABLE3)
Connection: close

GET http://www.debian.org/ HTTP/1.1
Host: www.debian.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.7.2 (like Gecko) Konqueror/4.7
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9
Proxy-Authorization: NTLM TlRMTVNTUAABAA.........

....and so on

Ok.

(In reply to comment #6)
> Bad regression by the previous commit, it causes infinite loop.
> Tested against up to date KDE/4.7 branch.
> Reverting only the mentioned commit makes the loop go away but the
> authentication scheme is downgraded to Basic as before.

Hmm... That is the correct fix. IOW, it corrects the previous bug, but exposes another one. I already see the problem from the output you provided. NTLM is a two stage authentication scheme and as such there will be two 407 responses from the server, but the second response from the client (kio_http) should be completely different from the first one but does not seem to be from what you posted above.

To get to the bottom of this new issue, can you please follow the instructions in the link below and generate the kio_http debug messages and post it here or send it directly to my email address in this bug report?

http://techbase.kde.org/Development/Tutorials/Debugging/Debugging_IOSlaves#How_to_get_debug_output

Please save the output from both debug areas (7103 and 7113) to the same output file.

Created attachment 64898 [details]
Debug log with both debug areas 7103 and 7113 enabled
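
Added example, not part of the original bug report and not kio_http code: a small Python check for the two failure modes discussed in this thread, a client that re-sends an NTLM Type 1 message after the proxy's Type 2 challenge, and a client that falls back to Basic although NTLM was offered. The `tok` helper, the tuple layout and the sample exchange are constructed for illustration; the message type is read from the little-endian field that follows the 8-byte `NTLMSSP\0` signature.

```python
import base64
import struct

def ntlm_type(value):
    """Return 1-3 for 'NTLM <b64>', 0 for bare 'NTLM', None if not valid NTLM."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not token.strip():
        return 0
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian MessageType

def audit(exchange):
    """exchange: ordered ("req", Proxy-Authorization, Proxy-Connection) and
    ("resp", [Proxy-Authenticate values], Connection) tuples."""
    findings = []
    offered = challenged = False  # what the most recent response carried
    for i, (kind, auth, conn) in enumerate(exchange):
        if kind == "resp":
            types = [ntlm_type(v) for v in auth]
            offered = any(t is not None for t in types)
            challenged = 2 in types
            if challenged and conn.lower() == "close":
                findings.append((i, "challenge-on-closing-connection"))
            continue
        t = ntlm_type(auth)
        if offered and auth.lower().startswith("basic "):
            findings.append((i, "downgrade-to-basic"))
        elif challenged and t != 3:
            findings.append((i, "challenge-not-answered"))
        elif t == 1 and conn.lower() == "close":
            findings.append((i, "negotiate-on-closing-connection"))
        offered = challenged = False
    return findings

def tok(n):  # constructed token: signature + MessageType only, not a real message
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", n)).decode()

ADVERT = ["NTLM", 'Basic realm="example"']  # constructed 407 header values
LOOP = [("req", "", "keep-alive"), ("resp", ADVERT, "close"),
        ("req", tok(1), "keep-alive"), ("resp", [tok(2)], "keep-alive"),
        ("req", tok(1), "keep-alive"), ("resp", ADVERT, "close")]
print(audit(LOOP))
```

`LOOP` has the same shape as the trace posted above: the request at index 4 answers the challenge with another Type 1 message, so the proxy restarts the handshake.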
Git commit c95849d0a4d20357377aec8f40be71f24256afc0 by Dawit Alemayehu.
Committed on 27/10/2011 at 00:20.
Pushed by adawit into branch 'KDE/4.7'.

Fix NTLM authentication yet again, but this time added a unit test to make sure the regression does not occur again.

BUG: 284870
FIXED-IN: 4.7.3

M +6 -7 kioslave/http/httpauthentication.cpp
M +28 -13 kioslave/http/tests/httpauthenticationtest.cpp

http://commits.kde.org/kdelibs/c95849d0a4d20357377aec8f40be71f24256afc0

(In reply to comment #8)
> Created an attachment (id=64898) [details]
> Debug log with both debug areas 7103 and 7113 enabled

Let me know if the comment shown in comment #9 does not fix your problem.

The patch works fine, thanks!

Just a question: is there any reason to not always send "Connection/Proxy-Connection: keep-alive" in our requests given that we are an HTTP/1.1 client?
As I understand from the RFC this is just a way to inform the remote side, that could only speak HTTP/1.0, that we support keep-alive connections.
I have quickly tested other browsers too and it seems they behave this way. But maybe I missed something....

(In reply to comment #11)
> The patch works fine, thanks!
>
> Just a question: is there any reason to not always send
> "Connection/Proxy-Connection: keep-alive" in our requests given that we are an
> HTTP/1.1 client?

Starting with KDE 4.7.3 that is exactly what kio_http does. The option in the proxy configuration dialog will be ignored from that version onwards. For KDE 4.8, the proxy configuration dialog has been completely redesigned and the persistent proxy option thingy has been removed. See https://git.reviewboard.kde.org/r/102802/.

*** Bug 202379 has been marked as a duplicate of this bug. ***