Commit 4dbe664

bk2204 authored and gitster committed
remote-curl: fall back to Basic auth if Negotiate fails

Apache servers using mod_auth_kerb can be configured to allow the user to authenticate either using Negotiate (using the Kerberos ticket) or Basic authentication (using the Kerberos password). Often, one will want to use Negotiate authentication if it is available, but fall back to Basic authentication if the ticket is missing or expired.

However, libcurl will try very hard to use something other than Basic auth, even over HTTPS. If Basic and something else are offered, libcurl will never attempt to use Basic, even if the other option fails. Teach the HTTP client code to stop trying authentication mechanisms that don't use a password (currently Negotiate) after the first failure, since if they failed the first time, they will never succeed.

Signed-off-by: brian m. carlson <[email protected]>
Signed-off-by: Jeff King <[email protected]>
Signed-off-by: Junio C Hamano <[email protected]>
1 parent 7ba4626 commit 4dbe664

1 file changed: +10 -0 lines changed

http.c

Lines changed: 10 additions & 0 deletions
@@ -62,6 +62,9 @@ static const char *user_agent;
6262

6363
static struct credential cert_auth = CREDENTIAL_INIT;
6464
static int ssl_cert_password_required;
65+
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
66+
static unsigned long http_auth_methods = CURLAUTH_ANY;
67+
#endif
6568

6669
static struct curl_slist *pragma_header;
6770
static struct curl_slist *no_pragma_header;
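Review bot: `http_auth_methods` is declared as file-scope state with no comment saying who narrows it or for how long. It is a single static shared by every request in the process, so a bit cleared from it is never restored, and one failed Negotiate attempt disables Negotiate for all later requests, including ones to a different URL. Please add a comment above the declaration stating that this is intentional, or reset the mask to `CURLAUTH_ANY` when a new remote or a new set of credentials is set up.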
@@ -580,6 +583,9 @@ struct active_request_slot *get_active_slot(void)
580583
curl_easy_setopt(slot->curl, CURLOPT_UPLOAD, 0);
581584
curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1);
582585
curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 1);
586+
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
587+
curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
588+
#endif
583589
if (http_auth.password)
584590
init_curl_http_auth(slot->curl);
585591

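Review bot: the `CURLOPT_HTTPAUTH` call in `get_active_slot()` sits above the `if (http_auth.password)` check with no comment tying it to the retry logic, so a reader cannot tell that this is where a narrowed `http_auth_methods` reaches a handle. A one-line comment would help, for example that the mask is reapplied on every slot so that a mechanism dropped after a failure is not offered again. It is also worth confirming that `init_curl_http_auth()`, which runs right after, does not set `CURLOPT_HTTPAUTH` itself, since that would overwrite the mask.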
@@ -870,6 +876,9 @@ int handle_curl_result(struct slot_results *results)
870876
credential_reject(&http_auth);
871877
return HTTP_NOAUTH;
872878
} else {
879+
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
880+
http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
881+
#endif
873882
return HTTP_REAUTH;
874883
}
875884
} else {
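Review bot: the `http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;` line in the `else` branch needs a comment, because nothing in the code says why Negotiate is dropped before returning `HTTP_REAUTH`. The commit message gives the reason (mechanisms that do not use a password will not succeed on a retry), and that belongs next to the line. The bit is also cleared on every pass through this branch whether or not Negotiate was the mechanism that failed, and the retry that follows can send the password with Basic, so the comment should say that this downgrade is deliberate.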
@@ -986,6 +995,7 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type,
986995
strbuf_addstr(charset, "ISO-8859-1");
987996
}
988997

998+
989999
/* http_request() targets */
9901000
#define HTTP_REQUEST_STRBUF 0
9911001
#define HTTP_REQUEST_FILE 1
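Review bot: the blank line added at new line 998, just before `/* http_request() targets */`, is an unrelated whitespace change that leaves two consecutive blank lines. Please drop it from this patch.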
