aws / aws-sdk-java-v2

The official AWS SDK for Java - Version 2
Apache License 2.0

SDK support for Proxy requiring Kerberos auth #4767

Open PankajSAgarwal opened 9 months ago

PankajSAgarwal commented 9 months ago

Describe the feature

AWS SDK for Java v2 does not provide the ability to authenticate to AWS STS via a proxy that requires Kerberos authentication.

Use Case

Need to connect from on-prem to the AWS STS API via a proxy which requires Kerberos authentication.

We have run into a limitation of the AWS SDK ApacheHttpClient, which doesn't allow for customization of the builder: https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153. That customization is required for us to configure setDefaultAuthSchemeRegistry and setDefaultCredentialsProvider.

Proposed Solution

As a workaround we implemented a forked implementation of the AWS ApacheHttpClient to override the AuthSchemeProvider, which will consider the canonicalHostName of the proxy by default for Kerberos authentication.

We added the code snippet below to the builder at the following line: https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153

```java
// Inside the forked ApacheHttpClient builder ("builder" is the Apache HttpClientBuilder,
// "configuration" is the fork's builder configuration holding the optional registry):
Registry<AuthSchemeProvider> authSchemeProviderRegistry = configuration.authSchemeProviderRegistry;
if (authSchemeProviderRegistry == null) {
    // No registry supplied by the caller: fall back to the Apache defaults plus SPNEGO/Kerberos.
    authSchemeProviderRegistry = RegistryBuilder.<AuthSchemeProvider>create()
            .register(AuthSchemes.BASIC, new BasicSchemeFactory())
            .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
            .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
            // constructor arguments are (stripPort, useCanonicalHostname)
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
            .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(true, false))
            .build();
}
builder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
```

We also had to set this system property in our application to make the Kerberos negotiator work with the AWS SDK for Java 2 client:

```java
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
```
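To make the wiring concrete, here is an added example (not code from this issue or from the SDK) that performs the same configuration on a plain Apache HttpClient 4.5 client: the SPNEGO/Kerberos scheme registry, a placeholder credentials provider scoped to the proxy, and the useSubjectCredsOnly property. These are exactly the setDefaultAuthSchemeRegistry and setDefaultCredentialsProvider calls the SDK builder does not expose, so with the unmodified SDK this can only be applied through a fork like the one described above. The class name, the proxy host/port parameters and the assumption that a Kerberos TGT is available via the JVM's JAAS/krb5 configuration are mine.

```java
import java.security.Principal;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.KerberosSchemeFactory;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class KerberosProxyClient {  // hypothetical class name
    // Builds an Apache HttpClient 4.5 that negotiates SPNEGO/Kerberos with the proxy.
    public static CloseableHttpClient build(String proxyHost, int proxyPort) {
        // Let the GSS-API layer take the TGT from the JAAS login or ticket cache
        // rather than requiring a Subject bound to the calling thread (assumed to be configured).
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Same factories the forked SDK client registers; args are (stripPort, useCanonicalHostname).
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(true, false))
                .build();
        // SPNEGO draws on the Kerberos ticket, not a password, so HttpClient only needs
        // a placeholder Credentials scoped to the proxy to trigger the negotiation.
        Credentials ticketBacked = new Credentials() {
            @Override public Principal getUserPrincipal() { return null; }
            @Override public String getPassword() { return null; }
        };
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(
                new AuthScope(proxyHost, proxyPort, AuthScope.ANY_REALM, AuthSchemes.SPNEGO), ticketBacked);
        // Route every request through the proxy and prefer SPNEGO for the 407 challenge.
        RequestConfig requestConfig = RequestConfig.custom()
                .setProxy(new HttpHost(proxyHost, proxyPort))
                .setProxyPreferredAuthSchemes(java.util.Collections.singletonList(AuthSchemes.SPNEGO))
                .build();
        return HttpClients.custom()
                .setDefaultAuthSchemeRegistry(schemes)
                .setDefaultCredentialsProvider(creds)
                .setDefaultRequestConfig(requestConfig)
                .build();
    }
}
```

If the proxy challenge still fails, enabling sun.security.krb5.debug shows whether the ticket was found and which service principal (proxy hostname, with or without canonicalization) the client requested.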

Other Information

No response

Acknowledgements

AWS Java SDK version used

aws sdk java v2

JDK version used

17 and 21

Operating System and version

Windows Server 2016 Standard/ Linux

debora-ito commented 9 months ago

@PankajSAgarwal I believe you submitted a Premium Support case with the same ask. As we said in the case, we've added this to our backlog.

For a similar feature request, we exposed the Apache HttpRoutePlanner attribute in the SDK ApacheHttpClient builder (javadocs). It's not exactly the feature you are asking for, but maybe you can use HttpRoutePlanner to redirect the flow to the authentication server?

PankajSAgarwal commented 9 months ago

@debora-ito, yes, that is correct. I was advised by support personnel on the case to raise a feature request for the same on GitHub.

debora-ito commented 9 months ago

> I was advised by support personnel on the case to raise a feature request for the same on GitHub.

Understood.

What about Apache HttpRoutePlanner, would it work for you?

PankajSAgarwal commented 9 months ago

> > I was advised by support personnel on the case to raise a feature request for the same on GitHub.
>
> Understood.
>
> What about Apache HttpRoutePlanner, would it work for you?

HttpRoutePlanner will not work either. HttpRoutePlanner can direct me to the proxy and I can use basic authentication, but my requirement is to be able to add a Kerberos auth scheme for authentication to the proxy, which HttpRoutePlanner doesn't seem to support.