Open cal-jlab opened 2 months ago
kofemann
commented
1 month ago @cal-jlab somehow I miss my earlier comment here...anyway
accorgin GSI standard, the delegation should be requested by client. In case of xroot, this is triggerd by client sending kXGC_certreq. Do you observe different behavior?
cal-jlab
commented
1 month ago This is the code I'm talking about. The server always sends the signing request to the client if the client supports it, even if the server has no need for it. This happens in response to kXGC_cert, not kXGC_certreq.
Hi there! I encountered an issue that was preventing me from using xrootd4j as a load-balancer for delegated third-party copies when using GSI authentication. Specifically, the class GSIPost49ServerRequestHandler always requests a proxy certificate from the client if the client is capable of creating one, even if the server has no need for it. Rather than implement the whole X509ProxyDelegationClient interface (and the requisite underpinnings) for no real purpose, I simply disabled the request in a forked copy of xrootd4j. I would offer to contribute some changes to this logic, but it's not clear what would be the correct way to modify the code to make the proxy request optional, as opposed to simply disabling that bit of code.