Reuse SPNEGO token until expiry and reset on expiration

Signed-off-by: raccoonback <[email protected]>

Author: raccoonback

reactor-netty-examples/src/main/java/reactor/netty/examples/documentation/http/client/spnego/Application.java

@@ -29,7 +29,7 @@ public static void main(String[] args) {
 
 		SpnegoAuthenticator authenticator = new JaasAuthenticator("KerberosLogin"); // <4>
 		HttpClient client = HttpClient.create()
-				.spnego(SpnegoAuthProvider.create(authenticator)); // <5>
+				.spnego(SpnegoAuthProvider.create(authenticator, 401)); // <5>
 
 		client.get()
 				.uri("http://protected.example.com/")

reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientConnect.java

@@ -446,6 +446,15 @@ public Context currentContext() {
 		@Override
 		public void onStateChange(Connection connection, State newState) {
 			if (newState == HttpClientState.RESPONSE_RECEIVED) {
+				HttpClientOperations operations = connection.as(HttpClientOperations.class);
+				if (operations != null && handler.spnegoAuthProvider != null) {
+					int statusCode = operations.status().code();
+					HttpHeaders headers = operations.responseHeaders();
+					if (handler.spnegoAuthProvider.isUnauthorized(statusCode, headers)) {
+						handler.spnegoAuthProvider.invalidateCache();
+					}
+				}
+
 				sink.success(connection);
 				return;
 			}

reactor-netty-http/src/main/java/reactor/netty/http/client/SpnegoAuthProvider.java

@@ -18,6 +18,7 @@
 import static reactor.core.scheduler.Schedulers.boundedElastic;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
+import io.netty.handler.codec.http.HttpHeaders;
 import java.net.InetSocketAddress;
 import java.security.PrivilegedAction;
 import java.util.Base64;
@@ -49,28 +50,36 @@
  */
 public final class SpnegoAuthProvider {
 
+	private static final String SPNEGO_HEADER = "Negotiate";
+	private static final String STR_OID = "1.3.6.1.5.5.2";
+
 	private final SpnegoAuthenticator authenticator;
 	private final GSSManager gssManager;
+	private final int unauthorizedStatusCode;
+
+	private volatile String verifiedAuthHeader;
 
 	/**
 	 * Constructs a new SpnegoAuthProvider with the given authenticator and GSSManager.
 	 *
 	 * @param authenticator the authenticator to use for JAAS login
 	 * @param gssManager the GSSManager to use for SPNEGO token generation
 	 */
-	private SpnegoAuthProvider(SpnegoAuthenticator authenticator, GSSManager gssManager) {
+	private SpnegoAuthProvider(SpnegoAuthenticator authenticator, GSSManager gssManager, int unauthorizedStatusCode) {
 		this.authenticator = authenticator;
 		this.gssManager = gssManager;
+		this.unauthorizedStatusCode = unauthorizedStatusCode;
 	}
 
 	/**
 	 * Creates a new SPNEGO authentication provider using the default GSSManager instance.
 	 *
 	 * @param authenticator the authenticator to use for JAAS login
+	 * @param unauthorizedStatusCode the HTTP status code that indicates authentication failure
 	 * @return a new SPNEGO authentication provider
 	 */
-	public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator) {
-		return create(authenticator, GSSManager.getInstance());
+	public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator, int unauthorizedStatusCode) {
+		return create(authenticator, GSSManager.getInstance(), unauthorizedStatusCode);
 	}
 
 	/**
@@ -81,10 +90,11 @@ public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator) {
 	 *
 	 * @param authenticator the authenticator to use for JAAS login
 	 * @param gssManager the GSSManager to use for SPNEGO token generation
+	 * @param unauthorizedStatusCode the HTTP status code that indicates authentication failure
 	 * @return a new SPNEGO authentication provider
 	 */
-	public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator, GSSManager gssManager) {
-		return new SpnegoAuthProvider(authenticator, gssManager);
+	public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator, GSSManager gssManager, int unauthorizedStatusCode) {
+		return new SpnegoAuthProvider(authenticator, gssManager, unauthorizedStatusCode);
 	}
 
 	/**
@@ -100,24 +110,31 @@ public static SpnegoAuthProvider create(SpnegoAuthenticator authenticator, GSSMa
 	 * @throws RuntimeException if login or token generation fails
 	 */
 	public Mono<Void> apply(HttpClientRequest request, InetSocketAddress address) {
+		if (verifiedAuthHeader != null) {
+			request.header(HttpHeaderNames.AUTHORIZATION, verifiedAuthHeader);
+			return Mono.empty();
+		}
+
 		return Mono.fromCallable(() -> {
 				try {
 					return Subject.doAs(
 						authenticator.login(),
 						(PrivilegedAction<byte[]>) () -> {
 							try {
 								byte[] token = generateSpnegoToken(address.getHostName());
-								String authHeader = "Negotiate " + Base64.getEncoder().encodeToString(token);
+								String authHeader = SPNEGO_HEADER + " " + Base64.getEncoder().encodeToString(token);
+
+								verifiedAuthHeader = authHeader;
 								request.header(HttpHeaderNames.AUTHORIZATION, authHeader);
 								return token;
 							}
-              catch (GSSException e) {
+							catch (GSSException e) {
 								throw new RuntimeException("Failed to generate SPNEGO token", e);
 							}
 						}
 					);
 				}
-        catch (LoginException e) {
+				catch (LoginException e) {
 					throw new RuntimeException("Failed to login with SPNEGO", e);
 				}
 			})
@@ -138,9 +155,41 @@ public Mono<Void> apply(HttpClientRequest request, InetSocketAddress address) {
 	 */
 	private byte[] generateSpnegoToken(String hostName) throws GSSException {
 		GSSName serverName = gssManager.createName("HTTP/" + hostName, GSSName.NT_HOSTBASED_SERVICE);
-		Oid spnegoOid = new Oid("1.3.6.1.5.5.2"); // SPNEGO OID
+		Oid spnegoOid = new Oid(STR_OID); // SPNEGO OID
 
 		GSSContext context = gssManager.createContext(serverName, spnegoOid, null, GSSContext.DEFAULT_LIFETIME);
 		return context.initSecContext(new byte[0], 0, 0);
 	}
+
+	/**
+	 * Invalidates the cached authentication token.
+	 * <p>
+	 * This method should be called when a response indicates that the current token
+	 * is no longer valid (typically after receiving an unauthorized status code).
+	 * The next request will generate a new authentication token.
+	 * </p>
+	 */
+	public void invalidateCache() {
+		this.verifiedAuthHeader = null;
+	}
+
+	/**
+	 * Checks if the response indicates an authentication failure that requires a new token.
+	 * <p>
+	 * This method checks both the status code and the WWW-Authenticate header to determine
+	 * if a new SPNEGO token needs to be generated.
+	 * </p>
+	 *
+	 * @param status the HTTP status code
+	 * @param headers the HTTP response headers
+	 * @return true if the response indicates an authentication failure
+	 */
+	public boolean isUnauthorized(int status, HttpHeaders headers) {
+		if (status != unauthorizedStatusCode) {
+			return false;
+		}
+
+		String header = headers.get(HttpHeaderNames.WWW_AUTHENTICATE);
+		return header != null && header.startsWith(SPNEGO_HEADER);
+	}
 }

reactor-netty-http/src/main/java/reactor/netty/http/client/SpnegoAuthenticator.java

@@ -21,7 +21,7 @@
 /**
  * An abstraction for authentication logic used by SPNEGO providers.
  * <p>
- * Implementations are responsible for performing a JAAS login and returning a logged-in Subject.
+ * Implementations are responsible for performing a login and returning a logged-in Subject.
  * </p>
  *
  * @author raccoonback
@@ -30,9 +30,9 @@
 public interface SpnegoAuthenticator {
 
 	/**
-	 * Performs a JAAS login and returns the authenticated Subject.
+	 * Performs a login and returns the authenticated Subject.
 	 *
-	 * @return the authenticated JAAS Subject
+	 * @return the authenticated Subject
 	 * @throws LoginException if login fails
 	 */
 	Subject login() throws LoginException;

reactor-netty-http/src/test/java/reactor/netty/http/client/SpnegoAuthProviderTest.java

@@ -91,7 +91,8 @@ void negotiateSpnegoAuthenticationWithHttpClient() throws GSSException {
 									principals.add(new KerberosPrincipal("test@LOCALHOST"));
 									return new Subject(true, principals, new HashSet<>(), new HashSet<>());
 								},
-								gssManager
+								gssManager,
+								401
 						)
 				)
 				.wiretap(true)