
SDK support for Proxy requiring Kerberos auth

Open PankajSAgarwal opened this issue 1 year ago • 4 comments

Describe the feature

AWS SDK for Java 2 does not provide the ability to authenticate to AWS STS via a proxy that requires Kerberos authentication.

Use Case

Need to connect from on-prem to the AWS STS API via a proxy which requires Kerberos authentication.

We have run into a limitation of the AWS SDK ApacheHttpClient, which doesn't allow for customization of the builder (https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153); that customization is required for us to configure setDefaultAuthSchemeRegistry and setDefaultCredentialsProvider.

Proposed Solution

As a workaround we implemented a forked implementation of the AWS ApacheHttpClient to override the AuthSchemeProvider, which will consider the canonicalHostName of the proxy by default for Kerberos authentication.

We added the code snippet below to the builder at the following line: https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153

```java
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.BasicSchemeFactory;
import org.apache.http.impl.auth.DigestSchemeFactory;
import org.apache.http.impl.auth.KerberosSchemeFactory;
import org.apache.http.impl.auth.NTLMSchemeFactory;
import org.apache.http.impl.auth.SPNegoSchemeFactory;

// `configuration.authSchemeProviderRegistry` is a field added in the fork so callers can
// supply their own registry; when absent, fall back to the default schemes plus SPNEGO/Kerberos.
Registry<AuthSchemeProvider> authSchemeProviderRegistry = configuration.authSchemeProviderRegistry;
if (authSchemeProviderRegistry == null) {
    authSchemeProviderRegistry = RegistryBuilder.<AuthSchemeProvider>create()
            .register(AuthSchemes.BASIC, new BasicSchemeFactory())
            .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
            .register(AuthSchemes.NTLM, new NTLMSchemeFactory())
            // (stripPort = true, useCanonicalHostname = false)
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
            .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(true, false))
            .build();
}
// `builder` is the Apache HttpClientBuilder that the SDK's ApacheHttpClient constructs internally.
builder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
```

We also had to set this system property in our application to make the Kerberos negotiator work with the AWS SDK for Java 2 client:

```java
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
```

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS Java SDK version used

aws sdk java v2

JDK version used

17 and 21

Operating System and version

Windows Server 2016 Standard/ Linux

PankajSAgarwal avatar Dec 11 '23 10:12 PankajSAgarwal
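As an added example (not the issue author's forked code and not SDK code), the following shows the plain Apache HttpClient 4.5 wiring that the workaround above relies on: a proxy route planner, an auth-scheme registry limited to SPNEGO so the client cannot be downgraded to Basic or NTLM against the proxy, and a credentials provider that defers to the JVM's Kerberos credentials. The proxy host and port are assumptions; the Kerberos environment (krb5 configuration and either a ticket cache or a JAAS login configuration) is also assumed to be in place.

```java
import java.io.IOException;
import java.util.Collections;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultProxyRoutePlanner;

/** Builds an Apache HttpClient that authenticates to a forward proxy with SPNEGO/Kerberos. */
public final class KerberosProxyHttpClientExample {

    // Assumed values for illustration; replace with the real on-prem proxy.
    static final String PROXY_HOST = "proxy.corp.example";
    static final int PROXY_PORT = 3128;

    public static CloseableHttpClient build() {
        // Let JGSS obtain Kerberos credentials outside the current Subject
        // (ticket cache / JAAS login), as the issue describes.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        HttpHost proxy = new HttpHost(PROXY_HOST, PROXY_PORT, "http");

        // Register only SPNEGO: the proxy cannot negotiate the client down to
        // Basic or NTLM, which would expose reusable credentials.
        // stripPort = true, useCanonicalHostname = true so the service ticket is
        // requested for HTTP/<canonical proxy host>.
        Registry<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
                .build();

        // KerberosCredentials(null) tells the SPNEGO scheme to use the default
        // GSS credential instead of an explicit username/password.
        CredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(
                new AuthScope(PROXY_HOST, PROXY_PORT, AuthScope.ANY_REALM, AuthSchemes.SPNEGO),
                new KerberosCredentials(null));

        RequestConfig requestConfig = RequestConfig.custom()
                .setProxyPreferredAuthSchemes(Collections.singletonList(AuthSchemes.SPNEGO))
                .build();

        return HttpClients.custom()
                .setRoutePlanner(new DefaultProxyRoutePlanner(proxy))
                .setDefaultAuthSchemeRegistry(schemes)
                .setDefaultCredentialsProvider(credentials)
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    /** Issues one request through the proxy and returns the HTTP status code. */
    public static int fetchStatus(String url) throws IOException {
        try (CloseableHttpClient client = build();
             CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            return response.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // STS regional endpoint used only as an illustrative target.
        System.out.println(fetchStatus("https://sts.us-east-1.amazonaws.com/"));
    }
}
```

A 407 response that persists after this configuration usually means the client did not obtain a service ticket for the proxy principal (wrong canonical host name, no ticket cache, or no JAAS entry), which the Java GSS debug flag `-Dsun.security.krb5.debug=true` will show; the SDK's own ApacheHttpClient cannot accept this registry, which is the gap the issue asks to close.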

@PankajSAgarwal I believe you submitted a Premium Support case with the same ask. As we said in the case, we've added this to our backlog.

For a similar feature request, we exposed the Apache HttpRoutePlanner attribute in the SDK ApacheHttpClient builder (javadocs). It's not exactly the feature you are asking for, but maybe you can use HttpRoutePlanner to redirect the flow to the authentication server?

debora-ito avatar Dec 19 '23 02:12 debora-ito

@debora-ito, yes that is correct, I was advised by support personnel on the case to raise a feature request for the same on GitHub.

PankajSAgarwal avatar Dec 19 '23 15:12 PankajSAgarwal

> I was advised by support personnel on the case to raise a feature request for the same on GitHub.

Understood.

What about Apache HttpRoutePlanner, would it work for you?

debora-ito avatar Dec 19 '23 19:12 debora-ito

> I was advised by support personnel on the case to raise a feature request for the same on GitHub.
>
> Understood.
>
> What about Apache HttpRoutePlanner, would it work for you?

HttpRoutePlanner will not work either. HttpRoutePlanner can direct me to the proxy and I can use basic authentication, but my requirement is to be able to add a Kerberos auth scheme for authentication to the proxy, which HttpRoutePlanner doesn't seem to support.

PankajSAgarwal avatar Dec 20 '23 15:12 PankajSAgarwal