
ArcGISServerAuth Kerberos fails if head method is not supported

Open pfoppe opened this issue 6 years ago • 1 comments

While attempting authenticated access to an SOE endpoint set up with web-tier security (Negotiate), the ArcGISServerAuth handler failed to authenticate with Kerberos. The auth handler fell back to NTLM, but the username/password is not supplied, so the NTLM Auth handler throws an exception.

TODO:

  • Check for username/password. If not supplied, throw an exception (or warning) that can be handled. Do not let the NTLM Auth handler throw the exception when it tries to parse the domain\username
  • Handle this situation. Either do not execute a HEAD request (instead do get/post or the original request), or include the parameter f=json (what if it was not a json response format?)

Code Sample:

import requests
from requests_arcgis_auth import ArcGISServerAuth

url = r'https://www.example.com/arcgisauth/rest/services/<folder>/<svc>/MapServer/exts/<soe_extn_name>/<task_name>'
auth = ArcGISServerAuth()

params = {}
params['f'] = 'json'
params['myparam'] = 'myvalue'
response = requests.post(url,auth=auth,data=params)

Exception:

Traceback (most recent call last):
  File "C:\Python27\ArcGIS10.4\lib\bdb.py", line 400, in run
    exec cmd in globals, locals
  File "<string>", line 1, in <module>
    import sys
  File "c:...\requests\api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "c:...\requests\api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "c:...\requests\sessions.py", line 474, in request
    prep = self.prepare_request(req)
  File "c:...\requests\sessions.py", line 407, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "c:...\requests\models.py", line 306, in prepare
    self.prepare_auth(auth, url)
  File "c:...\requests\models.py", line 543, in prepare_auth
    r = auth(self)
  File "C:...\requests_arcgis_auth\arcgis_auth.py", line 80, in __call__
    self._init(r)
  File "C:...\requests_arcgis_auth\arcgis_auth.py", line 94, in _init
    self._determine_auth_handler(r)
  File "C:...\requests_arcgis_auth\arcgis_auth.py", line 126, in _determine_auth_handler
    test_req = requests.head(r.url,auth=HttpNtlmAuth(self.username,self.password),verify=self.verify)
  File "c:...\requests_ntlm\requests_ntlm.py", line 28, in __init__
    self.domain, self.username = username.split('\\', 1)
AttributeError: 'NoneType' object has no attribute 'split'


Here is further information on the problem (attempting HTTPKerberosAuth on the endpoint without the ArcGISServerAuth handler in the mix):

from requests_kerberos import HTTPKerberosAuth
response = requests.head(url,auth=HTTPKerberosAuth())
print ("Status Code: {}".format(response.status_code))
print (response.headers)

Status Code: 405
{'Content-Length': '336', 'WWW-Authenticate': 'Negotiate YIG...+O6', 'Content-Encoding': 'gzip', 'Set-Cookie': 'AGSWA_ROLES=he...64=; expires=Mon, 09-Jul-2018 22:46:05 GMT; path=/; secure; HttpOnly', 'X-AspNet-Version': '4.0.30319', 'Vary': 'Origin', 'X-Powered-By': 'ASP.NET', 'Server': 'Microsoft-IIS/7.5, Apache-Coyote/1.1', 'Cache-Control': 'private', 'Date': 'Mon, 09 Jul 2018 22:41:05 GMT', 'Content-Type': 'text/html;charset=utf-8', 'Persistent-Auth': 'false'}

This threw an HTTP Status Code 405 (Method Not Allowed), implying the endpoint does not allow the HEAD request method.

However... if you provide the 'f=json' parameter (either as a body or URL string) then it works.

from requests_kerberos import HTTPKerberosAuth
response = requests.head(url,verify=False,auth=HTTPKerberosAuth(),data={'f':'json'})
print ("Request Body: {}".format(response.request.body))
print ("Status Code: {}".format(response.status_code))
print (response.headers)

Request Body: f=json
Status Code: 200
{'Content-Length': '7295', 'WWW-Authenticate': 'Negotiate YIG...KXo', 'X-AspNet-Version': '4.0.30319', 'Set-Cookie': 'AGSWA_ROLES=heR...64=; expires=Mon, 09-Jul-2018 22:57:53 GMT; path=/; secure; HttpOnly', 'X-Powered-By': 'ASP.NET', 'Server': 'Microsoft-IIS/7.5', 'Cache-Control': 'private', 'Date': 'Mon, 09 Jul 2018 22:52:53 GMT', 'Content-Type': 'text/html; charset=utf-8', 'Persistent-Auth': 'false'}

pfoppe, Jul 09 '18 22:07

I can confirm the same situation occurs outside of an SOE endpoint.

Accessing the root of an ArcGIS Server site also poses the same problem.
EX: https://www.example.com/arcgis/rest/services fails but https://www.example.com/arcgis/rest/services?f=json (or f=json in the body) succeeds.

pfoppe, Jul 09 '18 22:07
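
One way to handle both TODO items from the report above, as an added example that is not code from requests-arcgis-auth or from the issue author. `select_auth`, `kerberos_probe`, `CredentialsRequired` and `constructed_server` are hypothetical names, and the code assumes a 401 means the Kerberos token was rejected while any status other than 401 or 405 means it was accepted.

```python
class CredentialsRequired(ValueError):
    """NTLM fallback was needed but no username/password was supplied."""


# Probes in order of preference. Only the status code is inspected, so asking
# for f=json is harmless even if the real request wants another format.
PROBES = (("HEAD", {}), ("HEAD", {"f": "json"}), ("GET", {"f": "json"}))


def select_auth(url, kerberos_probe, username=None, password=None):
    """Return ("kerberos", method, params) or ("ntlm", None, None).

    kerberos_probe(method, url, params) is a hypothetical callable that sends
    one Kerberos-authenticated request and returns its HTTP status code.
    """
    for method, params in PROBES:
        status = kerberos_probe(method, url, params)
        if status == 405:
            # Method Not Allowed describes the verb, not the credentials:
            # try the next probe instead of giving up on Kerberos.
            continue
        if status == 401:
            break  # the web tier rejected the Kerberos token
        # Assumption: any other status means the web tier accepted the token.
        return ("kerberos", method, params)

    # NTLM fallback: raise a catchable error before any NTLM handler gets a
    # chance to call username.split() on None.
    if not username or not password:
        raise CredentialsRequired(
            "Kerberos probe failed for %s and no username/password was "
            "supplied for NTLM" % url)
    return ("ntlm", None, None)


def constructed_server(method, url, params):
    """Constructed stand-in for the reported endpoint: 405 unless f=json."""
    return 200 if params.get("f") == "json" else 405


if __name__ == "__main__":
    url = "https://www.example.com/arcgis/rest/services"
    print(select_auth(url, constructed_server))
    try:
        select_auth(url, lambda method, url, params: 401)
    except CredentialsRequired as exc:
        print("handled: %s" % exc)
```

In a real handler, `kerberos_probe` would wrap a `requests` call with `HTTPKerberosAuth()` as in the snippets above.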