Hi @riccardodimaria!

I'm fairly unfamiliar with this feature but would recommend against using it - you lose integrity checks and the cost for encryption is fairly minimal (it's in-hardware these days).

Could you post the output of curl with the -v option? That should dump the headers to stderr and illuminate the situation. Particularly, your redirected URL should contain an xrdhttptk. You can redact the secrets in the output - I'm just looking for the presence of headers.

Also to verify - modern versions of curl are supposed to drop the Authorization header on redirect for obvious security reasons.

Finally:

> since there was no cert, no "opaque" token was generated

The opaque token is not generated from the certificate but rather from the XrdSecEntity object. The code appears to do some questionable items such as dump the credentials unencrypted into the URL. I don't understand that but it was done in 581b26b by @ffurano so he might have some insight.

Brian

