New /alfresco/cmisatom binding does not allow HTTP Basic when using Kerberos authentication in the chain.
How to reproduce?
1) create a plain vanilla 4.1.6 (linux pg tomcat)
2) confirm you can get
curl -v http://admin:admin@madona:8080/alfresco/cmisatom/
(that is you can get HTTP Basic auth on that API)
3) create a new 4.1.6 system, but this time with kerberos authentication
4) confirm kerberos SSO works in explorer
5) try to call the same API as in 2) with a valid username and password
Negociate header sent.
If the server detects there is a Authorization Basic header then it should use it. See notes for why it should.
1) before we had two API end points
a) /alfresco/service/cmis and
when using a) we always had HTTP Basics, so cmis clients could use that path in their configuration
Now we have just one. So we either need to make that unique endpoint more clever or create a 2nd one.
2) we should treat this as a bug. Indeed, client side code try to be clever, including our own android code, see case 147835.
When the client understands it needs to negociate kerberos (something that it can't do, as it can only do HTTP Basic) then it switches to the unsupported cmis URL (to be deprecated). see attached screen shot that proves the difference in the calls made by the android client with and without kerberos.