Avoid requesting client proxy cert if not needed

[cal-jlab]

Hi there! I encountered an issue that was preventing me from using xrootd4j as a load-balancer for delegated third-party copies when using GSI authentication. Specifically, the class GSIPost49ServerRequestHandler always requests a proxy certificate from the client if the client is capable of creating one, even if the server has no need for it. Rather than implement the whole X509ProxyDelegationClient interface (and the requisite underpinnings) for no real purpose, I simply disabled the request in a forked copy of xrootd4j. I would offer to contribute some changes to this logic, but it's not clear what would be the correct way to modify the code to make the proxy request optional, as opposed to simply disabling that bit of code.

[kofemann]

@cal-jlab somehow I miss my earlier comment here...anyway

accorgin GSI standard, the delegation should be requested by client. In case of xroot, this is triggerd by client sending kXGC_certreq. Do you observe different behavior?

[cal-jlab]

This is the code I'm talking about. The server always sends the signing request to the client if the client supports it, even if the server has no need for it. This happens in response to kXGC_cert, not kXGC_certreq.

xrootd4j/xrootd4j-gsi/src/main/java/org/dcache/xrootd/plugins/authn/gsi/post49/GSIPost49ServerRequestHandler.java

Lines 178 to 183 in 6bfd013

	/**
	* Only send a sign request to the client if the client supports it.
	*/
	if (clientCanSignRequest) {
	return getSigPxyResponse(certChain, request, mainBucket);
	}