[security-dev 00121]: Re: hg: jdk7/jsn/jdk: 6670362: HTTP/SPNEGO should work across realms

Weijun Max Wang Weijun.Wang at Sun.COM
Thu Mar 20 01:37:47 PDT 2008

Hi Asaf

Thanks for watching the list. :)

Basically I want to encode "HTTP on host.server.com" into a service
principal like "HTTP/host.server.com at SERVER.COM".

By changing the nameType to GSSName.NT_HOSTBASED_SERVICE, it means the
underlying Kerberos principal should be of the NT-SRV-HST type.
According to the RFC 1964[1], its form should be service at hostname.

Without this change, "HTTP/host.server.com" has no type info. If you're
accessing the service from a machine on the CLIENT.COM realm, the
service principal is encoded into "HTTP/host.server.COM at CLIENT.COM"
only. With this change, Java will try to find out the realm this service
actually belongs to and create the correct principal name.

One way to provide this info is to add these lines into your krb5.conf:

   .client.com = CLIENT.COM
   .server.com = SERVER.COM


[1] http://tools.ietf.org/html/rfc1964#section-2.1.2

Asaf Mesika wrote:
> I'm sorry, but I don't understand why you've changed the / to @ in the
> principal name ?
> And how should this help being cross realmed?
> On Thu, Mar 20, 2008 at 5:58 AM, <weijun.wang at sun.com
> <mailto:weijun.wang at sun.com>> wrote:
>     Changeset: a8d6215fa863
>     Author:    weijun
>     Date:      2008-03-20 11:57 +0800
>     URL:       http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/a8d6215fa863
>     6670362: HTTP/SPNEGO should work across realms
>     Reviewed-by: valeriep
>     ! src/share/classes/sun/net/www/protocol/http/NegotiatorImpl.java

More information about the security-dev mailing list