[security-dev 00429]: Request for comment: How to enable credentials delegation in HTTP Negotiate?

Weijun Wang Weijun.Wang at Sun.COM
Mon Nov 24 23:01:17 PST 2008

Hi All

The current implementation of HTTP Negotiate authentication has not
enabled credential delegation (it simply acquires a new one using either
a cached TGT or username/password from Authenticator). This means that
in a multi-tier application, a middle tier cannot start an HTTP request
(to the backend server) on behalf of the client.

I'm suggesting the following updates:

1. In java.net.Authenticator, add 2 methods

    // Hook for subclasses: return a credential (e.g. one delegated by a
    // client) that HTTP Negotiate should use; the default is "none".
    protected GSSCredential getGSSCredential() {
        return null;
    }

    // Called by the HTTP Negotiate implementation; mirrors the existing
    // static requestPasswordAuthentication() pattern.
    public static GSSCredential requestGSSCredential() {
        Authenticator a = theAuthenticator;
        if (a == null) {
            return null;
        } else {
            return a.getGSSCredential();
        }
    }

2. In the implementation of the HTTP Negotiate auth scheme

    GSSCredential deleg = Authenticator.requestGSSCredential();
    context = manager.createContext(serverName,
                                    oid,     // mechanism Oid, unchanged
                                    deleg,   // this used to be null
                                    GSSContext.DEFAULT_LIFETIME);

Then, when an application developer is creating a GSS server that wants
to start an HTTP request using a delegated credential, she can write:

    // establish the GSSContext (acceptSecContext loop, not shown)
    final GSSCredential deleg = context.getDelegCred();
    Authenticator.setDefault(new Authenticator() {
            @Override
            protected GSSCredential getGSSCredential() {
                return deleg;
            }
        });
    new URL("http://somewhere").openConnection().getInputStream();

What's your comment?
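As an added example that is not part of the original post (and not JDK code), here is the middle-tier side of the flow sketched above, written against the proposed getGSSCredential() hook. It assumes the middle tier's own acceptor credential serverCred has already been acquired and that GSS tokens travel length-prefixed on the streams; it adds the checks a server should make before reusing a delegated credential (delegation actually granted, credential still valid) and uninstalls the JVM-wide default Authenticator afterwards.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.URL;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public class DelegatingMiddleTier {
    // Accept the client's GSS context. Assumed framing: int length, then token
    // bytes. 'serverCred' is the middle tier's acceptor credential (acquired elsewhere).
    static GSSContext acceptClient(GSSCredential serverCred, DataInputStream in,
                                   DataOutputStream out) throws GSSException, IOException {
        GSSContext ctx = GSSManager.getInstance().createContext(serverCred);
        while (!ctx.isEstablished()) {
            byte[] inTok = new byte[in.readInt()];
            in.readFully(inTok);
            byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
            if (outTok != null) {
                out.writeInt(outTok.length);
                out.write(outTok);
            }
        }
        return ctx;
    }

    // Open the backend request on the client's behalf, but only when the client
    // actually delegated a credential that is still usable.
    static InputStream callBackendAsClient(GSSContext ctx, String backendUrl)
            throws GSSException, IOException {
        if (!ctx.getCredDelegState()) {
            throw new GSSException(GSSException.NO_CRED); // not delegated, or KDC refused
        }
        final GSSCredential deleg = ctx.getDelegCred();
        if (deleg.getRemainingLifetime() <= 0) {
            throw new GSSException(GSSException.CREDENTIALS_EXPIRED);
        }
        Authenticator.setDefault(new Authenticator() {
            // the hook proposed in this post; it is not in the shipped JDK
            protected GSSCredential getGSSCredential() { return deleg; }
        });
        try {
            return new URL(backendUrl).openConnection().getInputStream();
        } finally {
            Authenticator.setDefault(null); // setDefault is JVM-wide: remove per-client cred
        }
    }
}
```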
