[security-dev 00429]: Request for comment: How to enable credentials delegation in HTTP Negotiate?

Weijun Wang Weijun.Wang at Sun.COM
Mon Nov 24 23:01:17 PST 2008


Hi All

The current implementation of HTTP Negotiate authentication has not
enabled credential delegation (it simply acquires a new one using either
a cached TGT or username/password from Authenticator). This means that
in a multi-tier application, a middle tier cannot start an HTTP request
(to the backend server) on behalf of the client.

I'm suggesting the following updates:

1. In java.net.Authenticator, add 2 methods

    protected GSSCredential getGSSCredential() {
        return null;
    }
    public static GSSCredential requestGSSCredential() {
        Authenticator a = theAuthenticator;
        if (a == null) {
            return null;
        } else {
            return a.getGSSCredential();
        }
    }

2. In the implementation of the HTTP Negotiate auth scheme
(sun.net.www.protocol.http.NegotiatorImpl),

    GSSCredential deleg = Authenticator.requestGSSCredential();
    context = manager.createContext(serverName,
                                    oid,
                                    deleg,   // this used to be null
                                    GSSContext.DEFAULT_LIFETIME);

Then, when an application developer is creating a GSS server that wants
to start an HTTP request using a delegated credential, she can write:

    // establish the GSSContext
    final GSSCredential deleg = context.getDelegCred();
    Authenticator.setDefault(new Authenticator() {
            @Override
            protected GSSCredential getGSSCredential() {
                return deleg;
            }
    });
    new URL("http://somewhere").openConnection().getInputStream();

What's your comment?

Thanks
Max




More information about the security-dev mailing list