[security-dev 00429]: Request for comment: How to enable credentials delegation in HTTP Negotiate?
Weijun Wang
Weijun.Wang at Sun.COM
Tue Nov 25 07:01:17 UTC 2008
Hi All
The current implementation of HTTP Negotiate authentication has not
enabled credential delegation (it simply acquires a new one using either
a cached TGT or username/password from Authenticator). This means that
in a multi-tier application, a middle tier cannot start an HTTP request
(to the backend server) on behalf of the client.
I'm suggesting the following updates:
1. In java.net.Authenticator, add 2 methods
    // Default returns null, which keeps the current behaviour (acquire a fresh
    // credential); applications that hold a delegated credential override it.
    protected GSSCredential getGSSCredential() {
        return null;
    }

    // Called by the Negotiate scheme; returns null if no Authenticator is set.
    public static GSSCredential requestGSSCredential() {
        Authenticator a = theAuthenticator;
        if (a == null) {
            return null;
        } else {
            return a.getGSSCredential();
        }
    }
2. In the implementation of the HTTP Negotiate auth scheme
(sun.net.www.protocol.http.NegotiatorImpl),
    GSSCredential deleg = Authenticator.requestGSSCredential();
    context = manager.createContext(serverName,
                                    oid,
                                    deleg, // this used to be null
                                    GSSContext.DEFAULT_LIFETIME);
Then, when an application developer is creating a GSS server that wants
to start an HTTP request using a delegated credential, she can write:
    // establish the GSSContext (acceptor side, fully established)
    // getDelegCred() only succeeds if the client delegated; check
    // context.getCredDelegState() first
    final GSSCredential deleg = context.getDelegCred();
    Authenticator.setDefault(new Authenticator() {
        @Override
        protected GSSCredential getGSSCredential() {
            return deleg;
        }
    });
    new URL("http://somewhere").openConnection().getInputStream();
What's your comment?
Thanks
Max
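The flow the proposal describes, written out end to end as an added example (not code from the post above or from the JDK): a middle tier accepts the client's SPNEGO token, checks that the client actually delegated, and only then initiates a context to the backend with the delegated credential, passing it as the third argument of createContext in place of null, and sends the resulting token in an Authorization: Negotiate header by hand instead of through the URL handler. It assumes the acceptor runs with a Kerberos credential in its JAAS Subject (for instance inside Subject.doAs after a keytab login), that the backend host has an HTTP/<host> service principal, that the client called requestCredDeleg(true), and that java.util.Base64 (Java 8 or later) is available; the class and method names are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example, not from the original post or the JDK. Assumes a working
 * Kerberos/JAAS setup for the acceptor and a client that requested delegation.
 */
public class DelegatingMiddleTier {

    // SPNEGO, the mechanism HTTP Negotiate uses.
    private static final Oid SPNEGO_OID;
    static {
        try {
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /*
     * Acceptor side. Returns the delegated credential, or null when the client
     * did not delegate. getDelegCred() is only valid on an established context
     * and throws if nothing was delegated, so test getCredDelegState() first.
     */
    public static GSSCredential acceptAndExtractDelegation(byte[] clientToken)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // null: accept with the default credential of the current Subject
        GSSContext ctx = manager.createContext((GSSCredential) null);
        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        // A real server returns 'reply' in WWW-Authenticate: Negotiate; with
        // Kerberos under SPNEGO the acceptor is established after this token.
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("multi-round SPNEGO not handled here");
        }
        if (!ctx.getCredDelegState()) {
            return null;
        }
        return ctx.getDelegCred();
    }

    /*
     * Initiator side: initiate a context to HTTP@backend with the delegated
     * credential and send the token as Authorization: Negotiate.
     */
    public static InputStream fetchAsClient(URL backend, GSSCredential deleg)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName(
                "HTTP@" + backend.getHost(), GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                serverName, SPNEGO_OID, deleg, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // Do not forward the client's credential a further hop from here.
        ctx.requestCredDeleg(false);
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);

        HttpURLConnection conn = (HttpURLConnection) backend.openConnection();
        conn.setRequestProperty("Authorization",
                "Negotiate " + Base64.getEncoder().encodeToString(token));
        if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
            throw new IOException("backend rejected the delegated credential");
        }
        // With mutual auth the backend answers with its own token; feed it back
        // so the context is verified as established, not merely sent.
        String hdr = conn.getHeaderField("WWW-Authenticate");
        if (hdr != null && hdr.startsWith("Negotiate ")) {
            byte[] srv = Base64.getDecoder().decode(hdr.substring("Negotiate ".length()));
            ctx.initSecContext(srv, 0, srv.length);
        }
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.FAILURE);
        }
        return conn.getInputStream();
    }

    /* Ties the two halves together and refuses to fall back to the middle
       tier's own identity when the client did not delegate. */
    public static InputStream serveOnBehalfOf(byte[] clientToken, URL backend)
            throws GSSException, IOException {
        GSSCredential deleg = acceptAndExtractDelegation(clientToken);
        if (deleg == null) {
            throw new SecurityException("client did not delegate; refusing to "
                    + "call the backend as the middle tier itself");
        }
        try {
            return fetchAsClient(backend, deleg);
        } finally {
            deleg.dispose();
        }
    }
}
```

Two points a practitioner would want to keep in mind: delegation only happens when the client asks for it and the KDC permits it (forwardable tickets and, for Windows clients, the OK-AS-DELEGATE flag on the service account), so the null path above is a normal outcome rather than an error; and what the middle tier receives is the client's forwarded TGT, usable against any service, so the backend hosts it is sent to should be restricted and the credential disposed once the request is made.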