[security-dev 00723]: Re: Request for comment: How to enable credentials delegation in HTTP Negotiate?
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Mon Mar 30 02:48:42 UTC 2009
Ping again, any suggestions?
Thanks
Max
On Nov 25, 2008, at 3:01 PM, Weijun Wang wrote:
> Hi All
>
> The current implementation of HTTP Negotiate authentication has not
> enabled credential delegation (it simply acquires a new one using
> either a cached TGT or username/password from Authenticator). This
> means that in a multi-tier application, a middle tier cannot start an
> HTTP request (to the backend server) on behalf of the client.
Currently, java.net.Authenticator can only authenticate using a
username/password pair, but cannot use an established credential.
>
> I'm suggesting the following updates:
>
> 1. In java.net.Authenticator, add 2 methods
>
>     protected GSSCredential getGSSCredential() { // To be overridden
>         return null;
>     }
>
>     public static GSSCredential requestGSSCredential() {
>         Authenticator a = theAuthenticator;
>         if (a == null) {
>             return null;
>         } else {
>             return a.getGSSCredential();
>         }
>     }
>
> 2. In the implementation of the HTTP Negotiate auth scheme
> (sun.net.www.protocol.http.NegotiatorImpl),
>
>     GSSCredential deleg = Authenticator.requestGSSCredential();
>     context = manager.createContext(serverName,
>                                     oid,
>                                     deleg, // this used to be null
>                                     GSSContext.DEFAULT_LIFETIME);
>
> Then, when an application developer is creating a GSS server that
> wants to start an HTTP request using a delegated credential, she can
> write:
>
>     // establish the GSSContext
>     final GSSCredential deleg = context.getDelegCred();
>     Authenticator.setDefault(new Authenticator() {
>         @Override
>         protected GSSCredential getGSSCredential() {
>             return deleg;
>         }
>     });
>     new URL("http://somewhere").openConnection().getInputStream();
>
> What's your comment?
>
> Thanks
> Max
>
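Added example (not from the message above and not JDK code): a middle-tier sketch of how the proposed hook would be used, written against the proposed `Authenticator.getGSSCredential()` method, which does not exist in the stock JDK and is assumed here; the `TokenChannel` interface and the refuse-when-not-delegated policy are also constructed for the example. It adds the two checks the sketch in the message leaves out: calling `getCredDelegState()` before `getDelegCred()` (which throws rather than returning null when the client did not delegate), and scoping the credential to the request being served instead of capturing one user's credential in the JVM-wide default Authenticator, where a concurrent request for another user would pick it up.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.URL;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/**
 * Middle tier: accept the client's Negotiate token exchange, take the
 * delegated credential only if the client actually delegated one, and
 * hand it to the HTTP client through the proposed Authenticator hook.
 * The client must have called requestCredDeleg(true) on its own
 * GSSContext before the first initSecContext(), otherwise nothing is
 * delegated and accept() returns null.
 */
public class DelegatingMiddleTier {

    /**
     * Per-request credential slot. Authenticator.setDefault() is JVM-wide,
     * so capturing one user's GSSCredential in an anonymous Authenticator
     * would let a concurrent request for a different user reuse it. The
     * Negotiate handshake runs on the thread that opened the connection,
     * so a ThreadLocal scopes the credential to that request.
     */
    private static final ThreadLocal<GSSCredential> DELEGATED =
            new ThreadLocal<GSSCredential>();

    /** Hypothetical: overrides the getGSSCredential() method proposed in the message. */
    static final class DelegatingAuthenticator extends Authenticator {
        @Override
        protected GSSCredential getGSSCredential() {
            // null makes NegotiatorImpl fall back to acquiring its own credential
            return DELEGATED.get();
        }
    }

    static {
        Authenticator.setDefault(new DelegatingAuthenticator());
    }

    /** Assumed transport for GSS tokens; not part of the message. */
    interface TokenChannel {
        byte[] read() throws IOException;
        void write(byte[] token) throws IOException;
    }

    /**
     * Runs the acceptor side of the token loop for one client. Returns the
     * delegated credential, or null when the client did not delegate:
     * getDelegCred() throws on an established context without delegation,
     * so getCredDelegState() is checked first.
     */
    static GSSCredential accept(GSSCredential serverCred, TokenChannel ch)
            throws GSSException, IOException {
        GSSContext ctx = GSSManager.getInstance().createContext(serverCred);
        try {
            while (!ctx.isEstablished()) {
                byte[] in = ch.read();
                byte[] out = ctx.acceptSecContext(in, 0, in.length);
                if (out != null) {
                    ch.write(out);
                }
            }
            return ctx.getCredDelegState() ? ctx.getDelegCred() : null;
        } finally {
            try { ctx.dispose(); } catch (GSSException ignored) { }
        }
    }

    /** Forwards one request to the backend as the delegating user. */
    static int forward(GSSCredential deleg, URL backend) throws IOException {
        if (deleg == null) {
            // Constructed policy: refuse rather than silently proxy with
            // the middle tier's own identity.
            throw new IOException("client did not delegate; refusing to impersonate");
        }
        DELEGATED.set(deleg);
        try {
            HttpURLConnection c = (HttpURLConnection) backend.openConnection();
            try {
                return c.getResponseCode(); // Negotiate handshake uses DELEGATED
            } finally {
                c.disconnect();
            }
        } finally {
            DELEGATED.remove();             // never leak into the next request on this thread
            try { deleg.dispose(); } catch (GSSException ignored) { }
        }
    }
}
```

Disposing the delegated credential after the forwarded request is deliberate: a forwarded TGT held past the request it served is a standing impersonation capability for that user, so its lifetime in the middle tier should be the lifetime of the request.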