[security-dev 00723]: Re: Request for comment: How to enable credentials delegation in HTTP Negotiate?

Max (Weijun) Wang Weijun.Wang at Sun.COM
Mon Mar 30 02:48:42 UTC 2009


Ping again, any suggestions?

Thanks
Max

On Nov 25, 2008, at 3:01 PM, Weijun Wang wrote:

> Hi All
>
> The current implementation of HTTP Negotiate authentication has not
> enabled credential delegation (it simply acquires a new one using
> either a cached TGT or username/password from Authenticator). This means
> that in a multi-tier application, a middle tier cannot start an HTTP
> request (to the backend server) on behalf of the client.

Currently, java.net.Authenticator can only authenticate using a
username/password pair, but cannot use an established credential.

>
> I'm suggesting the following updates:
>
> 1. In java.net.Authenticator, add 2 methods
>
>    protected GSSCredential getGSSCredential() { // To be overridden
>        return null;
>    }
>    public static GSSCredential requestGSSCredential() {
>        Authenticator a = theAuthenticator;
>        if (a == null) {
>            return null;
>        } else {
>            return a.getGSSCredential();
>        }
>    }
>
> 2. In the implementation of the HTTP Negotiate auth scheme
> (sun.net.www.protocol.http.NegotiatorImpl),
>
>    GSSCredential deleg = Authenticator.requestGSSCredential();
>    context = manager.createContext(serverName,
>                                    oid,
>                                    deleg,   // this used to be null
>                                    GSSContext.DEFAULT_LIFETIME);
>
> Then, when an application developer is creating a GSS server that
> wants to start an HTTP request using a delegated credential, she can
> write:
>
>    // establish the GSSContext
>    final GSSCredential deleg = context.getDelegCred();
>    Authenticator.setDefault(new Authenticator() {
>            @Override
>            protected GSSCredential getGSSCredential() {
>                return deleg;
>            }
>    });
>    new URL("http://somewhere").openConnection().getInputStream();
>
> What's your comment?
>
> Thanks
> Max
>
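As an added example (not from this thread or from the JDK), here is how a middle-tier service could use the proposed getGSSCredential() hook while checking that the client actually delegated a credential before forwarding a request. It assumes the proposed Authenticator method exists, that the SPNEGO handshake completes in one round trip, and that DelegatingMiddleTier and its method names are placeholders.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.URL;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Constructed example: accept a client's SPNEGO token, then forward a request
 *  to the backend using the client's delegated credential. */
public class DelegatingMiddleTier {
    // Authenticator.setDefault is JVM-wide, so the delegated credential is kept
    // per thread and looked up per request instead of captured in a global instance.
    private static final ThreadLocal<GSSCredential> CURRENT =
            new ThreadLocal<GSSCredential>();

    static {
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected GSSCredential getGSSCredential() { // hook proposed in this thread
                return CURRENT.get();
            }
        });
    }

    /** Accepts clientToken (assumed to finish the handshake in one round trip)
     *  and returns the delegated credential, or fails if the client delegated none. */
    static GSSCredential acceptRequiringDelegation(GSSManager manager,
            GSSCredential serverCred, byte[] clientToken) throws GSSException {
        GSSContext ctx = manager.createContext(serverCred);
        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
        // reply, if non-null, goes back to the client in WWW-Authenticate: Negotiate
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.FAILURE); // multi-round case not handled
        }
        // Fail closed: with a null credential the Negotiate code falls back to the
        // JVM's own cached TGT, i.e. the request would run as the middle tier itself.
        if (!ctx.getCredDelegState()) {
            throw new GSSException(GSSException.NO_CRED);
        }
        return ctx.getDelegCred();
    }

    static int forwardAs(GSSCredential deleg, URL backend) throws Exception {
        CURRENT.set(deleg);
        try {
            HttpURLConnection conn = (HttpURLConnection) backend.openConnection();
            return conn.getResponseCode(); // Negotiate challenge is answered with deleg
        } finally {
            CURRENT.remove(); // never leave one client's credential for the next request
        }
    }
}
```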