Max,

One question. Would this mechanism work for any possible GSS security mechanism?
In other words, is all the information you need encapsulated inside a single
GSSCredential object?

Also, java.net.Authenticator was designed very much for the original HTTP authentication
schemes (Basic and Digest) which is why it has all these methods for getting
the hostname, port, domain "prompt" string etc and NTLM more or less fits in with
this API as well.

So, this is a different way of doing it, where a pre-established credential is used
instead of a user being prompted to provide a username and password based
on the parameters supplied by the protocol.

At the very least, there would have to be a way to distinguish between these two
modes of operation. But I am wondering if a separate class might be more appropriate
(GSSAuthenticator). So, HttpURLConnection could check if a GSSAuthenticator exists,
then it would probe that object for the credential. Otherwise it would fall back to
the existing approach.

One problem with extending Authenticator is that the plugin has a fixed Authenticator
implementation, that only handles usernames and passwords, and it might not
want to use this new mechanism.

- Michael


Max (Weijun) Wang wrote:
Ping again, any suggestions?

Thanks
Max

On Nov 25, 2008, at 3:01 PM, Weijun Wang wrote:

Hi All

The current implementation of HTTP Negotiate authentication has not
enabled credential delegation (it simply acquires a new one using either
a cached TGT or username/password from Authenticator). This means that
in a multi-tier application, a middle tier cannot start an HTTP request
(to the backend server) on behalf of the client.

Currently, java.net.Authenticator can only authenticate using a username/password pair, but cannot use an established credential.


I'm suggesting the following updates:

1. In java.net.Authenticator, add 2 methods

   protected GSSCredential getGSSCredential() { // To be overridden
       return null;
   }
   public static GSSCredential requestGSSCredential() {
       Authenticator a = theAuthenticator;
       if (a == null) {
           return null;
       } else {
           return a.getGSSCredential();
       }
   }

2. In the implementation of the HTTP Negotiate auth scheme
(sun.net.www.protocol.http.NegotiatorImpl),

   GSSCredential deleg = Authenticator.requestGSSCredential();
   context = manager.createContext(serverName,
                                   oid,
                                   deleg,   // this used to be null
                                   GSSContext.DEFAULT_LIFETIME);

Then, when an application developer is creating a GSS server that wants
to start an HTTP request using a delegated credential, she can write:

   // establish the GSSContext
   final GSSCredential deleg = context.getDelegCred();
   Authenticator.setDefault(new Authenticator() {
           @Override
           protected GSSCredential getGSSCredential() {
               return deleg;
           }
   });
   new URL("http://somewhere").openConnection().getInputStream();

What's your comment?

Thanks
Max
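The delegation flow the proposal above describes, written out as an added example (this is not code from the thread or from the JDK; the getGSSCredential hook proposed above does not exist in java.net.Authenticator, so the example sets the Negotiate header by hand, which is what the NegotiatorImpl change would do internally). Assumed and not verified by the code: the middle tier runs under a JAAS Subject logged in with its own HTTP/ service principal, a KDC is reachable, the client called requestCredDeleg(true) and its TGT is forwardable, and the hostnames are placeholders. Two points a practitioner should check that the sketch in the proposal does not: getCredDelegState() must be true before getDelegCred() is meaningful, and a forwarded TGT lets the middle tier act as that user toward any Kerberos service, so the credential should live with the request that produced it rather than in a JVM-global default Authenticator shared by every thread.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Middle tier that accepts a client's Negotiate token, takes the delegated
 * credential and calls a backend over HTTP as that client.
 * Assumed environment (not checked here): the JVM runs under a JAAS Subject
 * logged in with the middle tier's HTTP/ service principal, a KDC is
 * reachable, and the client requested credential delegation.
 */
public class DelegatedNegotiate {

    private static final GSSManager MANAGER = GSSManager.getInstance();
    private static final String NEGOTIATE = "Negotiate ";

    private static Oid spnego() throws GSSException {
        return new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
    }

    /** Pulls the raw token out of an inbound "Authorization: Negotiate ..." value. */
    static byte[] tokenFromAuthorization(String headerValue) {
        if (headerValue == null || !headerValue.startsWith(NEGOTIATE)) {
            return null;
        }
        return Base64.getDecoder().decode(headerValue.substring(NEGOTIATE.length()).trim());
    }

    /**
     * Server side: consume the client's token. Returns the delegated credential
     * only if the context is established and the client actually forwarded one.
     */
    static GSSCredential acceptAndExtract(byte[] clientToken) throws GSSException {
        // null acceptor credential = default credential of the current Subject
        GSSContext server = MANAGER.createContext((GSSCredential) null);
        byte[] reply = server.acceptSecContext(clientToken, 0, clientToken.length);
        if (!server.isEstablished()) {
            // A real server would return 'reply' in WWW-Authenticate and continue;
            // Kerberos over SPNEGO normally completes in a single round trip.
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        if (!server.getCredDelegState()) {
            // Nothing to impersonate with: refuse rather than silently falling
            // back to the middle tier's own identity.
            return null;
        }
        System.out.println("Client " + server.getSrcName() + " delegated credentials");
        return server.getDelegCred();
    }

    /**
     * Client side (middle tier -> backend): initiate with the delegated credential,
     * exactly the createContext call the proposal changes in NegotiatorImpl.
     */
    static GSSContext initiateAs(GSSCredential deleg, String backendHost) throws GSSException {
        GSSName backend = MANAGER.createName("HTTP@" + backendHost, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = MANAGER.createContext(backend, spnego(), deleg, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // verify the backend's reply token
        ctx.requestCredDeleg(false);  // do not forward the client's TGT a second hop
        return ctx;
    }

    static String negotiateHeader(GSSContext ctx) throws GSSException {
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        return NEGOTIATE + Base64.getEncoder().encodeToString(token);
    }

    /** Issues one request to the backend as the delegated user and finishes mutual auth. */
    static int callBackend(GSSCredential deleg, URL backend) throws Exception {
        GSSContext ctx = initiateAs(deleg, backend.getHost());
        HttpURLConnection conn = (HttpURLConnection) backend.openConnection();
        conn.setRequestProperty("Authorization", negotiateHeader(ctx));
        int status = conn.getResponseCode();
        // With mutual auth the backend answers with its own token on the response.
        byte[] serverToken = tokenFromAuthorization(conn.getHeaderField("WWW-Authenticate"));
        if (serverToken != null && serverToken.length > 0) {
            ctx.initSecContext(serverToken, 0, serverToken.length);
        }
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.FAILURE); // backend did not prove its identity
        }
        ctx.dispose();
        return status;
    }

    /** Usage: called once per inbound request (hostnames are placeholders). */
    static int handleInboundRequest(String inboundAuthorization) throws Exception {
        GSSCredential deleg = acceptAndExtract(tokenFromAuthorization(inboundAuthorization));
        if (deleg == null) {
            return 403; // client did not delegate; nothing to act on its behalf with
        }
        try {
            return callBackend(deleg, new URL("http://backend.example.com/resource"));
        } finally {
            deleg.dispose(); // scoped to this request, never stored globally
        }
    }
}
```

Everything the backend call needs is carried in the GSSContext created per request, so the same middle tier can serve concurrent clients without one client's forwarded TGT leaking into another client's request; that is the property a static Authenticator.setDefault(...) holding a single credential cannot give.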
