On 20/04/2011 21:00, Filip Hanik - Dev Lists wrote:
> Here are some thoughts on the implementation
Thanks for the feedback.
> 1. com.sun.security.jgss.initiate is not needed
> This definition is not needed in jaas.conf. Tomcat is not a client in
> this case, it's a server accepting tickets.
> the .initiate is only for clients that request a Kerberos ticket from
> the KDC.
> The example works fine removing this entry all together.
I think this will be required when we add support for using the server's
delegated credentials to connect to the directory to retrieve user
roles. I'll check this when I implement it and will remove it if I can.
> 2. com.sun.security.jgss.krb5.accept is not configurable
> While the authenticator has the attribute loginConfigName, there seems
> to be a place in the code where it omits this entry.
> renaming this entry in jaas.conf and setting the loginConfigName will
> fail to validate a ticket
Thanks. I'll add a BZ entry for this. I should be able to get to it in
time for 7.0.13 (unless someone beats me to it).
Mark
>
> The problem code is here:
>
>     gssContext =
>         manager.createContext(manager.createCredential(null,
>                                   GSSCredential.DEFAULT_LIFETIME,
>                                   new Oid("1.3.6.1.5.5.2"),
>                                   GSSCredential.ACCEPT_ONLY));
>
> should look like
>
>     final GSSManager manager = GSSManager.getInstance();
>     final PrivilegedExceptionAction<GSSCredential> action =
>         new PrivilegedExceptionAction<GSSCredential>() {
>             public GSSCredential run() throws GSSException {
>                 return manager.createCredential(null,
>                                                 GSSCredential.DEFAULT_LIFETIME,
>                                                 new Oid("1.3.6.1.5.5.2"),
>                                                 GSSCredential.ACCEPT_ONLY);
>             }
>         };
>     gssContext =
>         manager.createContext(Subject.doAs(lc.getSubject(), action));
>
>
> best
> Filip
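As an added illustration of the point in item 2 (not Tomcat's code and not from either poster): a complete SPNEGO acceptor that logs in through whatever JAAS entry loginConfigName names, acquires the acceptor credential inside Subject.doAs so the keytab principal from that subject is used instead of the JVM default, and then accepts a client token. The class name, the loginConfigName constructor argument and the caller-supplied token bytes are assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Hypothetical acceptor: validates a SPNEGO token against the JAAS entry given by loginConfigName. */
public final class SpnegoAcceptor {

    private static final Oid SPNEGO = createOid("1.3.6.1.5.5.2");
    private final String loginConfigName;   // assumed to match an entry in jaas.conf

    public SpnegoAcceptor(String loginConfigName) {
        this.loginConfigName = loginConfigName;
    }

    /** Returns the authenticated client principal, or null if more round trips are needed. */
    public String accept(byte[] clientToken)
            throws LoginException, GSSException, PrivilegedActionException {
        LoginContext lc = new LoginContext(loginConfigName);   // configurable, not a fixed name
        lc.login();                                            // loads the keytab into the subject
        final GSSManager manager = GSSManager.getInstance();
        // The credential must be created under the logged-in subject; created outside doAs the
        // Krb5 mechanism falls back to the JVM default and the chosen loginConfigName is ignored.
        GSSCredential serverCred = Subject.doAs(lc.getSubject(),
            new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                    SPNEGO, GSSCredential.ACCEPT_ONLY);
                }
            });
        GSSContext ctx = manager.createContext(serverCred);
        try {
            ctx.acceptSecContext(clientToken, 0, clientToken.length);
            return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        } finally {
            ctx.dispose();
            lc.logout();
        }
    }

    private static Oid createOid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }
}
```

If delegation is ever added (item 1), ctx.getCredDelegState() and ctx.getDelegCred() on the established context are where the client's forwarded credential would be read before the directory lookup.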
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]