JDK-6549811 : add support for delegation in HTTP/SPNEGO

Details
Type:
Bug
Submit Date:
2007-04-24
Status:
Closed
Updated Date:
2011-05-18
Project Name:
JDK
Resolved Date:
2011-05-18
Component:
core-libs
OS:
generic
Sub-Component:
java.net
CPU:
generic
Priority:
P3
Resolution:
Fixed
Affected Versions:
6
Fixed Versions:

Related Reports
Backport:

Sub Tasks

Description
Support for HTTP/SPNEGO is available starting from Java SE 6.

However, currently the Java implementation of HTTP Negotiate does not support "delegation".
The GSS context flag for delegation needs to be enabled based on configuration.

Mozilla/Firefox supports the following configuration parameters via about:config
to enable delegation:
- network.negotiate-auth.delegation-uris
- network.negotiate-auth.trusted-uris

1. network.negotiate-auth.trusted-uris
   URIs to attempt GSSAPI Negotiate authentication with. Set this to a comma-separated list of sites to automatically authenticate to, for example https://, sun.com will enable Negotiate authentication for all secure servers and all sites in the sun.com domain.

2. network.negotiate-auth.delegation-uris
    URIs to delegate credentials to. Same syntax as above.

IE uses the OK_TO_DELEGATE Kerberos service ticket flag to enable delegation.

In Active Directory, the SPN needs to be enabled with the OK-TO-DELEGATE flag. However, not all Kerberos implementations support this flag. Hence, this flag should be checked only if available.

Comments
EVALUATION

Add requestCredDeleg(true) in the NegotiatorImpl class before initSecContext, and check the existence of the OK-AS-DELEGATE flag; enable delegation only when the flag is set.

Note: the check is in InitialToken.java and is only performed when the caller is CALLER_HTTP_NEGOTIATE (since that's the only place we have always added requestCredDeleg(true)); therefore, no other callers are affected.
2007-07-03
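The description asks for delegation that is gated on the service ticket's OK-AS-DELEGATE flag, and the evaluation notes that the JDK applies that gate only inside its own HTTP Negotiate path (CALLER_HTTP_NEGOTIATE), so a program that drives JGSS directly and calls requestCredDeleg(true) delegates unconditionally. The following added example (written for this page, not code from the JDK or from the bug's fix) applies the same policy in user code: it builds a first SPNEGO token without delegation so that JGSS fetches the HTTP/host service ticket, reads the ok-as-delegate bit (bit 13 of TicketFlags, RFC 4120 section 5.3) from the KerberosTicket that JGSS caches in the Subject, and only then requests delegation on the real context. The JAAS entry name "KerberosClient", the host "web.example.com", and the assumption that JGSS stores the acquired service ticket in the Subject's private credentials are all assumptions of the example, not facts from the bug report.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not JDK code): request credential delegation for an
 * HTTP/SPNEGO context only when the KDC marked the service ticket
 * ok-as-delegate. Assumes a JAAS configuration entry "KerberosClient"
 * (hypothetical name) that uses Krb5LoginModule with useTicketCache=true,
 * and a reachable KDC/realm configured in krb5.conf.
 */
public class OkAsDelegateNegotiate {

    /** Bit position of ok-as-delegate in the TicketFlags BIT STRING (RFC 4120, 5.3). */
    static final int OK_AS_DELEGATE_BIT = 13;
    static final Oid SPNEGO_OID = oid("1.3.6.1.5.5.2");

    private static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Creates an initiator context for HTTP@host with the delegation flag set (or not) up front. */
    static GSSContext newContext(String host, boolean delegate) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, SPNEGO_OID, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestCredDeleg(delegate); // must precede initSecContext, as the evaluation notes
        return ctx;
    }

    /** Runs one initSecContext step and formats the token as an Authorization header value. */
    static String negotiateHeader(GSSContext ctx, byte[] inToken) throws GSSException {
        byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
        return "Negotiate " + Base64.getEncoder().encodeToString(outToken);
    }

    /**
     * Returns TRUE/FALSE for the ok-as-delegate bit of the cached HTTP/host ticket,
     * or null if no ticket for that service is present in the Subject.
     */
    static Boolean serviceTicketOkAsDelegate(Subject subject, String host) {
        String prefix = "HTTP/" + host + "@"; // Kerberos form of the host-based name
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith(prefix)) {
                boolean[] flags = t.getFlags();
                return flags != null && flags.length > OK_AS_DELEGATE_BIT && flags[OK_AS_DELEGATE_BIT];
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "web.example.com"; // hypothetical host
        LoginContext lc = new LoginContext("KerberosClient");       // hypothetical JAAS entry
        lc.login();
        Subject subject = lc.getSubject();

        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            // Pass 1: a throwaway context without delegation. Assumption: JGSS stores the
            // service ticket it obtains from the TGS in the Subject's private credentials.
            GSSContext probe = newContext(host, false);
            negotiateHeader(probe, new byte[0]);
            probe.dispose();

            Boolean okAsDelegate = serviceTicketOkAsDelegate(subject, host);
            boolean delegate = Boolean.TRUE.equals(okAsDelegate); // unknown or unset => no delegation
            System.out.println("ok-as-delegate on HTTP/" + host + ": " + okAsDelegate);

            // Pass 2: the real context; delegation is requested only with the KDC's blessing.
            GSSContext ctx = newContext(host, delegate);
            String header = negotiateHeader(ctx, new byte[0]);
            System.out.println("Authorization header length: " + header.length());
            // Feed the server's WWW-Authenticate: Negotiate tokens back through
            // negotiateHeader(ctx, token) until ctx.isEstablished(); only then does
            // ctx.getCredDelegState() report whether delegation actually took effect.
            return null;
        });
    }
}
```

The two-pass shape exists because the forwarded TGT travels inside the first AP-REQ: by the time a single context has produced its token, the decision to delegate has already been made, so the ticket flags must be inspected before requestCredDeleg(true) is ever set on the context that will be sent.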


