JDK-6549811 : add support for delegation in HTTP/SPNEGO
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2007-04-24
  • Updated: 2011-05-18
  • Resolved: 2011-05-18
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
6u4Fixed 7 b17Fixed
Support for HTTP/SPNEGO is available starting from Java SE 6.

However, currrently Java implementation of HTTP negotiate does not support "delegation".
The GSS context flag for delegation needs to be enabled based on configuration.

Mozilla/Firefox support following configuration parameters via about:config 
to enable delegation:
- network.negotiate-auth.delegation-uris
- network.negotiate-auth.trusted-uris

1. network.negotiate-auth.trusted-uris
   URIs to attempt GSSAPI Negotiate authentication with. Set this to a comma-separated list of sites to automatically authenticate to, for example https://, sun.com will enable Negotiate authentication for all secure servers and all sites in the sun.com domain.

2. network.negotiate-auth.delegation-uris
    URIs to delegate credentials to. Same syntax as above.

IE uses the OK_TO_DELEGATE Kerberos service ticket flag to enable delegation.

In Active Directory, the SPN needs to be enabled with OK-TO-DELEGATE flag. However all Kerberos implementations do not support this flag. Hence, this flag should be checked only if available.

EVALUATION Add requestCredDeleg(true) in the NegotiatorImpl class before initSecContext, and check the existense of OK-AS-DELEGATE flag, enable delegation only when the flag is set. Note: the check is in InitialToken.java and only performed when the caller is CALLER_HTTP_NEGOTIATE (since that's the only place we have always added requestCredDeleg(true) ), therefore, no other callers are affected.