JDK-6578544 : There is no possibility to set Kerberos Auth properties for each URLConnection
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6
  • Priority: P5
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2007-07-10
  • Updated: 2012-01-11
  • Resolved: 2012-01-11
Description
A DESCRIPTION OF THE REQUEST :
At present we can specify the "realm" and "kdc" properties for Kerberos authentication using system properties:
"java.security.krb5.realm" and "java.security.krb5.kdc" (or "java.security.krb5.conf").
But there is no possibility to set "realm" and "kdc" for each URLConnection separately.

JUSTIFICATION :
In complex applications, it is impossible to use Kerberos authentication in separate third-party plugins (which can authenticate via Kerberos) because we cannot specify different realms and KDCs for different connections.
There is the same problem with the "java.security.krb5.conf" system property - a third-party plugin can overwrite this property with its own value. So we should have the possibility to define "kdc" and "realm" for each "URLConnection" connection. For example, you can add a new method to URLConnection:
connection.setRealmAndKdc(String realm, String kdc)

Comments
EVALUATION In order to use different Kerberos credentials for different connections, please use JAAS Krb5LoginModule to put different credentials into different subjects, and use these subjects to call further actions with doAs().
11-01-2012

EVALUATION Normally, in order to access a Kerberized server located in another realm, the client does not need to switch its default realm/KDC setting to the other realm. Instead, it's the sysadmin who configures some kind of inter-realm authentication so that the client can access it using the original credentials.
17-08-2007

EVALUATION The HTTP/SPNEGO HttpURLConnection support uses the underlying JGSS/krb5 library to provide Negotiate authentication. The library does not support multiple Kerberos realms at the same time. This is the common approach selected by all known Kerberos 5 implementations since the whole mechanism is mainly used for single sign-on purposes.
31-07-2007
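
The approach suggested in the 11-01-2012 evaluation, as an added example that is not part of the original report or the JDK's own code: each plugin logs in through Krb5LoginModule into its own Subject and opens its connection inside doAs(). The class name, principals, keytab paths, URLs and the "plugin" entry name are placeholders; the realm-to-KDC mapping is still read from the JVM-wide Kerberos configuration.

```java
import java.net.URL;
import java.net.URLConnection;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.*;

public class PerSubjectKerberos {

    // Log in one principal from its own keytab; the returned Subject holds only its credentials.
    static Subject login(String principal, String keytabPath) throws LoginException {
        Map<String, String> opts = Map.of(
            "principal", principal,
            "useKeyTab", "true",
            "keyTab", keytabPath,
            "useTicketCache", "false", // do not pick up a shared ticket cache
            "doNotPrompt", "true");    // fail instead of prompting for a password
        // In-memory JAAS configuration, so no plugin has to touch a shared login.conf.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("plugin", new Subject(), null, conf);
        lc.login();
        return lc.getSubject();
    }

    // Open the connection with the given Subject bound to the calling context.
    static URLConnection openAs(Subject subject, String url) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<URLConnection>) () -> {
            URLConnection c = new URL(url).openConnection();
            c.connect();
            return c;
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder principals and keytabs: one Subject per plugin.
        Subject a = login("svc-a@EXAMPLE.COM", "/path/to/svc-a.keytab");
        Subject b = login("svc-b@EXAMPLE.COM", "/path/to/svc-b.keytab");
        openAs(a, "http://app-a.example.com/");
        openAs(b, "http://app-b.example.com/");
    }
}
```

Keeping one keytab per plugin, readable only by that plugin's code, limits what a misbehaving plugin can authenticate as.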