JDK-6828730 : HTTP/Negotiate does not remember the TGT
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic
  • CPU: generic
  • Submitted: 2009-04-10
  • Updated: 2010-11-04
  • Resolved: 2010-06-30
Related Reports
Relates :  
Relates :  
Description
If multiple web pages from the same server all ask for "WWW-Authenticate: Negotiate", or when trying to visit different HTTP servers in the same Kerberos realm in a single Java program, each "WWW-Authenticate: Negotiate" triggers a head-to-tail Kerberos communication, from acquiring the TGT, to acquiring the service ticket, to the final authentication. If the TGT is acquired not from a cache but through a username/password pair from Authenticator, the pair will be prompted for multiple times.

This is because the simple JGSS calls do not remember any tickets, and the HTTP/Negotiate impl does not use the JAAS Subject-based style.

An ideal approach may look like this: acquire TGT only once, and only acquire a new service ticket when visiting another HTTP server. Or, even further, users can acquire multiple TGTs for different realms (when there's no inter-realm trusts among them), but this may be beyond the current capability of Authenticator.

On the other hand, some people might use different accounts (in the same realm) to visit different servers, or even different URLs on the same server. If so, they would regard the current implementation as a feature, not a bug. If so, 6578647 should be fixed to fill the trigger URL info into Authenticator.

The best way to deal with this is that if the application is aware of who can visit where, it can call JAAS at app level first and call HTTP/Negotiate in Subject.doAs() blocks.

This bug report is for memo use only at the moment.

Comments
EVALUATION Closed as NOT-A-DEFECT. Keep current behavior so that the user has a chance to provide different username/password pairs for webpages from different realms, the same realm, or the same server. If the user wants to use the same credentials for multiple web pages, use JAAS to login first, and use the subject from commit() to doAs() further URL connections. A new RFE (6965382) was created to enhance the test to demonstrate these 2 coding styles.
30-06-2010
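The app-level pattern described in both the description and the evaluation (log in once via JAAS, then run HTTP/Negotiate connections inside Subject.doAs() so the TGT in the Subject is reused), as an added example that is not part of the bug report or the JDK; the JAAS entry name "KerberosClient" and the JAAS config file it refers to are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed JAAS config (file given by -Djava.security.auth.login.config):
 *
 *   KerberosClient {
 *     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
 *   };
 */
public class NegotiateOnce {
    // Placeholder entry name; must match the JAAS config above.
    private static final String JAAS_ENTRY = "KerberosClient";

    // Acquire the TGT exactly once: Krb5LoginModule reads the ticket cache or
    // prompts through the CallbackHandler, and commit() stores the resulting
    // KerberosTicket in the Subject's private credentials.
    public static Subject loginOnce() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    // Every URL connection runs under the same Subject, so the JGSS layer used by
    // HTTP/Negotiate picks up the cached TGT and only fetches a service ticket
    // per server instead of re-prompting for username/password.
    public static int fetch(Subject subject, final URL url) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<Integer>() {
            public Integer run() throws IOException {
                HttpURLConnection c = (HttpURLConnection) url.openConnection();
                try (InputStream in = c.getInputStream()) {
                    while (in.read() != -1) { /* drain body */ }
                }
                return c.getResponseCode();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Subject s = loginOnce();          // one login for all URLs below
        for (String u : args) {
            System.out.println(u + " -> " + fetch(s, new URL(u)));
        }
    }
}
```

Run it with several URLs on Negotiate-protected servers in the same realm to observe a single credential prompt; omitting the Subject.doAs() wrapper reproduces the per-URL prompting the report describes.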