directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: [Kerberos] Kerberos + Wicket, part 2
Date Sat, 09 Jun 2007 07:13:12 GMT
Enrique Rodriguez a écrit :

> Hi, Directory developers,
>
> I committed an example Wicket web app to my personal sandbox [1].  I
> put it in my sandbox because it now requires JDK 1.6 to work.  This
> example app used to work with Firefox, but it appears Firefox behavior
> has changed in such a way that JDK 1.5 no longer works.  I pinged some
> colleagues and I'm still researching if there is a work-around.

oh...

>
> Firefox used to send a "GSSAPI/Kerberos v5 OID" and at some point in
> the last 6 months it started sending a "SPNEGO OID."  The problem is
> that Java 1.5 only supports "GSSAPI/Kerberos v5" and so you get an
> exception from jGSS when the SPNEGO OID shows up.  However, with Java
> 1.6 "SPNEGO" is handled properly.  This causes a compatibility issue
> for us since as a project we are on 1.5 hence the commit to my
> sandbox.  I'm still trying to determine whether there is a way to
> configure which OID (mechanism) Firefox uses in the response.

from what I have seen on web lately, I'm not sure. May be by browsing FF 
code source ?

>
> Firefox used to send 1.2.840.113554.1.2.2 (GSSAPI/Kerberos v5).
> Firefox now sends 1.3.6.1.5.5.2 (SPNEGO), along with Kerberos as a
> negotiable mechanism.  This is beneficial behavior for MS
> compatibility, just not for JDK compatiblity.
>
> - 1.2.840.113554.1.2.2  Kerberos v5 (MIT)
> - 1.3.5.1.5.2         Kerberos v5  (mechanism)
> - 1.2.840.48018.1.2.2 Kerberos v5 (MS)
>
> I see this behavior with Firefox 1.5.0.12 and 2.0.0.1.

Ok. Just a question, not sure is it relevant : if we have our own SPNEGO 
codec, would it help ? (because we have this codec somewhere, but sandboxed)

>
> Other than that, if you run the example web app with JDK 1.6 it works
> great.  I added the minimum of web pages around it to show how you
> could authenticate a session.  

Ok, this is just fine !

> Also, criticism of my Wicket skillz is
> welcome; I'm a bit new to it.

Np, this is just a demo/test apps. As soon as it works ... I bet we 
would like to create a more serious demonstrator some time, but I don't 
know how we can set it up on directory.a.o.

>
> Enrique
>
> [1]  
> http://svn.apache.org/repos/asf/directory/sandbox/erodriguez/kerberos-spnego/ 
>
>


Mime
View raw message