directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enrique Rodriguez" <>
Subject [Kerberos] Kerberos + Wicket, part 2
Date Sat, 09 Jun 2007 03:37:37 GMT
Hi, Directory developers,

I committed an example Wicket web app to my personal sandbox [1].  I
put it in my sandbox because it now requires JDK 1.6 to work.  This
example app used to work with Firefox, but it appears Firefox behavior
has changed in such a way that JDK 1.5 no longer works.  I pinged some
colleagues and I'm still researching if there is a work-around.

Firefox used to send a "GSSAPI/Kerberos v5 OID" and at some point in
the last 6 months it started sending a "SPNEGO OID."  The problem is
that Java 1.5 only supports "GSSAPI/Kerberos v5" and so you get an
exception from jGSS when the SPNEGO OID shows up.  However, with Java
1.6 "SPNEGO" is handled properly.  This causes a compatibility issue
for us since as a project we are on 1.5 hence the commit to my
sandbox.  I'm still trying to determine whether there is a way to
configure which OID (mechanism) Firefox uses in the response.

Firefox used to send 1.2.840.113554.1.2.2 (GSSAPI/Kerberos v5).
Firefox now sends (SPNEGO), along with Kerberos as a
negotiable mechanism.  This is beneficial behavior for MS
compatibility, just not for JDK compatiblity.

- 1.2.840.113554.1.2.2  Kerberos v5 (MIT)
-         Kerberos v5  (mechanism)
- 1.2.840.48018.1.2.2 Kerberos v5 (MS)

I see this behavior with Firefox and

Other than that, if you run the example web app with JDK 1.6 it works
great.  I added the minimum of web pages around it to show how you
could authenticate a session.  Also, criticism of my Wicket skillz is
welcome; I'm a bit new to it.



View raw message