manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <>
Subject [jira] [Commented] (CONNECTORS-1103) Add Kerberos support for all connectors that currently use NTLM
Date Fri, 14 Nov 2014 19:38:34 GMT


Karl Wright commented on CONNECTORS-1103:

> Is this something you'd be working on?

Yes, the default will remain implicit GSSCredential, alternative will be to pass the GSSCredential
which can be obtained by LoginContext or even be a delegated credential from an HTTP request.

> If not, can you point me at an email trail or something describing how 
> to work around this in HttpClient?

You can try the following while the solution above is not available yet:

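import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// "login-entry-name" is the name of an entry in the JAAS login configuration
LoginContext lc = new LoginContext("login-entry-name");
lc.login();

YourReturnObject instance;

// Everything inside run() executes with the Subject from the login above
instance = Subject.doAs(lc.getSubject(),
   new PrivilegedExceptionAction<YourReturnObject>() {

     public YourReturnObject run() throws SomeException {

       // Perform HTTPClient operations

       return yourReturnObjectInstance;
     }
   });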

Done. Have a look at these sources [1], [2] I wrote, it does exactly what you need. Adapt
that pattern.

JGSS will by default use the GSSCredential scoped in the subject provided by lc.


> Add Kerberos support for all connectors that currently use NTLM
> ---------------------------------------------------------------
>                 Key: CONNECTORS-1103
>                 URL:
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: FileNet connector, LiveLink connector, RSS connector, SharePoint connector, Web connector
>    Affects Versions: ManifoldCF 1.7.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.8, ManifoldCF 2.0
>
> You can solve your local ticket store by using LoginContext and appropriate keytabs.
> Obtain the GSSCredential and go. Every connection instance can act independently. Regardless
> of the OS.
> If you cache the subject issued by the aforementioned LoginContext, you can always say:
> GSSCredential#getRemainingLifetime or invoke a fresh LoginContext as you think fit.
> Unfortunately, HTTPClient does not support direct use of GSSCredential and always assumes
> implicit credential. Fortunately, there are several ways to solve that problem too.

This message was sent by Atlassian JIRA
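
The keytab login, cached Subject and GSSCredential#getRemainingLifetime check discussed in this message, sketched as an added example; it is not code from the message, from ManifoldCF or from HttpClient. The class name KeytabCredential, the entry name "keytab-login", the 60-second threshold and the principal and keytab path arguments are assumptions, and the login module options are those of the OpenJDK/Oracle Krb5LoginModule.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Hypothetical helper: one instance per connection, each with its own keytab login. */
public final class KeytabCredential {
  private final Configuration config;
  private Subject subject;
  private GSSCredential credential;

  public KeytabCredential(String principal, String keytabPath) {
    // Keytab only: no shared OS ticket cache and no interactive prompt.
    Map<String, String> opts = Map.of("useKeyTab", "true", "keyTab", keytabPath,
        "principal", principal, "storeKey", "true", "doNotPrompt", "true",
        "useTicketCache", "false");
    AppConfigurationEntry entry = new AppConfigurationEntry(
        "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts);
    this.config = new Configuration() {
      @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {entry};
      }
    };
  }

  /** Returns a credential with at least minSeconds left, logging in again when it runs low. */
  public synchronized GSSCredential get(int minSeconds) throws Exception {
    if (credential == null || credential.getRemainingLifetime() < minSeconds) {
      if (credential != null) { credential.dispose(); credential = null; }
      LoginContext lc = new LoginContext("keytab-login", null, null, config);
      lc.login();
      subject = lc.getSubject();
      credential = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
          GSSManager.getInstance().createCredential(null, GSSCredential.DEFAULT_LIFETIME,
              new Oid("1.2.840.113554.1.2.2"), GSSCredential.INITIATE_ONLY)); // Kerberos V5
    }
    return credential;
  }

  /** Runs work (e.g. HttpClient calls) under the cached Subject so JGSS finds its credential. */
  public <T> T runAs(PrivilegedExceptionAction<T> work) throws Exception {
    Subject current;
    synchronized (this) { get(60); current = subject; }
    return Subject.doAs(current, work);
  }
}
```

Keep the keytab file readable only by the service account, since it holds the principal's long-term key.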