manifoldcf-dev mailing list archives

From "Karl Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CONNECTORS-1103) Add Kerberos support for all connectors that currently use NTLM
Date Fri, 14 Nov 2014 19:38:34 GMT

    [ https://issues.apache.org/jira/browse/CONNECTORS-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14212715#comment-14212715 ]

Karl Wright commented on CONNECTORS-1103:
-----------------------------------------

> Is this something you'd be working on?

Yes, the default will remain implicit GSSCredential, alternative will be to pass the GSSCredential
which can be obtained by LoginContext or even be a delegated credential from an HTTP request.

> If not, can you point me at an email trail or something describing how 
> to work around this in HttpClient?

You can try the following while the solution above is not available yet:

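import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// "login-entry-name" names an entry in the JAAS login configuration
LoginContext lc = new LoginContext("login-entry-name");
lc.login();

YourReturnObject instance;

// Run the HTTP calls as the logged-in subject
instance = Subject.doAs(lc.getSubject(),
   new PrivilegedExceptionAction<YourReturnObject>() {

     public YourReturnObject run() throws SomeException {

       // Perform HTTPClient operations

       return yourReturnObjectInstance;
     }
   });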

Done. Have a look at these sources [1], [2] I wrote, it does exactly what you need. Adapt
that pattern.

JGSS will by default use the GSSCredential scoped in the subject provided by lc.

[1] http://dirctxsrc.sourceforge.net/xref/net/sf/michaelo/dirctxsrc/DirContextSource.html#L510
[2] http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/CurrentWindowsIdentityAuthenticator.html#L93



> Add Kerberos support for all connectors that currently use NTLM
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1103
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1103
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: FileNet connector, LiveLink connector, RSS connector, SharePoint connector, Web connector
>    Affects Versions: ManifoldCF 1.7.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.8, ManifoldCF 2.0
>
>
> You can solve your local ticket store by using LoginContext and appropriate keytabs. Obtain the GSSCredential and go. Every connection instance can act independently. Regardless of the OS.
> If you cache the subject issued by the aforementioned LoginContext, you can always say: GssCredential#getRemainingLifetime or invoke a fresh LoginContext as you think fit.
> Unfortunately, HTTPClient does not support direct use of GSSCredential and always assumes implicit credential. Fortunately, there are several ways to solve that problem too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
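
Added example (not part of the original message or of ManifoldCF's code): one way to apply the pattern described above, with a keytab login, a cached Subject, and a fresh LoginContext once GSSCredential#getRemainingLifetime drops below a threshold. The class name, the "keytab-login" entry name and the 300-second threshold are assumptions; running it needs a real keytab and a reachable KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

/** Hypothetical per-connection holder: keytab login, cached Subject, re-login near expiry. */
public class KeytabSubjectCache {
  private static final int MIN_LIFETIME_SECONDS = 300; // assumed refresh threshold
  private final Configuration jaasConfig;
  private Subject subject;

  public KeytabSubjectCache(String principal, String keytabPath) {
    Map<String, String> opts = new HashMap<>();
    opts.put("useKeyTab", "true");
    opts.put("keyTab", keytabPath);
    opts.put("principal", principal);
    opts.put("storeKey", "true");
    opts.put("doNotPrompt", "true");
    opts.put("useTicketCache", "false"); // independent of any OS-level ticket store
    AppConfigurationEntry entry = new AppConfigurationEntry(
        "com.sun.security.auth.module.Krb5LoginModule",
        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
    // In-memory JAAS configuration, so no external login config file is needed
    this.jaasConfig = new Configuration() {
      @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] { entry };
      }
    };
  }

  /** Runs the action (e.g. the HttpClient calls) as a Subject with enough lifetime left. */
  public synchronized <T> T run(PrivilegedExceptionAction<T> action) throws Exception {
    if (subject == null || remainingLifetime(subject) < MIN_LIFETIME_SECONDS) {
      LoginContext lc = new LoginContext("keytab-login", null, null, jaasConfig);
      lc.login();
      subject = lc.getSubject();
    }
    return Subject.doAs(subject, action);
  }

  /** Seconds left on the Subject's default initiator credential; 0 if it is unusable. */
  private static int remainingLifetime(Subject s) {
    try {
      return Subject.doAs(s, (PrivilegedExceptionAction<Integer>) () -> GSSManager.getInstance()
          .createCredential(GSSCredential.INITIATE_ONLY).getRemainingLifetime());
    } catch (Exception e) { return 0; } // expired or missing credential: force a fresh login
  }
}
```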
