tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject SpnegoAuthenticator feedback
Date Wed, 20 Apr 2011 20:00:12 GMT
Here are some thoughts on the implementation

1. |com.sun.security.jgss.initiate is not needed
This definition is not needed in jaas.conf. Tomcat is not a client in this case, it's a server
accepting tickets.
the .initiate is only for clients that request a Kerberos ticket from the KDC.
The example works fine removing this entry all together.


2. com.sun.security.jgss.krb5.accept is not configurable
While the authenticator has the attribute loginConfigName, there seems to be a place in the
code where it omits this entry.
renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket

The problem code is here:

             gssContext = manager.createContext(manager.createCredential(null,
                     GSSCredential.DEFAULT_LIFETIME,
                     new Oid("1.3.6.1.5.5.2"),
                     GSSCredential.ACCEPT_ONLY));

should look like
             final GSSManager manager = GSSManager.getInstance();
             final PrivilegedExceptionAction<GSSCredential> action =
                 new PrivilegedExceptionAction<GSSCredential>() {
                     public GSSCredential run() throws GSSException {
                         return manager.createCredential(null,
                                 GSSCredential.DEFAULT_LIFETIME,
                                 new Oid("1.3.6.1.5.5.2"),
                                 GSSCredential.ACCEPT_ONLY);
                     }
                 };
             gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));||


best
Filip
|

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message