tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Borut Hadžialić <borut.hadzia...@gmail.com>
Subject Re: Windows Authentication: Issue 49318 vs 47679
Date Tue, 29 Mar 2011 19:52:43 GMT
Whoops, i reversed the condition of the if statement, it should be:

//check if the credentials can be delegated
if (context.getCredDelegState()) {
...
}

On Tue, Mar 29, 2011 at 9:47 PM, Borut Hadžialić
<borut.hadzialic@gmail.com> wrote:
> Would adding support for client credential delegation be out of scope
> for this implementation or not?
>
> Client credential delegation is when you use the spnego token
> construct a javax.security.auth.Subject instance that represents the
> client - which the server side application can use this to impersonate
> the client (eg. connect to some Kerberized database as the client that
> sent the request, or consume some other kerberized service as the
> client).
>
> The code for creating such a Subject would be something like this:
>
> GSSContext context =
> GSSManager.getInstance().createContext((GSSCredential) null);
> context.acceptSecContext(...);
>
> //check if the credentials can be delegated
> if (!context.getCredDelegState()) {
>
>  //get the delegated credentials from the calling peer...
>  GSSCredential clientCred = context.getDelegCred();
>
>  //Create a Subject out of the delegated credentials.
>  //With this Subject the application server can impersonate the
> client that sent the request.
>  Subject clientSubject =
> com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(),
> clientCred);
> }
>
> //Store the clientSubject somewhere - maybe to the HttpServletRequest?
>
> I am sure this would be useful for some applications - for example the
> one that we are currently developing needs functionality like this.
>
> On Tue, Mar 29, 2011 at 9:09 PM, Mark Thomas <markt@apache.org> wrote:
>> On 29/03/2011 15:20, Mark Thomas wrote:
>>> On 28/03/2011 22:31, Stefan Mayr wrote:
>>>> Native SPNEGO in Tomcat sounds great. Waiting a little while depends on
>>>> your scale of "little". Is there already some development we can follow?
>>>> Will this use Java GSS? I never figured out how to configure this with
>>>> Tomcat.
>>>
>>> "little" hopefully means the next week or so in a 7.0.12 release. I have
>>> a handful of things I need/want to get into 7.0.12 and SPNEGO is one of
>>> them.
>>>
>>> Having spent more time than I want to think about and having lost count
>>> of the number of times I re-installed Windows 2k8 server to test this, I
>>> finally got this working a few minutes ago. The current code is *very*
>>> rough and ready and it only does authentication, not authorisation so I
>>> still have some work to do.
>>>
>>> The solution is based on ideas from Spring Security's Kerberos extension
>>> and the most recent patches attached to bug 48685.
>>>
>>> I'll be committing an initial implementation once I have cleaned up the
>>> code a bit and then I'll build on that to add authorisation, more
>>> configuration etc.
>>
>> The first part just got committed [1]. More to follow over the next day
>> or so.
>>
>> Mark
>>
>> [1] http://svn.apache.org/viewvc?rev=1086683&view=rev
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
>
> --
> Why?
> Because YES!
>



-- 
Why?
Because YES!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message