This repository has been archived by the owner on Aug 14, 2021. It is now read-only.
Allow use of platform gss for kerberos authentication #13
Hi guys,
This seems like the most up-to-date source from jcifs that has Kerberos support. Thanks for the work in understanding and implementing the negotiation!

I was trying to use the platform GSS integration (as described in "Native platform GSS integration" at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html), and noticed that the code in `jcifs.smb.Kerb5Authenticator#sessionSetup` assumes the use of only JAAS.

As per the JGSS documentation, when the `sun.security.jgss.native` system property is set to true, the platform GSS implementation should be used for GSSCredential fetch and JAAS configuration files are not necessary. We can have the platform provide the GSS Credential when calling `org.ietf.jgss.GSSManager#createContext(org.ietf.jgss.GSSName, org.ietf.jgss.Oid, org.ietf.jgss.GSSCredential, int)` with the GSSCredential as `null` - similar to what is done in `jcifs.smb.Kerb5Authenticator#createContext`.

In this PR, I have created a new `Kerb5PlatformGssAuthenticator` (which is completely inspired by the flow in `jcifs.smb.Kerb5Authenticator`) that doesn't have any notion of `javax.security.auth.Subject` (because it is handled by the platform (or host) implementation). The best way to see it in action is `examples/KerberosPlatformGSSAuthExample` (again inspired by `examples/KerberosAuthExample`).

There are a few other mvn-related cleanups that you can see if you deem fit.
Please let me know if there are any questions.
Thanks!
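
The `createContext` call with a `null` credential that the description refers to, as an added example that is not code from this PR or from jcifs. The class name `PlatformGssContextExample`, the `cifs@host` target form and the host `fileserver.example.com` are assumptions; run it with `-Dsun.security.jgss.native=true` on a host that already holds a Kerberos ticket.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added example: class name, target name form and host are assumptions.
public class PlatformGssContextExample {
    // Kerberos V5 mechanism OID.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    static GSSContext newInitiatorContext(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Host-based service name; "cifs" as the SMB service is an assumption.
        GSSName target = manager.createName("cifs@" + host, GSSName.NT_HOSTBASED_SERVICE);
        // null credential: the GSS provider supplies the default initiator
        // credential, so no JAAS login or Subject is involved here.
        GSSContext ctx = manager.createContext(
                target, new Oid(KRB5_MECH), null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // require the server to prove its identity
        ctx.requestCredDeleg(false);   // do not forward the user's ticket
        return ctx;
    }

    public static void main(String[] args) throws GSSException {
        // Must be set at JVM start (-Dsun.security.jgss.native=true) so the
        // native provider is selected before any GSS class is used.
        if (!Boolean.getBoolean("sun.security.jgss.native")) {
            System.err.println("sun.security.jgss.native is not true; "
                    + "the JVM would use its built-in Kerberos and JAAS instead");
            System.exit(2);
        }
        String host = args.length > 0 ? args[0] : "fileserver.example.com";
        GSSContext ctx = newInitiatorContext(host);
        try {
            // First token of the exchange; an SMB client would place it in the
            // session setup request and feed the server's reply back in.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("initial token: " + token.length + " bytes, established="
                    + ctx.isEstablished());
        } catch (GSSException e) {
            // Typical cause: no ticket in the platform credential cache.
            System.err.println("GSS failure: " + e.getMajorString() + " / " + e.getMinorString());
        } finally {
            ctx.dispose();
        }
    }
}
```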