[jcifs] Kerberos over HTTP

Eric eglass1 at attbi.com
Mon Jan 20 23:51:06 EST 2003

Christopher R. Hertel wrote:
 > I assume folks are aware of this draft:
 > http://meta.cesnet.cz/software/heimdal/draft-brezak-spnego-http-04.txt
 > Would be interesting to extend the jCIFS tools to do Kerberos.  ;)

I actually looked at this awhile back; Java 1.4 provides the GSSAPI
framework in the org.ietf.jgss package.  The authentication protocol
presented in the draft, if I remember correctly, simply encodes the 
token generated by GSSContext.initSecContext() in Base64 and sends that 
to the client; the client produces a reply in similar form, and the 
server Base64-decodes that and applies it as the argument to 
GSSContext.acceptSecContext().  This sequence continues until 
GSSContext.isEstablished() returns true (in which case the session has 
been established).

The big stumbling block (for me anyways) is that I couldn't find a 
readily available implementation of the SPNEGO mechanism used by the 
protocol (GSSAPI is essentially a generic challenge-response framework 
for authentication); Java ships with a Kerberos implementation, but 
SPNEGO essentially provides a mechanism for negotiation between client 
and server of an underlying mechanism.  While it turns out that Kerberos 
is the underlying mechanism supported by thid HTTP authentication 
protocol, it still needs to be "negotiated" via SPNEGO.

SPNEGO is documented in RFC 2478, if anyone wants to take a crack at 
implementing a GSSAPI provider for this mechanism; development of a 
Servlet filter wrapping the necessary GSSAPI calls would be fairly easy 
given that.


More information about the jcifs mailing list