[jcifs] Kerberos over HTTP
Eric
eglass1 at attbi.com
Mon Jan 20 23:51:06 EST 2003
Christopher R. Hertel wrote:
> I assume folks are aware of this draft:
>
> http://meta.cesnet.cz/software/heimdal/draft-brezak-spnego-http-04.txt
>
> Would be interesting to extend the jCIFS tools to do Kerberos. ;)
>
I actually looked at this awhile back; Java 1.4 provides the GSSAPI
framework in the org.ietf.jgss package. The authentication protocol
presented in the draft, if I remember correctly, simply encodes the
token generated by GSSContext.initSecContext() in Base64 and sends that
to the client; the client produces a reply in similar form, and the
server Base64-decodes that and applies it as the argument to
GSSContext.acceptSecContext(). This sequence continues until
GSSContext.isEstablished() returns true (in which case the session has
been established).

The big stumbling block (for me anyways) is that I couldn't find a
readily available implementation of the SPNEGO mechanism used by the
protocol (GSSAPI is essentially a generic challenge-response framework
for authentication); Java ships with a Kerberos implementation, but
SPNEGO essentially provides a mechanism for negotiation between client
and server of an underlying mechanism. While it turns out that Kerberos
is the underlying mechanism supported by this HTTP authentication
protocol, it still needs to be "negotiated" via SPNEGO.

SPNEGO is documented in RFC 2478, if anyone wants to take a crack at
implementing a GSSAPI provider for this mechanism; development of a
Servlet filter wrapping the necessary GSSAPI calls would be fairly easy
given that.

Eric
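
The message above describes the HTTP tokens as Base64-encoded GSSAPI output in which Kerberos still has to be negotiated inside SPNEGO. As an added example (not part of the original message and not jCIFS code), this Java 17+ class decodes such a header value and lists the mechanism OIDs carried in the RFC 2478 NegTokenInit, so a server or log reviewer can confirm that Kerberos is what was offered. The `Negotiate` scheme name is taken from the draft rather than from this post; the class and method names are hypothetical and the sample token is constructed.

```java
import java.util.*;

public class NegotiateTokenInspector {   // hypothetical class, not part of jCIFS
    static final String SPNEGO = "1.3.6.1.5.5.2", KRB5 = "1.2.840.113554.1.2.2";
    private final byte[] b;
    private int pos;
    NegotiateTokenInspector(byte[] b) { this.b = b; }

    int enter(int tag) {   // consume a DER tag and length, bounds-checked; return content end offset
        if (pos + 2 > b.length || (b[pos++] & 0xff) != tag)
            throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(tag));
        int len = b[pos++] & 0xff;
        if (len >= 0x80) {   // long form: low 7 bits give the number of length octets
            int n = len & 0x7f;
            if (n == 0 || n > 3 || pos + n > b.length) throw new IllegalArgumentException("bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | (b[pos++] & 0xff);
        }
        if (len > b.length - pos) throw new IllegalArgumentException("length overruns token");
        return pos + len;
    }
    String oid() {   // decode one OBJECT IDENTIFIER into dotted form
        int end = enter(0x06);
        StringBuilder s = new StringBuilder();
        for (long v = 0; pos < end; ) {
            int o = b[pos++] & 0xff;
            v = (v << 7) | (o & 0x7f);
            if ((o & 0x80) != 0) continue;   // more base-128 digits follow
            s.append(s.length() == 0 ? Math.min(v / 40, 2) + "." + (v < 80 ? v % 40 : v - 80) : "." + v);
            v = 0;
        }
        return s.toString();
    }
    static List<String> offeredMechs(String headerValue) {   // mechTypes OIDs from a header value
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate"))
            throw new IllegalArgumentException("not a Negotiate header value");
        NegotiateTokenInspector p = new NegotiateTokenInspector(Base64.getDecoder().decode(parts[1]));
        p.enter(0x60);   // GSS-API initial context token wrapper
        if (!SPNEGO.equals(p.oid())) throw new IllegalArgumentException("not SPNEGO-wrapped");
        p.enter(0xa0); p.enter(0x30); p.enter(0xa0);   // NegTokenInit, its SEQUENCE, [0] mechTypes
        List<String> mechs = new ArrayList<>();
        for (int end = p.enter(0x30); p.pos < end; ) mechs.add(p.oid());
        return mechs;
    }
    public static void main(String[] args) {
        // Constructed sample: NegTokenInit offering Kerberos V5 with a 4-byte dummy mechToken.
        byte[] tok = HexFormat.of().parseHex(
            "602306062b0601050502a0193017a00d300b06092a864886f712010202a2060404deadbeef");
        List<String> mechs = offeredMechs("Negotiate " + Base64.getEncoder().encodeToString(tok));
        System.out.println("mechTypes=" + mechs + " kerberosOffered=" + mechs.contains(KRB5));
    }
}
```

A token that fails the wrapper or OID check raises IllegalArgumentException, which a filter can treat as "not SPNEGO" before anything is handed to GSSContext.acceptSecContext().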