[ 
https://issues.apache.org/jira/browse/NIFI-1274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15196730#comment-15196730
 ] 

Andy LoPresto commented on NIFI-1274:
-------------------------------------

[~mcgilman] and I changed the way the Kerberos ticket was sent from the client 
to the server; instead of being sent on every request, it is now treated the 
same way LDAP authentication is -- the initial credentials are sent to a 
specific endpoint, validated, and exchanged for a JWT that is used on all 
subsequent requests. This reduces browser, network, and server overhead and 
means that the request flow for all but the initial request is identical across 
varying authentication mechanisms. 

Known issues: Firefox does not support SSO with SPNEGO even with custom config; 
Safari is fine out of the box and Chrome works with command line flags. 

Cleaning up, adding documentation, and possibly integration tests if I can get 
MiniKdc to cooperate. PR by EOD 03/16/16. 

More resources that have been helpful:

* [Using GSSManager to validate a Kerberos ticket](http://stackoverflow.com/questions/25289231/using-gssmanager-to-validate-a-kerberos-ticket)
* [MiniKdc Javadoc](http://docs.spring.io/spring-security-kerberos/docs/current/api/org/springframework/security/kerberos/test/MiniKdc.html)
* [Kerberos Authentication Using Java](https://www.doc.ic.ac.uk/csg-old/java/servlets/kerbjava.html)
* [Kerberos RFC 4120](http://www.ietf.org/rfc/rfc4120.txt)
* [Kerberos Replay Mechanism](https://sourceforge.net/p/spnego/feature-requests/3/)


> Kerberos based authentication
> -----------------------------
>
>                 Key: NIFI-1274
>                 URL: https://issues.apache.org/jira/browse/NIFI-1274
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Matt Gilman
>            Assignee: Andy LoPresto
>              Labels: authentication, security
>             Fix For: 0.6.0
>
>
> Add support for Kerberos based authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
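
The credential-for-JWT exchange described in the comment above, sketched as an added example (not NiFi's code and not from the commenter). All function names are hypothetical, the two validators are stand-ins for a real SPNEGO/GSS-API check and an LDAP bind, and the HS256 signing, key and token lifetime are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed; a real server loads a managed key
TTL_SECONDS = 12 * 60 * 60        # assumed token lifetime for this sketch

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64e(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_jwt(subject, mechanism, now):
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": subject, "mech": mechanism,
                              "exp": int(now) + TTL_SECONDS}).encode())
    return f"{header}.{claims}.{sign(header + '.' + claims)}"

def verify_jwt(token, now):
    """Return the claims, or None if the token is malformed, forged or expired."""
    try:
        header, claims, sig = token.split(".")
        # Check the MAC first (constant time), then pin the algorithm.
        if not hmac.compare_digest(sig, sign(f"{header}.{claims}")):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        payload = json.loads(b64d(claims))
        return payload if payload["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

# Stand-in validators (assumptions): each returns an identity or None.
def validate_kerberos(ticket):
    return "alice@EXAMPLE.COM" if ticket == "constructed-spnego-ticket" else None
def validate_ldap(creds):
    return "bob" if creds == ("bob", "constructed-password") else None

VALIDATORS = {"kerberos": validate_kerberos, "ldap": validate_ldap}

def login(mechanism, credential, now):
    # The only mechanism-specific step: validate once, then hand back a JWT.
    validator = VALIDATORS.get(mechanism)
    identity = validator(credential) if validator else None
    return issue_jwt(identity, mechanism, now) if identity else None

def handle_request(token, now):
    # Every later request takes this one path, whatever the login mechanism was.
    claims = verify_jwt(token, now)
    return (200, claims["sub"]) if claims else (401, None)
```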
