[
https://issues.apache.org/jira/browse/HTTPCLIENT-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16189508#comment-16189508
]
Karsten Spang commented on HTTPCLIENT-1873:
-------------------------------------------
As I read the code, the call to {{gssContext.requestCredDeleg}} overrides the
default in the {{krb5.conf}} file on the system. I would say that the
{{generateGSSToken}} function should use the default, and if an application
needs to override the default, it should use its own {{krb5.conf}} file and set
the property {{java.security.krb5.conf}} to point to it. Alternatively, the
application could extend the {{SPNegoScheme}} class and override
{{generateGSSToken}}.
In other words, in my opinion there should be no call to
{{gssContext.requestCredDeleg}} at all.
In my case, I extended the class, because I needed to change not just this
behaviour, but also to specify a server principal different from "HTTP". There
may be more things that people would want to tweak, so specifying constructor
parameters for them all is probably impractical. Maybe some config object could
be passed to the constructor.
> Kerberos delegation no longer working after HTTPCLIENT-1736 patch in version
> 4.5.3
> ----------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1873
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1873
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic), HttpClient (Windows)
> Affects Versions: 4.5.3, 4.5.4
> Environment: Windows, Linux
> Reporter: Ulrich Colby
> Priority: Minor
> Labels: easyfix
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> In version 4.5.3, the following fix got applied to the httpclient library:
> _ [HTTPCLIENT-1736] do not request cred delegation by default when using
> Kerberos auth.
> Contributed by Oleg Kalnichevski <olegk at apache.org>_
> Although it says "by default", when looking at the affected code it's not the
> case (i.e.: there is no way to request if we want it). From our tests and my
> understanding of Kerberos, if a user account is not allowed to be used for
> delegation, then you can still request delegation, but when creating the user
> token, it'll simply not be applied.
> +Affected area+:
> In the class "GSSSchemeBase", in the method "createGSSContext", we need the
> following line added back:
> *gssContext.requestCredDeleg(true);*
> **OR**
> If you insist on leaving it off for a reason I'm not aware of, having a way,
> maybe through a system property, to say that we want it.
> _IMHO, one of the main reasons for using Kerberos in an enterprise environment
> is to be able to make use of delegation (double hop scenarios)._
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)