On 2015-11-20 at 01:01, Marc Boorshtein wrote:

After you have successfully impersonated the user principal, perform your
HTTP request in a PrivilegedAction with Subject#doAs. That should do.

Thanks Michael. I'll give this a try. Which Kerberos server did you try
this against?  I tried using another example with Red Hat's IPA (I think
it's built on MIT Kerberos) and it didn't like the response tickets from
the KDC since there were no flags being set.


Marc,

I hope you have read this [1] and your environment satisfies the requirements. We have a very very large Active Directory installation at work. Though, I did not try it. Some "wise guys" consider protocol transition a security concern/issue and won't allow it to be enabled.

Regardless of this, having an impersonated ticket shouldn't be any different than an original TGT or a delegated one. The usage flow is always the same, in GSS-API, JGSS or SSPI.

Michael

[1] http://k5wiki.kerberos.org/wiki/Projects/Services4User

