Hi Asaf

Thanks for watching the list. :)

Basically I want to encode "HTTP on host.server.com" into a service principal like "HTTP/[EMAIL PROTECTED]". By changing the nameType to GSSName.NT_HOSTBASED_SERVICE, it means the underlying Kerberos principal should be of the NT-SRV-HST type. According to the RFC 1964[1], its form should be [EMAIL PROTECTED]

Without this change, "HTTP/host.server.com" has no type info. If you're accessing the service from a machine on the CLIENT.COM realm, the service principal is encoded into "HTTP/[EMAIL PROTECTED]" only. With this change, Java will try to find out the realm this service actually belongs to and create the correct principal name.

One way to provide this info is to add these lines into your krb5.conf:

[domain_realm]
.client.com = CLIENT.COM
.server.com = SERVER.COM

Thanks
Max

[1] http://tools.ietf.org/html/rfc1964#section-2.1.2

Asaf Mesika wrote:
> I'm sorry, but I don't understand why you've changed the / to @ in the
> principal name ?
> And how should this help being cross realmed?
>
> On Thu, Mar 20, 2008 at 5:58 AM, <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
>     Changeset: a8d6215fa863
>     Author:    weijun
>     Date:      2008-03-20 11:57 +0800
>     URL:       http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/a8d6215fa863
>
>     6670362: HTTP/SPNEGO should work across realms
>     Reviewed-by: valeriep
>
>     ! src/share/classes/sun/net/www/protocol/http/NegotiatorImpl.java
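
The host-to-realm step that the [domain_realm] lines in the message above feed, as an added Python sketch that is not part of the original message and is not JDK or MIT Kerberos code. The function names, the default_realm line and the fall-back to the default realm when no entry matches are assumptions made for the illustration.

```python
# Added illustration: simplified model of [domain_realm] lookup (hypothetical helpers).
KRB5_CONF = """\
[libdefaults]
    default_realm = CLIENT.COM
[domain_realm]
    .client.com = CLIENT.COM
    .server.com = SERVER.COM
"""  # constructed sample; the [domain_realm] entries are the ones from the message


def parse_section(text, section):
    """Return the key = value pairs of one krb5.conf section as a dict."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[key.lower()] = value
    return entries


def host_to_realm(host, domain_realm):
    """Exact host entry first, then parent domains from longest to shortest."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):  # ".server.com" form, then "server.com"
            if key in domain_realm:
                return domain_realm[key]
    return None


def service_principal(hostbased, conf_text=KRB5_CONF):
    """Turn 'service@host' into 'service/host@REALM' using [domain_realm]."""
    service, sep, host = hostbased.partition("@")
    if not (service and sep and host):
        raise ValueError("expected service@host")
    realm = host_to_realm(host, parse_section(conf_text, "domain_realm"))
    if realm is None:  # assumption: no mapping means the client's default realm
        realm = parse_section(conf_text, "libdefaults").get("default_realm")
    if realm is None:
        raise LookupError("no realm mapping and no default_realm")
    return f"{service}/{host.lower()}@{realm}"
```

With the sample configuration, service_principal("HTTP@host.server.com") resolves to the SERVER.COM realm, while a host with no matching entry falls back to CLIENT.COM, the untyped-name outcome the message describes.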