Hi All

The current implementation of HTTP Negotiate authentication has not enabled credential delegation (it simply acquires a new one using either a cached TGT or username/password from Authenticator). This means that in a multi-tier application, a middle tier cannot start an HTTP request (to the backend server) on behalf of the client.

I'm suggesting the following updates:

1. In java.net.Authenticator, add 2 methods

    protected GSSCredential getGSSCredential() {
        return null;
    }

    public static GSSCredential requestGSSCredential() {
        Authenticator a = theAuthenticator;
        if (a == null) {
            return null;
        } else {
            return a.getGSSCredential();
        }
    }

2. In the implementation of the HTTP Negotiate auth scheme (sun.net.www.protocol.http.NegotiatorImpl),

    GSSCredential deleg = Authenticator.requestGSSCredential();
    context = manager.createContext(serverName,
                                    oid,
                                    deleg,   // this used to be null
                                    GSSContext.DEFAULT_LIFETIME);

Then, when an application developer is creating a GSS server that wants to start an HTTP request using a delegated credential, she can write:

    // establish the GSSContext
    final GSSCredential deleg = context.getDelegCred();
    Authenticator.setDefault(new Authenticator() {
        @Override
        protected GSSCredential getGSSCredential() {
            return deleg;
        }
    });
    new URL("http://somewhere").openConnection().getInputStream();

What's your comment?

Thanks
Max
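
The "// establish the GSSContext" step from the message above, written out with the standard org.ietf.jgss API as an added example (not part of the original message and not JDK code). The class name, method name and the TokenChannel transport interface are hypothetical, and the service is assumed to have its Kerberos acceptor key available through its JAAS/keytab configuration.

```java
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class DelegatedCredentialAcceptor {

    /** Hypothetical transport carrying GSS tokens between client and middle tier. */
    public interface TokenChannel {
        byte[] receive() throws IOException;
        void send(byte[] token) throws IOException;
    }

    /**
     * Accepts a Kerberos security context from the client and returns the
     * credential the client delegated, or null if it delegated none.
     */
    public static GSSCredential acceptAndGetDelegated(TokenChannel channel)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism

        // Acceptor-only credential for the middle tier's own service principal.
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, krb5,
                GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serverCred);
        try {
            // Exchange tokens until the context is fully established.
            while (!context.isEstablished()) {
                byte[] in = channel.receive();
                byte[] out = context.acceptSecContext(in, 0, in.length);
                if (out != null) {
                    channel.send(out);
                }
            }
            // Only a client that requested delegation hands over a credential;
            // check the state flag before asking for it.
            if (!context.getCredDelegState()) {
                return null;
            }
            return context.getDelegCred();
        } finally {
            context.dispose();
        }
    }
}
```

The caller owns the returned credential and should call dispose() on it once the backend request has completed.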