Whoops, i reversed the condition of the if statement, it should be: //check if the credentials can be delegated if (context.getCredDelegState()) { ... }
On Tue, Mar 29, 2011 at 9:47 PM, Borut Hadžialić <borut.hadzia...@gmail.com> wrote: > Would adding support for client credential delegation be out of scope > for this implementation or not? > > Client credential delegation is when you use the spnego token > construct a javax.security.auth.Subject instance that represents the > client - which the server side application can use this to impersonate > the client (eg. connect to some Kerberized database as the client that > sent the request, or consume some other kerberized service as the > client). > > The code for creating such a Subject would be something like this: > > GSSContext context = > GSSManager.getInstance().createContext((GSSCredential) null); > context.acceptSecContext(...); > > //check if the credentials can be delegated > if (!context.getCredDelegState()) { > > //get the delegated credentials from the calling peer... > GSSCredential clientCred = context.getDelegCred(); > > //Create a Subject out of the delegated credentials. > //With this Subject the application server can impersonate the > client that sent the request. > Subject clientSubject = > com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(), > clientCred); > } > > //Store the clientSubject somewhere - maybe to the HttpServletRequest? > > I am sure this would be useful for some applications - for example the > one that we are currently developing needs functionality like this. > > On Tue, Mar 29, 2011 at 9:09 PM, Mark Thomas <ma...@apache.org> wrote: >> On 29/03/2011 15:20, Mark Thomas wrote: >>> On 28/03/2011 22:31, Stefan Mayr wrote: >>>> Native SPNEGO in Tomcat sounds great. Waiting a little while depends on >>>> your scale of "little". Is there already some development we can follow? >>>> Will this use Java GSS? I never figured out how to configure this with >>>> Tomcat. >>> >>> "little" hopefully means the next week or so in a 7.0.12 release. I have >>> a handful of things I need/want to get into 7.0.12 and SPNEGO is one of >>> them. >>> >>> Having spent more time than I want to think about and having lost count >>> of the number of times I re-installed Windows 2k8 server to test this, I >>> finally got this working a few minutes ago. The current code is *very* >>> rough and ready and it only does authentication, not authorisation so I >>> still have some work to do. >>> >>> The solution is based on ideas from Spring Security's Kerberos extension >>> and the most recent patches attached to bug 48685. >>> >>> I'll be committing an initial implementation once I have cleaned up the >>> code a bit and then I'll build on that to add authorisation, more >>> configuration etc. >> >> The first part just got committed [1]. More to follow over the next day >> or so. >> >> Mark >> >> [1] http://svn.apache.org/viewvc?rev=1086683&view=rev >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > > > -- > Why? > Because YES! > -- Why? Because YES! --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org