-
Bug
-
Resolution: Fixed
-
P3
-
6
-
b17
-
generic
-
generic
-
Not verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2150899 | 6u4 | Weijun Wang | P3 | Resolved | Fixed | b02 |
Support for HTTP/SPNEGO is available starting from Java SE 6.
However, the Java implementation of HTTP Negotiate currently does not support "delegation".
The GSS context flag for delegation needs to be enabled based on configuration.
Mozilla/Firefox supports the following configuration parameters via about:config
to enable delegation:
- network.negotiate-auth.delegation-uris
- network.negotiate-auth.trusted-uris
1. network.negotiate-auth.trusted-uris
URIs to attempt GSSAPI Negotiate authentication with. Set this to a comma-separated list of sites to automatically authenticate to; for example, "https://, sun.com" will enable Negotiate authentication for all secure servers and all sites in the sun.com domain.
2. network.negotiate-auth.delegation-uris
URIs to delegate credentials to. Same syntax as above.
IE uses the OK_TO_DELEGATE Kerberos service ticket flag to enable delegation.
In Active Directory, the SPN needs to be enabled with the OK-TO-DELEGATE flag. However, not all Kerberos implementations support this flag. Hence, this flag should be checked only if available.
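An added example, not the JDK's own code or the fix for this issue: one way a JGSS client could gate the delegation flag on Firefox-style URI lists as described above. The class and method names and the sample list values are hypothetical, and entries carrying a port or path are not handled.

```java
import java.net.URI;
import java.util.Locale;
import org.ietf.jgss.*;

public class DelegationPolicy {
    // SPNEGO mechanism OID (RFC 4178)
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** True if target matches an entry of a Firefox-style comma-separated list. */
    static boolean matches(String list, URI target) {
        if (list == null || target.getHost() == null || target.getScheme() == null) return false;
        String scheme = target.getScheme().toLowerCase(Locale.ROOT);
        String host = target.getHost().toLowerCase(Locale.ROOT);
        for (String raw : list.split(",")) {
            String entry = raw.trim().toLowerCase(Locale.ROOT);
            if (entry.isEmpty()) continue;          // a blank entry must never match everything
            int sep = entry.indexOf("://");
            if (sep >= 0) {
                if (!entry.substring(0, sep).equals(scheme)) continue;
                entry = entry.substring(sep + 3);
                if (entry.isEmpty()) return true;   // "https://" = every host on that scheme
            }
            // Match on a label boundary so "sun.com" does not match "notsun.com".
            if (host.equals(entry) || host.endsWith("." + entry)) return true;
        }
        return false;
    }

    /** Returns null when Negotiate should not be attempted for this target. */
    static GSSContext newContext(URI target, String trusted, String delegation) throws GSSException {
        if (!matches(trusted, target)) return null;
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName("HTTP@" + target.getHost(), GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // Delegation is off unless the target is explicitly listed.
        ctx.requestCredDeleg(matches(delegation, target));
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String trusted = "https://, sun.com";            // constructed sample values
        String delegation = "https://intranet.sun.com";
        for (String u : new String[] {"https://intranet.sun.com/app", "http://www.sun.com/", "http://sun.com.example.net/"}) {
            GSSContext ctx = newContext(URI.create(u), trusted, delegation);
            System.out.println(u + " -> " + (ctx == null ? "no Negotiate" : "delegate=" + ctx.getCredDelegState()));
        }
    }
}
```

Keeping the delegation list separate from, and narrower than, the trusted list limits which services ever receive a forwardable credential.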
Backported by: JDK-2150899 add support for delegation in HTTP/SPNEGO (Resolved)