When multiple web pages on the same server all ask for "WWW-Authenticate: Negotiate", or when a single Java program visits different HTTP servers in the same Kerberos realm, each "WWW-Authenticate: Negotiate" challenge triggers a complete Kerberos exchange: acquiring a TGT, acquiring a service ticket, and finally authenticating. If the TGT is acquired not from a cache but from a username/password pair supplied by Authenticator, the pair is prompted for multiple times.
This is because the simple JGSS calls do not remember any tickets, and the HTTP/Negotiate implementation does not use the JAAS Subject-based style.
An ideal approach may look like this: acquire the TGT only once, and only acquire a new service ticket when visiting another HTTP server. Going further, users could acquire multiple TGTs for different realms (when there is no inter-realm trust among them), but this may be beyond the current capability of Authenticator.
On the other hand, some people might use different accounts (in the same realm) to visit different servers, or even different URLs on the same server. If so, they would regard the current implementation as a feature rather than a bug. In that case, 6578647 should be fixed so that the triggering URL is passed to Authenticator.
The best way to deal with this is that if the application is aware of who can visit where, it can call JAAS at the application level first and then make the HTTP/Negotiate calls inside Subject.doAs() blocks.
This bug report is for memo use only at the moment.
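The following is an added example of the application-level workaround described above; it is not code from the bug report or from the JDK. It assumes a JAAS configuration entry named "KrbClient" (a hypothetical name) such as `KrbClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };`, selected with `-Djava.security.auth.login.config=/path/to/jaas.conf`, a working krb5.conf, and the default `javax.security.auth.useSubjectCredsOnly=true`, so that the JGSS layer takes credentials from the Subject on the access-control context instead of prompting through java.net.Authenticator. The sample URLs are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class NegotiateOnce {

    // Hypothetical JAAS entry name (assumption); see the jaas.conf entry in the lead-in.
    private static final String JAAS_ENTRY = "KrbClient";

    /** Log in once: the returned Subject holds the TGT used for every later request. */
    static Subject loginOnce() throws LoginException {
        // Without a CallbackHandler, Krb5LoginModule obtains the TGT from the
        // ticket cache (or a keytab, if configured); no per-URL prompting happens.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /** Fetch one URL; the Negotiate handshake reuses the Kerberos credentials of the current Subject. */
    static int fetchStatus(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            int status = conn.getResponseCode(); // a 401 Negotiate challenge is answered here
            // Drain the body (error stream for 4xx/5xx) so the connection can be reused.
            InputStream in = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
            if (in != null) {
                try (InputStream body = in) {
                    while (body.read() != -1) { /* discard */ }
                }
            }
            return status;
        } finally {
            conn.disconnect();
        }
    }

    /** Run all requests inside one Subject.doAs(): one TGT, one service ticket per server. */
    static void fetchAll(Subject subject, List<URL> urls) throws PrivilegedActionException {
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            for (URL u : urls) {
                System.out.println(u + " -> HTTP " + fetchStatus(u));
            }
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs: two pages on one server and a page on a second server.
        List<URL> urls = Arrays.asList(
                new URL("http://web1.example.com/secure/"),
                new URL("http://web1.example.com/secure/other"),
                new URL("http://web2.example.com/app/"));
        Subject subject = loginOnce();
        fetchAll(subject, urls);
    }
}
```

If an application must use different accounts for different servers, it can create one LoginContext per account (each with its own Subject) and wrap the requests for each server in the matching Subject.doAs() block, which is the "who can visit where" knowledge the report says only the application has.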
Relates to:
- JDK-6578647 Undefined requesting URL in "java.net.Authenticator.getPasswordAuthentication()" (Resolved)
- JDK-6965382 enhance HTTP/SPNEGO test to work with JAAS (Closed)