
Delegate/forward Kerberos tickets with Spring Security

Open mohancse1707 opened this issue 8 years ago • 4 comments

We are looking to delegate/forward Kerberos tickets with Spring Security. While googling, we found the reference below, "Delegate/forward Kerberos", saying it is not available.

Is there any plan for this to be provided as part of a future spring-security-kerberos release?

mohancse1707 avatar Nov 24 '16 11:11 mohancse1707

This is already possible.

The SunJaasKerberosTicketValidator can be configured to store the authentication context:

ticketValidator.setHoldOnToGSSContext(true);

After that, you can reuse that context to delegate:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

if (authentication instanceof KerberosServiceRequestToken) {
    KerberosServiceRequestToken token = (KerberosServiceRequestToken) authentication;

    if (token.getTicketValidation() == null) {
        // No delegation possible...
    } else {
        GSSContext context = token.getTicketValidation().getGssContext();

        // ...
    }
}

koraktor avatar Nov 24 '16 13:11 koraktor

@koraktor When will the context be disposed? It might not be obvious how to free/dispose the context...

dariusan avatar Nov 07 '18 12:11 dariusan

@dariusan ticketValidator.setHoldOnToGSSContext(true); causes SunJaasKerberosTicketValidator to not dispose the context automatically.

koraktor avatar Nov 07 '18 14:11 koraktor

@koraktor Exactly my point. The context might never be disposed because of this and thus leak. What we want is just the delegation credentials from the context, store them within the authentication object and dispose the context right afterwards, as already implemented within the "multi tier" functionality.

dariusan avatar Nov 07 '18 14:11 dariusan
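
The pattern discussed in this thread, sketched as an added example (not code from any participant or from the spring-security-kerberos project): take the delegated credential out of the held GSSContext, dispose the context immediately, and use the credential once for a backend call. It assumes `setHoldOnToGSSContext(true)` is configured and that the client actually delegated a credential; the class name `DelegationHelper`, its method names, and a service name such as `HTTP@backend.example.com` are hypothetical.

```java
import org.ietf.jgss.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.KerberosTicketValidation;

/** Hypothetical helper, not part of spring-security-kerberos. */
public final class DelegationHelper {

    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2"; // Kerberos V5

    /**
     * Takes the delegated credential out of the held GSSContext and disposes the
     * context in every case. Call at most once per authentication, because the
     * context is unusable afterwards. Returns null if nothing was delegated.
     */
    public static GSSCredential takeDelegatedCredential() throws GSSException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KerberosServiceRequestToken)) {
            return null;
        }
        KerberosTicketValidation validation = ((KerberosServiceRequestToken) auth).getTicketValidation();
        GSSContext held = (validation == null) ? null : validation.getGssContext();
        if (held == null) {
            return null; // no context available on this authentication
        }
        try {
            return held.getCredDelegState() ? held.getDelegCred() : null;
        } finally {
            held.dispose(); // free the context here so it cannot leak
        }
    }

    /**
     * Builds the first token for a backend service on the user's behalf, then
     * disposes both the outbound context and the delegated credential.
     */
    public static byte[] firstTokenFor(String backendService, GSSCredential delegated) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext outbound = manager.createContext(peer, new Oid(KRB5_MECH_OID), delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            return outbound.initSecContext(new byte[0], 0, 0);
        } finally {
            outbound.dispose();
            delegated.dispose(); // a delegated credential is as sensitive as the user's own ticket
        }
    }
}
```

Both methods release their GSS resources in `finally`, so an exception during delegation does not leave a context or a forwarded credential alive in memory.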