  1. HttpComponents HttpClient
  2. HTTPCLIENT-1873

Kerberos delegation no longer working after HTTPCLIENT-1736 patch in version 4.5.3

Details

    Description

      In version 4.5.3, the following fix got applied to the httpclient library:

      HTTPCLIENT-1736 do not request cred delegation by default when using Kerberos auth.
      Contributed by Oleg Kalnichevski <olegk at apache.org>

      Although it says "by default", when looking at the affected code it's not the case (i.e.: there is no way to request if we want it). From our tests and my understanding of Kerberos, if a user account is not allowed to be used for delegation, then you can still request delegation, but when creating the user token, it'll simply not be applied.

      Affected area:
      In the class "GSSSchemeBase", in the method "createGSSContext", we need the following line added back:

      gssContext.requestCredDeleg(true);

      *OR*

      If you insist on leaving it off for a reason I'm not aware of, having a way, maybe through a system property, to say that we want it.

      IMHO, one of the main reasons for using Kerberos in an enterprise environment is to be able to make use of delegation (double hop scenarios).
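
An added example, not part of the original report and not HttpClient's own code: one way to provide the opt-in asked for above while keeping credential delegation off unless it is explicitly enabled. The class name, the property name `example.kerberos.requestCredDeleg` and the host are hypothetical, and running it assumes a working Kerberos configuration (krb5.conf and a usable ticket).

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class DelegationOptIn {
    // Hypothetical property name (assumption); HttpClient does not define it.
    static final String DELEG_PROPERTY = "example.kerberos.requestCredDeleg";
    // Kerberos V5 mechanism OID.
    static final String KERBEROS_OID = "1.2.840.113554.1.2.2";

    /** Delegation stays off unless the property is explicitly set to "true". */
    static boolean delegationRequested() {
        return Boolean.getBoolean(DELEG_PROPERTY);
    }

    /** Builds an initiator context for HTTP@host using the caller's default credentials. */
    static GSSContext createGSSContext(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid mech = new Oid(KERBEROS_OID);
        GSSName server = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                server.canonicalize(mech), mech, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // Delegated credentials let the server act as the user toward other
        // services, so they are requested only on explicit opt-in.
        ctx.requestCredDeleg(delegationRequested());
        return ctx;
    }

    /** Once the context is established, reports whether delegation was actually granted. */
    static boolean delegationGranted(GSSContext ctx) {
        return ctx.isEstablished() && ctx.getCredDelegState();
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample host; pass a real service host as the first argument.
        GSSContext ctx = createGSSContext(args.length > 0 ? args[0] : "service.example.test");
        System.out.println("delegation requested: " + ctx.getCredDelegState());
        ctx.dispose();
    }
}
```

Run with `-Dexample.kerberos.requestCredDeleg=true` to request delegation; after the token exchange completes, `delegationGranted` shows whether the request was honoured for that account.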

          People

            Unassigned Unassigned
            UlrichColby Ulrich Colby