spring-projects / spring-security-kerberos

Spring Security Kerberos
https://spring.io/projects/spring-security-kerberos

Delegate/forward Kerberos tickets with Spring Security #103

Open mohancse1707 opened 8 years ago

mohancse1707 commented 8 years ago

We are looking to delegate/forward Kerberos tickets with Spring Security. While googling, we found the reference below, "Delegate/forward Kerberos", which says it is not available.

Is there any plan to provide this as part of a future spring-security-kerberos release?

koraktor commented 8 years ago

This is already possible.

The SunJaasKerberosTicketValidator can be configured to store the authentication context:

ticketValidator.setHoldOnToGSSContext(true);

After that, you can reuse that context to delegate:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

if (authentication instanceof KerberosServiceRequestToken) {
    KerberosServiceRequestToken token = (KerberosServiceRequestToken) authentication;

    if (token.getTicketValidation() == null) {
        // No delegation possible...
    } else {
        GSSContext context = token.getTicketValidation().getGssContext();

        // ...
    }
}

dariusan commented 6 years ago

@koraktor When will the context be disposed? It might not be obvious how to free/dispose the context...

koraktor commented 6 years ago

@dariusan ticketValidator.setHoldOnToGSSContext(true); causes SunJaasKerberosTicketValidator to not dispose the context automatically.

dariusan commented 6 years ago

@koraktor Exactly my point. The context might never be disposed because of this and thus leak. What we want is just the delegation credentials from the context: store them within the authentication object and dispose the context right afterwards, as already implemented within the "multi tier" functionality.
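
The pattern discussed in this thread (take the delegated credential out of the held GSSContext, then dispose the context so it cannot leak), as an added example that is not part of the thread or of the project's code. It uses only the JDK's org.ietf.jgss API; the class name, method names and the backend service name passed in are hypothetical, and the context is assumed to come from token.getTicketValidation().getGssContext() as shown above.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper (not part of spring-security-kerberos).
public final class DelegationHelper {

    // Kerberos V5 GSS-API mechanism OID.
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    private DelegationHelper() {}

    /**
     * Takes the delegated credential out of an established acceptor context
     * and always disposes the context, whether or not delegation happened.
     * Returns null when the client did not delegate a credential.
     */
    public static GSSCredential takeDelegatedCredential(GSSContext held) throws GSSException {
        if (held == null) {
            return null;
        }
        try {
            if (!held.isEstablished() || !held.getCredDelegState()) {
                return null; // no forwarded ticket: nothing to act with
            }
            return held.getDelegCred();
        } finally {
            held.dispose(); // release the context held by setHoldOnToGSSContext(true)
        }
    }

    /**
     * Builds the first GSS token for a backend service on behalf of the user.
     * backendService is a host-based name such as "HTTP@backend.example.com" (constructed).
     */
    public static byte[] firstTokenFor(GSSCredential delegated, String backendService) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext outbound = manager.createContext(
                peer, new Oid(KRB5_MECH_OID), delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            outbound.requestCredDeleg(false); // do not forward the user's ticket any further
            return outbound.initSecContext(new byte[0], 0, 0);
        } finally {
            outbound.dispose();
        }
    }
}
```

The returned GSSCredential represents the user's forwarded ticket, so call dispose() on it once the backend call is done rather than keeping it for the lifetime of the session.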