Glassfish does not support SPNEGO and Kerberos – Yet

I had an interesting time this week working out whether Glassfish supports Kerberos and SPNEGO. For those who have not read my previous post, pretty much everything now has baked-in support for Kerberos. For web apps, there is a security protocol over HTTP called SPNEGO which lets browsers use single sign-on with web servers.
So, does Glassfish support SPNEGO and Kerberos? The short answer is no. The longer answer is that all of the bits that you need to implement it are in place, such as:

  1. Krb5LoginModule (Added in JDK1.4.2)
  2. SPNEGO (Added in Java 6)
  3. A richer security plugin facility in JMAC/JSR196 for which Glassfish is the reference implementation

I am thinking about writing, or better still, convincing someone else to write this missing piece.
It would work as follows:

  1. JMAC module in servlet container rejects the request with HTTP 401 (Unauthorized) and a “WWW-Authenticate: Negotiate” header
  2. browser computes a SPNEGO token and resends the request with an Authorization: Negotiate header containing the base64 encoded SPNEGO token (as you pointed out, we can find browsers that already know how to do this).
  3. JMAC module decodes the token and uses it to call gss_accept_sec_context.
  4. JMAC module returns an appropriate HTTP status code and header based on the outcome of the gss accept.
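The four steps above as an added example, not code from this post or from Glassfish: a hypothetical JSR-196 ServerAuthModule that uses Java's GSS-API (org.ietf.jgss) to accept the browser's SPNEGO token. It assumes Java 8 APIs, a single-leg Kerberos exchange, and that the deployer supplies an acceptor GSSCredential for the HTTP/host service principal under the made-up option key "acceptorCredential"; the class name is also made up.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
import org.ietf.jgss.*;
// Hypothetical JSR-196 SPNEGO module: an added sketch, not Glassfish or project code.
public class SpnegoServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    private GSSCredential acceptorCred; // assumed: HTTP/host@REALM acceptor credential supplied by the deployer
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map options) {
        handler = h;
        acceptorCred = (GSSCredential) options.get("acceptorCredential"); // assumed option key
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) mi.getResponseMessage();
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {   // step 1: no token yet, challenge the browser
            res.setHeader("WWW-Authenticate", "Negotiate");
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        }
        try {
            // step 3: base64-decode the browser's token and hand it to the GSS acceptor
            byte[] token = Base64.getDecoder().decode(auth.substring("Negotiate ".length()).trim());
            GSSContext ctx = GSSManager.getInstance().createContext(acceptorCred);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            // mutual auth: return the acceptor's token so the browser can verify the server
            if (reply != null) res.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(reply));
            if (!ctx.isEstablished()) {   // simplification: Kerberos via SPNEGO is one leg, so treat more legs as failure
                throw new GSSException(GSSException.FAILURE);
            }
            String caller = ctx.getSrcName().toString();   // e.g. alice@EXAMPLE.COM
            ctx.dispose();
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller) });
            return AuthStatus.SUCCESS;   // step 4, success: container proceeds with the caller principal set
        } catch (GSSException | IOException | UnsupportedCallbackException e) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);   // step 4, failure: reject without a new challenge
            return AuthStatus.SEND_FAILURE;
        }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { }
}
```

Acquiring the acceptor credential itself needs a Kerberos JAAS login (Krb5LoginModule with a keytab) and GSSManager.createCredential under the SPNEGO mechanism, which the module above leaves to the deployer.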