Glassfish does not support SPNEGO and Kerberos – Yet

I had an interesting time this week working out whether Glassfish supports Kerberos and SPNEGO. For those who have not read my previous post, pretty much everything now has baked-in support for Kerberos. For web apps there is SPNEGO (RFC 4178), the negotiation mechanism that, carried in the HTTP "Negotiate" authentication scheme (RFC 4559), lets browsers do single sign-on against web servers with the user's existing Kerberos ticket.
So, does Glassfish support SPNEGO and Kerberos? The short answer is no. The longer answer is that all of the bits that you need to implement it are in place, such as:

  1. Krb5LoginModule (Added in JDK1.4.2)
  2. SPNEGO (Added in Java 6)
  3. A richer security plugin facility in JMAC/JSR 196 (JASPIC, the Java Authentication SPI for Containers), for which Glassfish is the reference implementation

I am thinking about writing, or better still, convincing someone else to write this missing piece.
It would work as follows:

  1. The JMAC module in the servlet container rejects the unauthenticated request with HTTP 401 (Unauthorized) and a "WWW-Authenticate: Negotiate" header.
  2. The browser obtains a service ticket for HTTP/<host>, wraps it in a SPNEGO token and resends the request with an "Authorization: Negotiate" header containing the base64-encoded token (browsers already know how to do this, although they will only send a ticket to hosts on their configured trusted-site list).
  3. The JMAC module decodes the token and hands it to GSSContext.acceptSecContext (the Java GSS-API equivalent of gss_accept_security_context), running with the server's HTTP/<host> service credentials.
  4. The JMAC module returns an appropriate HTTP status code and header based on the outcome of the GSS accept: 200 plus the authenticated principal if the context is established (with any mutual-authentication reply token in a "WWW-Authenticate: Negotiate <token>" header), 401/403 otherwise.
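The four steps above as one JASPIC ServerAuthModule. This is an added example, not code from the original post or from the Glassfish project; it assumes a JAAS login entry named "spnego-service" exists in the container's login configuration and uses Krb5LoginModule with a keytab for the server's HTTP/<host> principal, and it uses only the javax.security.auth.message, org.ietf.jgss and servlet APIs. The class name SpnegoServerAuthModule and the login entry name are assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Hypothetical JASPIC module implementing HTTP Negotiate (SPNEGO/Kerberos). */
public class SpnegoServerAuthModule implements ServerAuthModule {

    private static final String NEGOTIATE = "Negotiate";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";   // SPNEGO mechanism OID

    private CallbackHandler handler;
    private Subject serviceSubject;   // holds the HTTP/<host>@REALM keytab credentials

    @Override
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler, Map options)
            throws AuthException {
        this.handler = handler;
        try {
            // Assumed JAAS entry: Krb5LoginModule with useKeyTab=true, storeKey=true, principal=HTTP/<host>
            LoginContext lc = new LoginContext("spnego-service");
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw (AuthException) new AuthException("service principal login failed").initCause(e);
        }
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject unused) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();

        final byte[] inToken = decodeToken(req.getHeader("Authorization"));
        if (inToken == null) {
            // Step 1: no usable token yet, challenge the browser and stop the request here.
            resp.setHeader("WWW-Authenticate", NEGOTIATE);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        }
        try {
            // Step 3: accept the SPNEGO token while running as the service principal.
            final GSSManager manager = GSSManager.getInstance();
            final String[] caller = new String[1];
            byte[] outToken = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSCredential cred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = manager.createContext(cred);
                byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
                if (!ctx.isEstablished()) {
                    // Kerberos establishes in one round trip; anything else (e.g. NTLM) is refused here.
                    throw new GSSException(GSSException.FAILURE);
                }
                caller[0] = ctx.getSrcName().toString();   // e.g. alice@EXAMPLE.COM
                ctx.dispose();
                return out;
            });
            // Step 4 (success): tell the container who the caller is, return any mutual-auth reply token.
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, caller[0]) });
            if (outToken != null && outToken.length > 0) {
                resp.setHeader("WWW-Authenticate", NEGOTIATE + " " + Base64.getEncoder().encodeToString(outToken));
            }
            return AuthStatus.SUCCESS;
        } catch (PrivilegedActionException | java.io.IOException
                 | javax.security.auth.callback.UnsupportedCallbackException e) {
            // Step 4 (failure): bad, replayed or foreign-realm ticket; do not re-challenge in a loop.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return AuthStatus.SEND_FAILURE;
        }
    }

    /** Returns the decoded token from "Authorization: Negotiate <base64>", or null if absent/malformed. */
    static byte[] decodeToken(String authz) {
        if (authz == null || !authz.regionMatches(true, 0, NEGOTIATE + " ", 0, NEGOTIATE.length() + 1)) return null;
        try {
            return Base64.getDecoder().decode(authz.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    @Override
    public void cleanSubject(MessageInfo info, Subject subject) { }
}
```

Two points worth noting from the code: the accept must run inside Subject.doAs with the service principal's Subject, otherwise the Kerberos mechanism has no key to decrypt the ticket; and a malformed or rejected token should end with a 403 and SEND_FAILURE rather than another 401 challenge, or a misconfigured browser will loop.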
Categorized as Java

By Greg Luck

As Terracotta’s CTO, Greg (@gregrluck) is entrusted with understanding market and technology forces and the business drivers that impact Terracotta’s product innovation and customer success. He helps shape company and technology strategy and designs many of the features in Terracotta’s products. Greg came to Terracotta on the acquisition of the popular caching project Ehcache which he founded in 2003. Prior to joining Terracotta, Greg served as Chief Architect at Australian online travel giant Wotif.com. He also served as a lead consultant for ThoughtWorks on accounts in the United States and Australia, was CIO at Virgin Blue, Tempo Services, Stamford Hotels and Resorts and Australian Resorts and spent seven years as a Chartered Accountant in KPMG’s small business and insolvency divisions. He is a regular speaker at conferences and contributor of articles to the technical press.