Does Java integration with native Kerberos support impersonation?

I have the following setup (using Java 11).
A user, in his browser, sends a request to a Java backend secured with Kerberos.
The server responds with "Negotiate...", and the browser responds with the user's ticket.
Then the Java backend impersonates that user and goes to Postgres pretending to be that user.
Impersonation is done with the following code:

((ExtendedGSSCredential) serviceCredentials).impersonate(gssName);

The code for the impersonate() method (from the JDK):

public GSSCredential impersonate(GSSName name) throws GSSException {
    if (destroyed) {
        throw new IllegalStateException("This credential is " +
                                        "no longer valid");
    }
    Oid mech = tempCred.getMechanism();
    GSSNameSpi nameElement = (name == null ? null :
                              ((GSSNameImpl)name).getElement(mech));
    GSSCredentialSpi cred = tempCred.impersonate(nameElement);
    return (cred == null ?
        null : GSSManagerImpl.wrap(new GSSCredentialImpl(gssManager, cred)));
}

The class of tempCred here is SpNegoCredElement, and it supports the impersonate method.
This works with the default java kerberos implementation.

Now I want to use a native GSS-API Kerberos (Linux with libgssapi_krb5.so.2). For that I start the Java process with the following options:

-Dsun.security.jgss.native=true -Djavax.security.auth.useSubjectCredsOnly=false

The code above doesn't work with this setup because now the variable tempCred is of type GSSCredElement, and it has the following implementation of the impersonate() method:

@Override
public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
    throw new GSSException(GSSException.FAILURE, -1,
            "Not supported yet");
}

So it simply throws an exception.
Does anyone know why it doesn't support impersonation?
How can I make impersonation work with native GSS-API?
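
An added example, not part of the original question and not JDK code: a wrapper around the impersonate() call quoted above that fails closed, so a backend never reaches the database under its own service identity when impersonation is unavailable (as with the "Not supported yet" path) or returns null. The class name ImpersonationGuard and the method impersonateOrFail are hypothetical, and running main assumes a configured Kerberos realm plus a service account permitted to impersonate users.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

public final class ImpersonationGuard { // hypothetical helper, not from the JDK

    /** Returns credentials for userPrincipal or throws; never hands back the service's own. */
    static GSSCredential impersonateOrFail(GSSManager manager,
                                           GSSCredential serviceCredentials,
                                           String userPrincipal) throws GSSException {
        if (!(serviceCredentials instanceof ExtendedGSSCredential)) {
            throw new GSSException(GSSException.UNAVAILABLE, -1,
                    "service credential does not implement ExtendedGSSCredential");
        }
        GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
        GSSCredential impersonated;
        try {
            impersonated = ((ExtendedGSSCredential) serviceCredentials).impersonate(user);
        } catch (GSSException e) {
            // Record which provider was active: the native one throws "Not supported yet".
            boolean nativeGss = Boolean.getBoolean("sun.security.jgss.native");
            GSSException wrapped = new GSSException(e.getMajor(), e.getMinor(),
                    "impersonation of " + userPrincipal + " failed (sun.security.jgss.native="
                            + nativeGss + "): " + e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
        if (impersonated == null) {
            // The JDK wrapper quoted above returns null when the mechanism yields no credential.
            throw new GSSException(GSSException.NO_CRED, -1,
                    "impersonate() returned null for " + userPrincipal);
        }
        return impersonated;
    }

    public static void main(String[] args) throws GSSException {
        if (args.length != 1) {
            System.err.println("usage: ImpersonationGuard <user-principal>");
            return;
        }
        GSSManager manager = GSSManager.getInstance();
        // Assumption: the service's own credentials come from the default JAAS/ccache setup.
        GSSCredential service = manager.createCredential(GSSCredential.INITIATE_ONLY);
        GSSCredential asUser = impersonateOrFail(manager, service, args[0]);
        System.out.println("acting as " + asUser.getName());
    }
}
```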



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
