Following on from the discussion yesterday, the following branch
illustrated how SPNEGO/Kerberos negotiation can be added to the HTTP API: -
This was more to prove SPNEGO could be added to the HTTP server, so tasks
such as long-term handling of the cached authentications and providing
the user configuration are outstanding.
This does depend on the use of JAAS for the server's identity to be
established, but the actual configuration requirements can be defined
simply so the use of JAAS internally becomes an implementation detail.
One point I have found however is that the SPNEGO authentication is
dependent on identifying the exact connection the inbound request is
received on - I can detect the address of the remote client but I can't
tell if it is just a case of a port being re-used or if it is really the
same connection. Unless we add some form of cookie based session
management this may also be a problem for other authentication mechanisms.
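The cookie-keyed bookkeeping the last paragraph suggests, as an added example that is not code from the branch (a Python model rather than the Java/JAAS server): the GSS-API accept step is a constructed stub so it runs offline, and the cookie name NEGID and 30-second lifetime are assumptions.

```python
import base64
import secrets
import time

NEG_TTL = 30  # seconds a half-finished negotiation is kept (assumed value)

def _cookie_value(cookie_header, name):
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

class NegotiateHandler:
    def __init__(self):
        self._pending = {}  # cookie -> (expires_at, client tokens seen so far)
    def _gss_accept(self, legs):
        # Constructed stub for the GSS-API accept call: done after two client tokens.
        if len(legs) >= 2:
            return None, "alice@EXAMPLE.COM"
        return b"server-token-%d" % len(legs), None
    def handle(self, headers):
        """headers: lowercase request header -> value. Returns (status, headers, principal)."""
        now = time.time()
        self._pending = {c: v for c, v in self._pending.items() if v[0] > now}  # drop stale
        auth = headers.get("authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, None  # initial challenge
        token = base64.b64decode(auth[len("Negotiate "):])
        cookie = _cookie_value(headers.get("cookie", ""), "NEGID")
        legs = self._pending.pop(cookie, (0, []))[1]  # resume if known, else start fresh
        if not legs:
            cookie = secrets.token_hex(16)  # fresh key; never the remote (ip, port)
        legs.append(token)
        out_token, principal = self._gss_accept(legs)
        if principal is not None:
            return 200, {"Set-Cookie": "NEGID=; Max-Age=0"}, principal
        self._pending[cookie] = (now + NEG_TTL, legs)
        return 401, {"WWW-Authenticate": "Negotiate " + base64.b64encode(out_token).decode(),
                     "Set-Cookie": "NEGID=%s; HttpOnly; Secure" % cookie}, None

def walkthrough():
    h = NegotiateHandler()
    leg = lambda tok: "Negotiate " + base64.b64encode(tok).decode()
    _, hdrs_a, _ = h.handle({"authorization": leg(b"A-leg1")})
    _, hdrs_b, _ = h.handle({"authorization": leg(b"B-leg1")})  # second client, same peer
    cookie_a = _cookie_value(hdrs_a["Set-Cookie"], "NEGID")
    status, _, who = h.handle({"authorization": leg(b"A-leg2"), "cookie": "NEGID=" + cookie_a})
    return {"status": status, "principal": who, "pending_left": len(h._pending),
            "distinct_cookies": hdrs_a["Set-Cookie"] != hdrs_b["Set-Cookie"]}
```

Because each in-progress context is keyed by its own random cookie, a second client arriving from a reused remote port never merges into the first client's negotiation, and abandoned contexts age out after NEG_TTL.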