[jboss-jira] [JBoss JIRA] Commented: (SECURITY-129) Client Delegation

Zhiyong Li (JIRA) jira-events at lists.jboss.org
Fri Oct 9 11:32:06 EDT 2009


    [ https://jira.jboss.org/jira/browse/SECURITY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12489190#action_12489190 ] 

Zhiyong Li commented on SECURITY-129:
-------------------------------------

If I can obtain the delegation credential, then I can accomplish the delegation (authenticate on behalf of the client user) by my code. 

In your 2.0.3 GA code, I notice that you have a threadlocal variable and also a scheme context variable in NegotiationContext.java

     private static final ThreadLocal<NegotiationContext>  negotiationContext = new ThreadLocal<NegotiationContext>();
     private Object schemeContext = null;

I thought that I may be able to get the schemeContext from my code (such as a servlet) and then in turn get the client delegation credential, for example,


      GSSContext context = (GSSContext) NegotiationContext.getCurrentNegotiationContext().getSchemeContext();

      // check if the credentials can be delegated
      if (!context.getCredDelegState()) {
         System.out.println("credentials cannot be delegated!");
         throw new Exception("credentials cannot be delegated!");
      }

      // get the delegated credentials from the calling peer...
      GSSCredential clientCred = context.getDelegCred();


however, the value of schemeContext is "cleared" after "authentication" in org.jboss.security.negotiation.NegotiationAuthenticator.java

   protected boolean authenticate(final Request request, final Response response, final LoginConfig config)
         throws IOException {

         ...
         negotiationContext.clear();
         ...
   }

Thus, I cannot get schemeContext. I get around the problem by commenting out: negotiationContext.clear();

My request is whether you can make the schemeContext or the client delegation credential available to the application code in the same request/response.


> Client Delegation
> -----------------
>
>                 Key: SECURITY-129
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-129
>             Project: JBoss Security and Identity Management
>          Issue Type: Task
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_2.0.4.GA
>
>
> Web browser can delegate to the server being called so same credentials can be used for further calls.
>   Delegation using GSSAPI, WS-Kerberos, credential propagation for EJB calls etc..

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
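The pattern the comment above is asking for, written out as an added example using only the standard org.ietf.jgss API; it is not code from JBoss Negotiation or from the commenter. It assumes the application has already been handed the accepted server-side GSSContext (however the authenticator ends up exposing it), and the backend service name "HTTP@backend.example.com" is a placeholder. The delegated credential is checked for delegation state and remaining lifetime, bound to the outbound hop, and disposed with it so it lives no longer than the request.

```java
import org.ietf.jgss.*;

public final class DelegatedBackendCall {
    // Kerberos v5 mechanism OID (standard IETF value, not project specific).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    // Refuse a delegated credential with under a minute left; the backend hop would fail anyway.
    private static final int MIN_LIFETIME_SECONDS = 60;

    /** Outbound context plus the delegated credential behind it, disposed together. */
    public static final class Hop implements AutoCloseable {
        public final GSSContext context;
        private final GSSCredential credential;
        Hop(GSSContext context, GSSCredential credential) {
            this.context = context;
            this.credential = credential;
        }
        @Override
        public void close() throws GSSException {
            context.dispose();
            credential.dispose(); // the credential lives no longer than this request
        }
    }

    /**
     * Prepares a context to backendService ("HTTP@backend.example.com" is a placeholder form)
     * from the credential the browser delegated into the already accepted server-side
     * context. The caller drives hop.context.initSecContext() as usual, then closes the hop.
     */
    public static Hop openHop(GSSContext accepted, String backendService) throws GSSException {
        if (!accepted.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT);
        }
        if (!accepted.getCredDelegState()) { // the client did not opt in to delegation
            throw new GSSException(GSSException.NO_CRED);
        }
        GSSCredential delegated = accepted.getDelegCred();
        if (delegated == null || delegated.getRemainingLifetime() < MIN_LIFETIME_SECONDS) {
            if (delegated != null) delegated.dispose();
            throw new GSSException(GSSException.CREDENTIALS_EXPIRED);
        }
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext outbound = mgr.createContext(target, new Oid(KRB5_MECH_OID), delegated,
                GSSContext.DEFAULT_LIFETIME);
        outbound.requestMutualAuth(true);  // authenticate the backend too
        outbound.requestCredDeleg(false);  // do not forward the credential a second time
        return new Hop(outbound, delegated);
    }
}
```

Use it as `try (DelegatedBackendCall.Hop hop = DelegatedBackendCall.openHop(ctx, "HTTP@backend.example.com")) { ... }` so both the outbound context and the delegated credential are released when the request finishes.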
