  1. Java Driver
  2. JAVA-2106

Improve configurability of GSSAPI authentication


Details

    • New Feature
    • Resolution: Done
    • Major - P3
    • 3.3.0
    • None
    • Authentication
    • None

    Description

      Currently, a credential for the GSSAPI mechanism is limited in its configurability. GSSAPI authentication relies on the AccessControlContext bound to the thread that it's executing on, and a Subject based on the LoginContext for "com.sun.security.jgss.krb5.initiate", which must be configured via system properties.

      However, some Kerberos users require more flexibility. In particular, some users require the ability to create MongoCredential instances for GSSAPI authentication based on multiple Subject instances, in a single JVM. Currently, this is not possible.

      Additionally, some users require the ability to customize the SaslClient that implements the SASL conversation for GSSAPI, and that may require customization of the properties that must be passed to SaslClientFactory.createClient. Currently, there is no way to customize these properties.

      To address this, we propose to add two MongoCredential mechanism properties:

      • To override the javax.security.auth.Subject with which the authentication executes, add a mechanism property with the name "JAVA_SUBJECT" with the value of a Subject instance.
      • To override the properties with which the SaslClient is created, add a mechanism property with the name "JAVA_SASL_CLIENT_PROPERTIES" with the value of a Map<String, Object> instance.

          People

            jeff.yemin@mongodb.com Jeffrey Yemin