Improve configurability of GSSAPI authentication

    • Type: New Feature
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 3.3.0
    • Affects Version/s: None
    • Component/s: Authentication

      Currently, a credential for the GSSAPI mechanism is limited in its configurability. GSSAPI authentication relies on the AccessControlContext bound to the thread that it's executing on, and a Subject based on the LoginContext for "com.sun.security.jgss.krb5.initiate", which must be configured via system properties.

      However, some Kerberos users require more flexibility. In particular, some users require the ability to create MongoCredential instances for GSSAPI authentication based on multiple Subject instances, in a single JVM. Currently, this is not possible.

      Additionally, some users require the ability to customize the SaslClient that implements the SASL conversation for GSSAPI, and that may require customization of the properties that must be passed to SaslClientFactory.createClient. Currently, there is no way to customize these properties.

      To address this, we propose to add two MongoCredential mechanism properties:

      • To override the javax.security.auth.Subject with which the authentication executes, add a mechanism property with the name "JAVA_SUBJECT" with the value of a Subject instance.
      • To override the properties with which the SaslClient is created, add a mechanism property with the name "JAVA_SASL_CLIENT_PROPERTIES" with the value of a Map<String, Object> instance.
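      The two mechanism properties proposed above, shown end to end as an added example (this is not code from this issue or from the driver itself): two Subjects are obtained in one JVM from two keytabs via an in-memory JAAS Configuration, and each is bound to its own GSSAPI MongoCredential together with a custom SaslClient property map. It assumes the property keys are exposed as the constants MongoCredential.JAVA_SUBJECT_KEY and MongoCredential.JAVA_SASL_CLIENT_PROPERTIES_KEY (as shipped in 3.3.0), and the principal names and keytab paths are hypothetical.

```java
import com.mongodb.MongoCredential;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import java.util.HashMap;
import java.util.Map;

public final class MultiSubjectGssapi {

    // Build a Subject from a keytab using an in-memory JAAS Configuration, so no
    // -Djava.security.auth.login.config system property is needed and every call can
    // log in a different principal. The option names are Krb5LoginModule's own; the
    // principal and keytab path come from the caller.
    static Subject loginFromKeytab(String principal, String keytabPath) throws LoginException {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", keytabPath);
        options.put("principal", principal);
        options.put("storeKey", "true");    // keep the key in the Subject for later renewal
        options.put("doNotPrompt", "true"); // never fall back to an interactive password prompt
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {entry};
            }
        };
        LoginContext ctx = new LoginContext("mongo-keytab", new Subject(), null, config);
        ctx.login();
        return ctx.getSubject();
    }

    // Bind a logged-in Subject to a GSSAPI credential via JAVA_SUBJECT, so the driver
    // no longer depends on the AccessControlContext of whichever thread happens to run
    // the authentication, and pass SaslClient properties via JAVA_SASL_CLIENT_PROPERTIES.
    static MongoCredential gssapiCredential(String userName, Subject subject) {
        Map<String, Object> saslProps = new HashMap<>();
        // Require mutual authentication: the server must prove possession of its
        // service key, so a connection redirected to a host without that key fails
        // the SASL exchange instead of completing one-way.
        saslProps.put(Sasl.SERVER_AUTH, "true");
        return MongoCredential.createGSSAPICredential(userName)
                .withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject)
                .withMechanismProperty(MongoCredential.JAVA_SASL_CLIENT_PROPERTIES_KEY, saslProps);
    }

    public static void main(String[] args) throws LoginException {
        // Hypothetical principals and keytab paths; substitute your own.
        Subject reporting = loginFromKeytab("reporting@EXAMPLE.COM", "/etc/keytabs/reporting.keytab");
        Subject billing = loginFromKeytab("billing@EXAMPLE.COM", "/etc/keytabs/billing.keytab");

        MongoCredential reportingCred = gssapiCredential("reporting@EXAMPLE.COM", reporting);
        MongoCredential billingCred = gssapiCredential("billing@EXAMPLE.COM", billing);

        // Two credentials backed by two distinct Subjects in one JVM; hand each to its
        // own MongoClient rather than sharing one client between them.
        for (MongoCredential c : new MongoCredential[] {reportingCred, billingCred}) {
            Subject s = c.getMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, (Subject) null);
            System.out.println(c.getUserName() + " -> principals " + s.getPrincipals());
        }
    }
}
```

      Two caveats for anyone using this. First, the property map is an override, not a merge: whatever the driver would otherwise pass to SaslClientFactory.createClient is replaced by the supplied map, so check the driver's GSSAPI authenticator for the defaults you are giving up before shipping a custom map. Second, the Subject holds a TGT with a finite lifetime and Krb5LoginModule does not renew it for you; a long-running client needs its own re-login and a fresh credential once the ticket nears expiry, otherwise authentication on newly opened connections starts failing.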

              Assignee: Jeffrey Yemin
              Reporter: Jeffrey Yemin
              Votes: 0
              Watchers: 2
