[JAVA-2106] Improve configurability of GSSAPI authentication

Created: 04/Feb/16
Updated: 19/Oct/16
Resolved: 18/Mar/16

Status: Closed
Project: Java Driver
Component/s: Authentication
Affects Version/s: None
Fix Version/s: 3.3.0

Type: New Feature
Priority: Major - P3
Reporter: Jeffrey Yemin
Assignee: Jeffrey Yemin
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
is duplicated by JAVA-1019 Ability to support multiple Kerberos ... Closed

 Description   

Currently, a credential for the GSSAPI mechanism is limited in its configurability. GSSAPI authentication relies on the AccessControlContext bound to the thread that it's executing on, and a Subject based on the LoginContext for "com.sun.security.jgss.krb5.initiate", which must be configured via system properties.

However, some Kerberos users require more flexibility. In particular, some users require the ability to create MongoCredential instances for GSSAPI authentication based on multiple Subject instances, in a single JVM. Currently, this is not possible.

Additionally, some users require the ability to customize the SaslClient that implements the SASL conversation for GSSAPI, and that may require customization of the properties that must be passed to SaslClientFactory.createClient. Currently, there is no way to customize these properties.

To address this, we propose to add two MongoCredential mechanism properties:

  • To override the javax.security.auth.Subject with which the authentication executes, add a mechanism property with the name "JAVA_SUBJECT" with the value of a Subject instance.
  • To override the properties with which the SaslClient is created, add a mechanism property with the name "JAVA_SASL_CLIENT_PROPERTIES" with the value of a Map<String, Object> instance.
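
The following sketch is an added example, not code from the driver or from this issue. It shows how the two proposed mechanism properties let two Kerberos identities coexist in one JVM, with each Subject obtained through its own in-memory JAAS configuration instead of the shared "com.sun.security.jgss.krb5.initiate" entry. The class name, principals, keytab paths and the `Sasl.QOP` value are assumptions made for illustration, and the realm and KDC are assumed to come from the host's krb5.conf.

```java
import com.mongodb.MongoCredential;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import java.util.HashMap;
import java.util.Map;

public class MultiSubjectGssapi {
    // Log in one principal from its own keytab through an in-memory JAAS
    // configuration, so nothing JVM-wide (system properties, jaas.conf) is shared.
    static Subject login(String principal, String keytabPath) throws LoginException {
        final Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", keytabPath);
        options.put("principal", principal);
        options.put("storeKey", "true");
        options.put("doNotPrompt", "true"); // fail rather than prompt on a server
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
            }
        };
        LoginContext context = new LoginContext("mongo-gssapi", null, null, config);
        context.login();
        return context.getSubject();
    }

    // Bind a GSSAPI credential to its own Subject and SaslClient properties,
    // using the two mechanism property names proposed in this issue.
    static MongoCredential credentialFor(String principal, Subject subject) {
        Map<String, Object> saslProperties = new HashMap<>();
        saslProperties.put(Sasl.QOP, "auth"); // illustrative value: authentication only
        return MongoCredential.createGSSAPICredential(principal)
                .withMechanismProperty("JAVA_SUBJECT", subject)
                .withMechanismProperty("JAVA_SASL_CLIENT_PROPERTIES", saslProperties);
    }

    public static void main(String[] args) throws LoginException {
        // Constructed principals and keytab paths: two identities in one JVM.
        MongoCredential a = credentialFor("app-a@EXAMPLE.COM", login("app-a@EXAMPLE.COM", "/etc/security/app-a.keytab"));
        MongoCredential b = credentialFor("app-b@EXAMPLE.COM", login("app-b@EXAMPLE.COM", "/etc/security/app-b.keytab"));
        System.out.println(a.getUserName() + " and " + b.getUserName() + " ready");
    }
}
```

Each keytab holds a long-term key for its principal, so it should be readable only by the account that runs the JVM, and each credential should be handed only to the client that is meant to act as that identity.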


 Comments   
Comment by Githook User [ 18/Mar/16 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-2106: Allow injection of Subject, AccessControlContext, and Map of SaslClient properties as mechanism properties for MongoCredential instances for GSSAPI authentication
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/a263f09029b49ccf724f1b242a9e073b8324960c
