[JAVA-3836] Support a Kerberos ticket cache Created: 09/Sep/20  Updated: 28/Oct/23  Resolved: 19/Oct/20

Status: Closed
Project: Java Driver
Component/s: Authentication, Performance
Affects Version/s: None
Fix Version/s: 4.2.0

Type: New Feature Priority: Major - P3
Reporter: Esha Bhargava Assignee: Jeffrey Yemin
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
Related
is related to JAVA-4389 Getting com.mongodb.MongoSecurityExce... Closed
is related to JAVA-4391 Accept "com.sun.security.jgss.initiat... Closed
Epic Link: JAVA-3716
Case:

 Description   

Summary

Cache Kerberos tickets so that they can be re-used for multiple authentication requests. This cache will take two forms:

  • By default, the cache will be per-MongoClient, such that all authentication requests for a single MongoClient will share a ticket cache
  • With additional configuration, the cache can span MongoClient instances, so that multiple MongoClient instances will share a single ticket cache

User-Facing Syntax

For per-MongoClient ticket caching, no additional configuration is required.

For per-process ticket caching using the default login context:

MongoCredential.createGSSAPICredential(<user name>)
        .withMechanismProperty(JAVA_SUBJECT_PROVIDER,
                new KerberosSubjectProvider())

Note that the KerberosSubjectProvider class will be provided by the driver. If the KerberosSubjectProvider instance is shared with only a single MongoClient, this is effectively the same as the new default ticket caching behavior. Using the same instance with multiple MongoClients allows caching that spans the entire process.

For ticket caching using a different login context, simply pass the login context name to the KerberosSubjectProvider constructor:

MongoCredential.createGSSAPICredential(<user name>)
        .withMechanismProperty(JAVA_SUBJECT_PROVIDER,
                new KerberosSubjectProvider("MyContext"))
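
As an added illustration (not part of the original ticket and not the driver's KerberosSubjectProvider source), the Java class below shows the caching idea with JDK JAAS classes only: log in once, then hand the same Subject to every caller until its ticket-granting ticket is close to expiry. The class name CachingSubjectSource and the five-minute refresh margin are assumptions; running main requires a JAAS configuration that defines the login context entry.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class for illustration; it is not the driver's KerberosSubjectProvider.
public final class CachingSubjectSource {
    private static final long REFRESH_MARGIN_MS = 5 * 60 * 1000; // assumed safety margin

    private final String loginContextName;
    private Subject cached;

    public CachingSubjectSource(String loginContextName) {
        this.loginContextName = loginContextName;
    }

    // synchronized because one instance may serve many connections and clients at once
    public synchronized Subject getSubject() throws LoginException {
        if (cached == null || needsRefresh(cached, new Date())) {
            LoginContext context = new LoginContext(loginContextName);
            context.login(); // obtains credentials as the JAAS entry dictates (KDC, keytab, ccache)
            cached = context.getSubject();
        }
        return cached;
    }

    // True when the Subject holds no TGT that stays valid beyond the refresh margin.
    static boolean needsRefresh(Subject subject, Date now) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!ticket.isDestroyed()
                    && ticket.getServer().getName().startsWith("krbtgt/")
                    && ticket.getEndTime().getTime() - now.getTime() > REFRESH_MARGIN_MS) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws LoginException {
        // Login context name taken from the commit message on this page.
        CachingSubjectSource source =
                new CachingSubjectSource("com.sun.security.jgss.krb5.initiate");
        Subject first = source.getSubject();
        Subject second = source.getSubject(); // served from the cache, no second login
        System.out.println("reused cached subject: " + (first == second));
    }
}
```

Every caller that shares one instance authenticates as the same principal and reuses the same in-memory credentials, so an instance should be shared only among clients that are meant to run under that identity.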



 Comments   
Comment by Githook User [ 19/Oct/20 ]

Author:

{'name': 'Jeff Yemin', 'email': 'jeff.yemin@mongodb.com', 'username': 'jyemin'}

Message: Support caching of Kerberos Subject (#599)

Support caching of Kerberos Subject

  • Add SubjectProvider interface
  • Add JAVA_SUBJECT_PROVIDER mechanism property
  • Add KerberosSubjectProvider implementation
  • Default to use KerberosSubjectProvider with "com.sun.security.jgss.krb5.initiate" LoginContext name

JAVA-3836
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/5c965547c5009dd4bd9bac4d1738a6833d3fd662

Generated at Thu Feb 08 09:00:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.