It took me literally tens of hours to figure out how to do SPNEGO proxy authentication for Java's built-in HTTP routines. So let me share my results:
- Documentation sucks as hell
- Documentation sucks as hell, and there is plenty of it
- Java's implementation of GSSAPI and Kerberos:
a) fails to establish a security context with my MIT krb services (I was able to authenticate against neither mod_auth_kerb nor my squid negotiate helper),
b) is a nightmare to configure and
c) seems to be unable (without really ugly hacks) to obtain the credentials from MIT's default credential cache (it does not use the KRB5CCNAME env)
- Fortunately Java SE 6 has a so-called native mode for JGSS - which you need to find first - see http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html - this setting makes Java use your GSSAPI library instead of their fucked up enterprisey library
To make your Java applications integrate with your well-established Kerberos SSO just set
export _JAVA_OPTIONS="-Dsun.security.jgss.native=true -Dsun.security.jgss.lib=/usr/lib/libgssapi_krb5.so -Dhttp.auth.preference=spnego -Dhttp.proxyHost= -Dhttp.proxyPort="
(Location of your gssapi library might differ)
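
Since the library location differs between systems, here is the export line above as a small sh helper that locates the library and refuses bad input. This is an added example, not part of the original post: the function names, the directory list, the world-writable check and proxy.example.com:3128 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the candidate
# directories and the proxy values in the usage note are assumptions.

# Print the first readable libgssapi_krb5.so* found in the given directories.
find_gss_lib() {
    for dir in "$@"; do
        for lib in "$dir"/libgssapi_krb5.so "$dir"/libgssapi_krb5.so.*; do
            if [ -f "$lib" ] && [ -r "$lib" ]; then
                printf '%s\n' "$lib"
                return 0
            fi
        done
    done
    return 1
}

# Compose the option string from the post. Refuses an empty proxy host, a
# non-numeric port, or a library that is missing or world-writable (the JVM
# loads this file as native code, so anyone able to modify it runs code in it).
build_java_opts() {
    lib=$1 host=$2 port=$3
    [ -n "$host" ] || { echo "proxy host is empty" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "proxy port is not numeric" >&2; return 1;; esac
    [ -f "$lib" ] || { echo "no GSSAPI library at $lib" >&2; return 1; }
    if [ -n "$(find -H "$lib" -prune -perm -0002)" ]; then
        echo "$lib is world-writable" >&2; return 1
    fi
    printf '%s' "-Dsun.security.jgss.native=true -Dsun.security.jgss.lib=$lib" \
        " -Dhttp.auth.preference=spnego -Dhttp.proxyHost=$host -Dhttp.proxyPort=$port"
}

# Usage, with a hypothetical proxy (klist -s exits non-zero without a valid ticket):
#   klist -s || kinit
#   lib=$(find_gss_lib /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu) &&
#   opts=$(build_java_opts "$lib" proxy.example.com 3128) &&
#   export _JAVA_OPTIONS="$opts"
```

_JAVA_OPTIONS applies to every JVM started from that environment, so set it only in the sessions that need it.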