How to use constrained delegation with JDBC drivers in Java 8

user8975258 Member Posts: 1
edited Aug 4, 2016 4:36PM in Kerberos & Java GSS (JGSS)

Java 8 introduced implementations for the two Microsoft extensions to the Kerberos protocol - S4U2Self and S4U2Proxy. In the Oracle release note for the feature, https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html, it's noted that "This feature is very useful in secure enterprise deployments. For example, in a typical network service, the front end (such as a web server) often needs to access the back end (such as a database server) on behalf of a client". However, I'm unable to find any documentation on how a middle-tier service obtaining a credential through constrained delegation would actually pass it to a JDBC driver. With unconstrained delegation, one can pass the credential in a Subject and then invoke Subject.doAs(). This doesn't seem to work with constrained delegation; instead, the credential should be passed directly to initSecContext(), which is usually the driver's job to do, but there is no mechanism to pass this credential to the driver.

Has anyone been successful in using this feature in this context?

This discussion has been closed.
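
The JGSS side of the flow described in the question, as an added example that is not part of the original post or of Oracle's documentation: a middle-tier service obtains an impersonated credential with S4U2Self and hands it explicitly to the security context, which triggers S4U2Proxy. It does not show a JDBC hand-off. Assumptions: a JAAS entry named `middle-tier` (hypothetical) that logs the service in from its keytab, a KDC that permits this service to delegate to the back end, and the constructed names `alice@EXAMPLE.COM` and `dbsvc@db.example.com`.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ConstrainedDelegationExample {
    // Kerberos V5 GSS-API mechanism OID
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    /** Builds the first token the middle tier sends to backendSpn on behalf of clientUser. */
    static byte[] firstTokenOnBehalfOf(String clientUser, String backendSpn) throws Exception {
        // Assumption: "middle-tier" is a Krb5LoginModule entry using the service's keytab.
        LoginContext login = new LoginContext("middle-tier");
        login.login();
        return Subject.doAs(login.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH);
            // The service's own initiator credential (backed by its TGT).
            GSSCredential self = manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            // S4U2Self: request a credential for the client without the client's password.
            GSSName user = manager.createName(clientUser, GSSName.NT_USER_NAME);
            GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);
            // S4U2Proxy: the impersonated credential is passed explicitly to the context;
            // it is not looked up from the Subject, which is why doAs() alone is not enough.
            GSSName backend = manager.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext context = manager.createContext(
                    backend, krb5, impersonated, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            // With mutual auth the caller would feed the peer's reply back into
            // initSecContext(); only the first leg is produced here.
            return context.initSecContext(new byte[0], 0, 0);
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names; replace with a real client principal and service name.
        byte[] token = firstTokenOnBehalfOf("alice@EXAMPLE.COM", "dbsvc@db.example.com");
        System.out.println("Initial GSS token length: " + token.length);
    }
}
```

When the client has already authenticated to the middle tier over GSS-API, the credential returned by `GSSContext.getDelegCred()` on the accepted context can be used in place of the `impersonate()` result.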