//
// weijun.wang@sun.com

HTTP SPNEGO
===========

JPlan 116: SPNEGO HTTP authentication
    http://jplan.sfbay/feature/116)
RFE 6260531: SPNEGO HTTP authentication
    http://monaco.sfbay/detail.jsf?cr=6260531)
CCC 6244039: more HTTP authentication schemes to support in Java
    http://ccc.sfbay/6244039


What's HTTP SPNEGO
==================

HTTP SPNEGO supports the Negotiate authentication scheme in an HTTP
communication. There are 2 types of authentication here:

1. Web Authentication. The Web Server responses with
       HTTP/1.1 401 Unauthorized
       WWW-Authenticate: Negotiate
   the client will need to send a header like
       Authorization: Negotiate YY.....
   to authenticate itself to the server
2. Proxy Authentication. The Web Server responses with
       HTTP/1.1 407 Proxy Authentication Required
       Proxy-Authenticate: Negotiate
   the client will need to send a header like
       Proxy-Authorization: Negotiate YY.....
   to authenticate itself to the proxy server

The new codes support both types of authentication.


How to use the new feature
==========================

There is no new public API function involved in the new feature, but
several configurations are needed to perform a success communication:

1. Since the SPNEGO mechanism will call the Kerberos V5 login module to
   do real works. Kerberos configurations are needed. which includes:

   a) Some way to provide Kerberos realm and KDC address. This can be
      achieved with the Java system property java.security.krb5.realm
      and java.security.krb5.kdc. For example:
            java -Djava.security.krb5.realm=REALM_NAME \
                 -Djava.security.krb5.kdc=kdc.realm.name \
                 ClassName

   b) A JAAS config file denoting what login module to use. HTTP SPNEGO
      codes will look for the standard GSS_INITIATE_ENTRY entry named
      "com.sun.security.jgss.initiate".

      For example, you can provide a file spnegoLogin.conf:
          com.sun.security.jgss.initiate {
              com.sun.security.auth.module.Krb5LoginModule
                  required useTicketCache=true;
          };
      and run java with:
            java -Djava.security.krb5.realm=REALM_NAME \
                 -Djava.security.krb5.kdc=kdc.realm.name \
                 -Djava.security.auth.login.config=spnegoLogin.conf \
                 ClassName


      Another JAAS login entry "http.auth.negotiate.server" is defined
      to be used by the server side.

2. Just like other HTTP authentication scheme, the client can provide
   a customized java.net.Authenticator to feed username and password to
   the HTTP SPNEGO module when they are needed (e.g. there is no keytab
   cache available). The only authentication information needed to be
   checked in your Authenticator is the scheme which can be retrieved
   with getRequestingScheme(). The value should be "Negotiate".

   This means your Authenticator implementation will look like:

    class MyAuthenticator extends Authenticator {

	public PasswordAuthentication getPasswordAuthentication () {
            if (getRequestingScheme().equalsIgnoreCase("negotiate")) {
                String krb5user;
                char[] krb5pass;
                // get krb5user and krb5pass in your own way
                ....
                return (new PasswordAuthentication (krb6user,
                            krb5pass.toCharArray()));
            } else {
                ....
            }
	}
    }

3. The client can still provide system property http.auth.preference to
   denote that a certain scheme should always be used as long as the
   server request for it. You can use "SPNEGO" or "Kerberos" for this
   system property. "SPNEGO" means you prefer to challenge the Negotiate
   scheme using the GSS/SPNEGO mechanism; "Kerberos" means you prefer
   to challenge the Negotiate scheme using the GSS/Kerberos mechanism.
   Normally, when authenticating against a Microsoft product, you can
   use "SPNEGO". The value "Kerberos" also works for Microsoft servers.
   It's only needed when you encounter a server which knows Negotiate
   but doesn't know about SPNEGO.

   If http.auth.preference is not set, the internal order choosen is:
      GSS/SPNEGO -> Digest -> BTLM -> Basic

   Noticed that Kerberos does not appear in this list, since whenever
   Negotiate is supported, GSS/SPNEGO is always chosen.

4. If the server has provided more than one authentication schemes
   (including Negotiate), according to the processing order mentioned
   in the last section, Java will try to challenge the Negotiate scheme.
   However, if the protocol cannot be established successfully (e.g.
   The kerberos configuration is not correct, or the server's hostname
   is not recorded in the KDC principal DB, or the username and password
   provided by Authenticator is wrong),  then the 2nd strongest scheme
   will be automatically used. You can notice this behaviour in the test
   case: TEST_NAME="Authenticate fallback".

   Attention: If http.auth.preference is set to SPNEGO or Kerberos, then
   we assume you only want to try the Negotiate scheme even if it fails.
   we won't fallback to any other scheme and your program will result in
   throwing an IOException saying it receives a 401 or 407 error from
   the HTTP response. This behaviour can be observed in the test case:
   TEST_NAME="Authenticate no fallback"


Test
====

The test is a bash script spnegoTest, which makes use of the Java class
WebGet. WebGet.java is included. To run the test, you need these files:

    spnegoTest
    spnegoLogin.conf       JAAS login config file
    spnegoLog.properties   logging config file

The test environment includes 1 or 2 KDC server, 1 or 2 Web server, and
1 proxy server. The web server and the proxy server need to support
multiple authentication schemes setting to test the fallback feature.

The environment variables set inside spnegoTest are:

    WWW_REALM       The Kerberos realm the Web server belongs to
    WWW_KDC         The Kerberos KDC for the WWW_REALM
    WWW_URL         The URL to test against. It should be protected with
                    Negotiate and Basic authentication

    PROXY_REALM     The Kerberos realm the proxy server belongs to
    PROXY_KDC       The Kerberos KDC for the PROXY_REALM
    PROXY_URL       The URL to test against, Should be available to
                    anonymous request
    PROXY_PARA      The proxy server setting. The proxy server should
                    prompt for Negotiate and Basic authentication

    GOOD_PASS       Correct user/pass for Basic authentication
    GOOD_KPASS      Correct user/pass for Kerberos
    BAD_PASS        Wrong user/pass for Basic authentication
    BAD_KPASS       Wrong user/pass for Kerberos

    WWW_TAB         The keytab file for WWW_REALM
    PROXY_TAB       The keytab file for PROXY_REALM
    TAB_PATH        The standard keytab cache file path

    FILE_CONTENT    The content of URL expected

The values set in spnegoTest reflect a temporary testing environment,
where we use MS-Windows 2000 Advanced Server as the KDC server and Web
server, and MS ISA 2000 Server as the proxy server.

In order to test the using of keytab cache, you need to get the keytab
files before starting the test. The pathname of the 2 keytab files (one
for the WWW_REALM, the other for the PROXY_REALM) should be set inside
the test script spnegoTest as WWW_TAB and PROXY_TAB respectively. During
the test process, they will be copied to the system recognized place
(TAB_PATH) in turn.

This is a manual step since on most systems the kerberos realm is setup
in krb5.conf, and you need a root privilege to edit the it to get the 2
ticket cache files. Normally, the process will look like:

    # edit the krb5.conf using $WWW_REALM
    kinit www_user_name
    cp $TAB_PATH $WWW_TAB
    # edit the krb5.conf using $PROXY_REALM
    kinit proxy_user_name
    cp $TAB_PATH $PROXY_TAB

Fortunately, you normally will only need to do this once in a day.

However, on MS-Windows platform, the kinit tool provided with the JRE
has command options including realm, KDC, principal name, and password,
thus make it possible to generate the keytab files from a batch script.

Finally, you can run the test with

    $ bash spnegoTest || echo $?