By Weijun on Dec 15, 2009
Basically, we defined a new ExtendedGSSContext interface. Now it has 3 methods:
- requestDelegPolicy(boolean state): Requests that the delegation policy be respected. When a true value is requested, the underlying context would use the delegation policy defined by the environment as a hint to determine whether credentials delegation should be performed. This method is mainly used to deal with the Kerberos OK-AS-DELEGATE flag.
- getDelegPolicyState(): Returns the delegation policy response.
- inquireSecContext(InquireType type): Returns the mechanism-specific attribute associated with type. Currently we're supporting four types for the Kerberos 5 mechanism: KRB5_GET_TKT_FLAGS for flags in a service ticket, KRB5_GET_SESSION_KEY for the session key of an established session, KRB5_GET_AUTHZ_DATA for authorization data in a service ticket (mainly used on AD for the PAC info), and KRB5_GET_AUTHTIME for the authtime in a service ticket.
The full spec is in the OpenJDK code repository, and the implementation is in other parts of the same repo.
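To show how the three methods fit together on the initiator side, here is an added example (not code from the original post or from OpenJDK). The class name `DelegPolicyCheck`, its helper methods and the sample flag array are hypothetical; the flag names follow the bit order in RFC 4120, and the cast assumes the JDK's built-in JGSS provider, whose contexts implement `ExtendedGSSContext`.

```java
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import org.ietf.jgss.*;
import java.util.StringJoiner;

public class DelegPolicyCheck {
    // Kerberos ticket flag names by bit position (RFC 4120, TicketFlags).
    static final String[] FLAG_NAMES = {
        "reserved", "forwardable", "forwarded", "proxiable", "proxy",
        "may-postdate", "postdated", "invalid", "renewable", "initial",
        "pre-authent", "hw-authent", "transited-policy-checked", "ok-as-delegate"
    };

    // Turn the boolean[] returned for KRB5_GET_TKT_FLAGS into readable names.
    static String describeFlags(boolean[] flags) {
        StringJoiner set = new StringJoiner(", ");
        for (int i = 0; i < flags.length && i < FLAG_NAMES.length; i++) {
            if (flags[i]) set.add(FLAG_NAMES[i]);
        }
        return set.toString();
    }

    // Initiator context that asks for the delegation policy to be respected,
    // rather than requesting delegation outright with requestCredDeleg(true).
    static ExtendedGSSContext newInitiator(String service) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos 5 mechanism
        GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ExtendedGSSContext ext = (ExtendedGSSContext) ctx; // assumption: JDK provider
        ext.requestMutualAuth(true);
        ext.requestDelegPolicy(true);
        return ext;
    }

    // Call once isEstablished() is true: log what the policy decided and why.
    static String report(ExtendedGSSContext ctx) throws GSSException {
        boolean[] flags = (boolean[]) ctx.inquireSecContext(InquireType.KRB5_GET_TKT_FLAGS);
        return "delegPolicy=" + ctx.getDelegPolicyState()
             + " credDeleg=" + ctx.getCredDelegState()
             + " authtime=" + ctx.inquireSecContext(InquireType.KRB5_GET_AUTHTIME)
             + " flags=[" + describeFlags(flags) + "]";
    }

    public static void main(String[] args) {
        // Constructed sample flags; a live run needs Kerberos credentials and a KDC.
        boolean[] sample = new boolean[32];
        sample[1] = sample[8] = sample[10] = sample[13] = true;
        System.out.println(describeFlags(sample));
    }
}
```

Logging the `report` line per connection gives an audit trail of which services actually received delegated credentials and whether the ticket carried `ok-as-delegate`.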