Java Reference
In-Depth Information
A pair of networked peers (hosts that can act as clients or servers) may each have several GSS-API implementations installed from which to choose. The Simple and Protected GSS-API Negotiation (SPNEGO) pseudo-mechanism exists so that such peers can identify the GSS-API mechanisms they share, select one, and then establish a security context using the chosen mechanism.
Microsoft's negotiate authentication scheme (introduced with Windows 2000) uses SPNEGO to select a GSS-API mechanism for HTTP authentication. Initially, this scheme supported only Kerberos and NTLM. Under Integrated Windows authentication (formerly known as NTLM authentication, and also known as Windows NT Challenge/Response authentication), when Internet Explorer tries to access a protected resource on IIS, IIS sends two WWW-Authenticate headers to the browser. The first header carries the token Negotiate; the second carries the token NTLM.

Because Negotiate is listed first, it is the scheme Internet Explorer tries first. When the browser recognizes it, it answers with a SPNEGO token that lets IIS choose between Kerberos and NTLM. IIS uses Kerberos when all of the following are true:
• The client is Internet Explorer 5.0 or later.
• The server is IIS 5.0 or later.
• The operating system is Windows 2000 or later.
• Both the client and server are members of the same domain or trusted domains.
Otherwise, NTLM is used. If Internet Explorer doesn't recognize Negotiate, it falls back to the plain NTLM authentication scheme and returns NTLM information to IIS.
A Java client can provide an Authenticator subclass whose getPasswordAuthentication() method checks the scheme name returned by the protected final String getRequestingScheme() method to determine whether the current scheme is "negotiate" (compare case-insensitively; the name is not guaranteed to arrive in any particular case). When this is the case, the method can pass the user name and password to the HTTP SPNEGO module (assuming they are needed, that is, no credential cache is available), as illustrated in the following code fragment:
import java.net.Authenticator;
import java.net.PasswordAuthentication;

class MyAuthenticator extends Authenticator
{
   @Override
   public PasswordAuthentication getPasswordAuthentication()
   {
      // Hand the user name and password to the HTTP SPNEGO module only
      // when the server requested the Negotiate scheme.
      if (getRequestingScheme().equalsIgnoreCase("negotiate"))
      {
         // Placeholder credentials; a real client obtains them securely.
         return new PasswordAuthentication("username", "password".toCharArray());
      }
      return null; // decline other schemes: the request fails with 401
   }
}
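A fuller client built around the same Authenticator idea, added here as an example and not code from the original text: it first probes the resource without credentials to list the schemes the server advertises in its WWW-Authenticate headers (IIS with Integrated Windows authentication lists Negotiate before NTLM, as described above), then installs an Authenticator that releases the password only for Negotiate or NTLM, or for Basic when the connection is HTTPS. The resource URL, account name and password are placeholder assumptions.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not from the original text. Probes which HTTP
// authentication schemes a server offers, then lets the JDK negotiate
// through an Authenticator that releases credentials only for schemes
// the client is willing to use.
public class NegotiateClient
{
   // Assumed placeholders: replace with the real resource and account.
   static final String TARGET = "http://intranet.example.com/secure/";
   static final String USER = "jdoe";
   static final char[] PASSWORD = "changeit".toCharArray();

   // Step 1: with no Authenticator installed, the server's 401 response
   // (with its WWW-Authenticate headers) comes back to the caller intact.
   // IIS lists "Negotiate" first and "NTLM" second; header order is kept.
   static List<String> offeredSchemes(URL url) throws IOException
   {
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
      conn.setRequestMethod("GET");
      List<String> schemes = new ArrayList<>();
      if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED)
      {
         for (Map.Entry<String, List<String>> h : conn.getHeaderFields().entrySet())
         {
            // The status line is stored under a null key; it is skipped here.
            if ("WWW-Authenticate".equalsIgnoreCase(h.getKey()))
            {
               for (String value : h.getValue())
               {
                  // Value is "<scheme>[ <challenge data>]"; keep the scheme name.
                  schemes.add(value.trim().split("\\s+")[0]);
               }
            }
         }
      }
      conn.disconnect();
      return schemes;
   }

   // Step 2: an Authenticator that inspects getRequestingScheme() and
   // getRequestingURL() before handing out the password.
   static class SchemeAwareAuthenticator extends Authenticator
   {
      @Override
      protected PasswordAuthentication getPasswordAuthentication()
      {
         String scheme = getRequestingScheme();
         URL url = getRequestingURL();
         if ("negotiate".equalsIgnoreCase(scheme) || "ntlm".equalsIgnoreCase(scheme))
         {
            // For Negotiate, the JDK's HTTP SPNEGO module uses these to obtain
            // Kerberos credentials when no ticket cache is available.
            return new PasswordAuthentication(USER, PASSWORD);
         }
         if ("basic".equalsIgnoreCase(scheme) && url != null
             && "https".equalsIgnoreCase(url.getProtocol()))
         {
            // Basic transmits the password itself; allow it only over TLS.
            return new PasswordAuthentication(USER, PASSWORD);
         }
         // Anything else (for example Basic over plain HTTP): decline, so the
         // request fails with 401 instead of leaking the password.
         return null;
      }
   }

   public static void main(String[] args) throws IOException
   {
      URL url = new URL(TARGET);
      System.out.println("Schemes offered by server: " + offeredSchemes(url));

      Authenticator.setDefault(new SchemeAwareAuthenticator());
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
      System.out.println("Authenticated request returned HTTP " + conn.getResponseCode());
      conn.disconnect();
   }
}
```

By default HttpURLConnection picks the strongest scheme the server offers (Negotiate before NTLM before Digest before Basic); the http.auth.preference system property overrides that order. When Negotiate is chosen and no Kerberos ticket cache or JAAS subject is available, the JDK's SPNEGO module calls this Authenticator for the user name and password; on non-Windows hosts it also needs the realm and KDC, from krb5.conf or the java.security.krb5.realm and java.security.krb5.kdc system properties.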