
I implemented a Java solution to retrieve a Kerberos ticket; I based my solution on the answer in this thread: How to obtain a kerberos service ticket via GSS-API?

I need the ticket to send an HTTP request to an endpoint.

The ticket is being retrieved correctly, and I'm able to perform the HTTP request. The problem I have is that I can only perform 1 request per ticket; it does not matter if I change the ticket's lifetime in the code.

I'm sending the ticket as part of the HTTP request in the Headers as an Authorization header.

Is there a way to have the ticket not expire after a one time use? Is this normal behavior?

  • What makes you think that the ticket expires? Have you any evidence? – Michael-O Feb 07 '18 at 08:38
  • If you had a decent REST server, it would use SPNego w/ Kerberos only once, to initiate the session, then return some kind of session token (stored in a "signed cookie") to be used instead for the rest of the session. That's how the Hadoop ecosystem deals with SPNego, for example. – Samson Scharfrichter Feb 07 '18 at 08:58
  • @Michael-O What makes me think that the ticket expired is that after the first use, if I attempt to resubmit the same request I'll receive a 401 error. The first time I attempt it I receive a 200 and I have the expected response body. – Juan Ga Feb 07 '18 at 12:49
  • @SamsonScharfrichter I do see a cookie coming back with the first request. I tried sending that cookie as part of the second request and also in the headers as an Authorization header, but got a 400 response with the second approach and a 401 with the first. – Juan Ga Feb 07 '18 at 13:33
  • @JuanGa, the request is a replay then. Java does not maintain a ticket cache as MIT Kerberos, Heimdal or SSPI does. It re-retrieves the service ticket over and over again. – Michael-O Feb 07 '18 at 13:52
  • @SamsonScharfrichter REST is supposed to be stateless. Sessions aren't stateless. A decent server simply binds the auth to the stateful TCP session. Unfortunately, this is not possible in Tomcat and probably in other containers too. – Michael-O Feb 07 '18 at 13:53
  • @michael-o On the other hand Kerberos was never supposed to be used by stateless stuff... So at some point you've got to find a middle ground. – Samson Scharfrichter Feb 07 '18 at 17:59
  • @SamsonScharfrichter Agreed, a security context isn't stateless. – Michael-O Feb 09 '18 at 10:53
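The behaviour the comments describe (a 401 on the second send of the same Authorization header) is expected: the SPNEGO token wraps a Kerberos AP-REQ whose authenticator is single-use, so the server's replay cache rejects it the second time. The client therefore needs a fresh token per request, or the session cookie the server returned. The following is an added example of that pattern in Java GSS-API; it is not code from the original post, and the endpoint URL, the HTTP service principal and the JAAS entry name `KerberosClient` are assumed placeholders (a `jaas.conf` with a `Krb5LoginModule` entry and a working `krb5.conf` are also assumed).

```java
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoClient {
    // Hypothetical values: replace with the real endpoint and its HTTP service principal.
    static final String ENDPOINT = "https://api.example.internal/resource";
    static final String SERVICE = "HTTP@api.example.internal";

    // Build a fresh SPNEGO initial token. The embedded AP-REQ carries a one-time
    // authenticator, so a token may be presented exactly once; a replayed copy is refused.
    static byte[] freshToken() throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName server = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        GSSContext ctx = mgr.createContext(server, spnego, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);            // single leg: we only need the initial token
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        ctx.dispose();
        return token;
    }

    // One GET; when authenticate is true a new Negotiate header is built for this request.
    static int get(boolean authenticate) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(ENDPOINT).openConnection();
        if (authenticate) {
            String b64 = Base64.getEncoder().encodeToString(freshToken());
            c.setRequestProperty("Authorization", "Negotiate " + b64);
        }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        CookieHandler.setDefault(new CookieManager()); // retains any session cookie the server sets
        LoginContext lc = new LoginContext("KerberosClient"); // assumed JAAS entry name
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            System.out.println("fresh token:  " + get(true));  // authenticates with a new AP-REQ
            System.out.println("cookie only:  " + get(false)); // works only if the server issued a session cookie
            System.out.println("fresh token:  " + get(true));  // authenticates again: new token, no replay
            return null;
        });
    }
}
```

Resending the byte-for-byte identical header is what the replay cache is there to catch, so a 401 on the second attempt is the server doing its job rather than the ticket expiring.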
