Part V : Secure Authentication Using SPNEGO Java GSS Mechanism

Exercise 8: Using the Java Generic Security Services (GSS) API with SPNEGO

Java GSS is a framework that can support multiple security mechanisms, so a way to negotiate which mechanism to use underneath the GSS-API is needed. SPNEGO provides this.

SPNEGO is standardized at IETF in RFC 4178. It is a pseudo-security mechanism used to negotiate an underlying security mechanism. It provides the flexibility for client and server to securely negotiate a common GSS security mechanism.

Microsoft makes heavy use of SPNEGO. SPNEGO can be used to interoperate with Microsoft servers over HTTP, supporting HTTP-based cross-platform authentication via the Negotiate protocol.

Currently, when using Java GSS with Kerberos, we specify the Kerberos OID as follows:

Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");

In order to use SPNEGO, you only need to specify the SPNEGO OID as follows:

Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

Then you can use the SPNEGO OID when creating a GSSCredential, GSSContext, etc.
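The client side of that handshake, written out as an added example (it is not the lab's GssSpNegoClient): the SPNEGO OID is used for both the credential and the context, the exchange loops until the context is established, and the negotiated mechanism from getMech() is the value printed as "SPNEGO Negotiated Mechanism" in the sample output. It assumes a JAAS entry named "client" in jaas-krb5.conf, a server that reads length-prefixed tokens on the given port, and the class and method names shown, none of which come from the page.

```java
import java.io.*;
import java.net.Socket;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.*;

// Added example (not the lab's GssSpNegoClient): client side of a SPNEGO handshake over a socket.
public class SpnegoHandshakeExample {
    // Tokens are length-prefixed on the wire (assumed to match the server in use).
    static GSSContext negotiate(Socket sock, String service, String host) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");   // SPNEGO; Kerberos would be 1.2.840.113554.1.2.2
        GSSName peer = manager.createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSCredential cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                spnegoOid, GSSCredential.INITIATE_ONLY);   // real mechanism is chosen during negotiation
        GSSContext ctx = manager.createContext(peer, spnegoOid, cred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);                    // authenticate the server as well as the client
        ctx.requestConf(true); ctx.requestInteg(true);  // confidentiality and integrity for wrapped data
        DataInputStream in = new DataInputStream(sock.getInputStream());
        DataOutputStream out = new DataOutputStream(sock.getOutputStream());
        byte[] token = new byte[0];
        while (!ctx.isEstablished()) {
            token = ctx.initSecContext(token, 0, token.length);
            if (token != null) {                 // send the next negotiation token
                out.writeInt(token.length); out.write(token); out.flush();
            }
            if (!ctx.isEstablished()) {          // read the server's reply token
                token = new byte[in.readInt()]; in.readFully(token);
            }
        }
        if (!ctx.getMutualAuthState() || !ctx.getConfState()) {  // a peer may decline a requested flag
            ctx.dispose();
            throw new GSSException(GSSException.UNAVAILABLE, 0, "required protections not negotiated");
        }
        System.out.println("SPNEGO negotiated mechanism = " + ctx.getMech());  // e.g. the Kerberos V5 OID
        return ctx;
    }
    public static void main(String[] args) throws Exception {   // args: service host port
        // "client" is an assumed Krb5LoginModule entry name in the lab's jaas-krb5.conf
        LoginContext lc = new LoginContext("client", new TextCallbackHandler());
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            try (Socket sock = new Socket(args[1], Integer.parseInt(args[2]))) {
                negotiate(sock, args[0], args[1]).dispose();  // wrap()/unwrap() calls would follow here
            }
            return null;
        });
    }
}
```

Checking getMutualAuthState() and getConfState() after establishment matters because the request* calls only express a preference; the flags the peer actually granted are what protect the later wrap()/unwrap() traffic.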

Goal of This Exercise

Currently the only security mechanism available with Java GSS is Kerberos. The goal of this exercise is to learn how to use other Java GSS mechanisms, such as the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), to secure the association.

Steps to Follow

  1. Read the GssSpNegoClient.java code.

  2. Compile the sample code:

    % javac GssSpNegoClient.java

  3. Read the GssSpNegoServer.java code.

  4. Compile the sample code:

    % javac GssSpNegoServer.java

  5. Launch a new window and start the server:

    % java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoServer

  6. Run the client application. GssSpNegoClient takes two parameters: the service name and the name of the server that the service is running on. For example, if the service is host running on the machine j1hol-001, use the following (provide a secure password when prompted):

    % java -Djava.security.auth.login.config=jaas-krb5.conf \
    GssSpNegoClient host j1hol-001

    Sample output for running GssSpNegoServer:

    Authenticated principal: [host/j1hol-001@J1LABS.EXAMPLE.COM]
    Waiting for incoming connections...
    Got connection from client /129.145.128.102
    SPNEGO Negotiated Mechanism = 1.2.840.113554.1.2.2 Kerberos V5
    Context Established!
    Client principal is test@J1LABS.EXAMPLE.COM
    Server principal is host/j1hol-001@J1LABS.EXAMPLE.COM
    Mutual authentication took place!
    Received data "Hello There!" of length 12
    Confidentiality applied: true
    Sending: Hello There! Thu May 06 12:11:15 PDT 2005

    Sample output for running GssSpNegoClient (where password stands for the password you entered):

    Kerberos password for test: password
    Authenticated principal: [test@J1LABS.EXAMPLE.COM]
    Connected to address j1hol-001/129.145.128.102
    SPNEGO Negotiated Mechanism = 1.2.840.113554.1.2.2 Kerberos V5
    Context Established!
    Client principal is test@J1LABS.EXAMPLE.COM
    Server principal is host@j1hol-001
    Mutual authentication took place!
    Sending message: Hello There!
    Will read token of size 93
    Received message: Hello There! Thu May 06 12:11:15 PDT 2005

Summary

In this exercise, you learned how to write a client-server application that uses the Java GSS API with SPNEGO to negotiate an underlying security mechanism (here Kerberos) and then communicate securely using the mechanism that was negotiated.

Note:

Microsoft has implemented certain variations of the SPNEGO protocol. Therefore, to interoperate with Microsoft implementations, a separate mode has been added through the system property sun.security.spnego.msinterop. This property is set to true by default; to disable it, you need to explicitly set it to false. To enable SPNEGO debugging, set the system property sun.security.spnego.debug=true.