Tuesday, November 29, 2011

Why can the Java 1.6 HTTP client authenticate (using SPNEGO) only against certain WebLogic versions?

The Java 1.6 HTTP client inherits its SPNEGO support from Java GSS. This is listed at:
    http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

On the WebLogic side, the answer (to the question of why the Java HTTP client only works with certain versions) lies in a simple test: authenticate with a "supported" browser and with a Java fat client against the same WebLogic version, then compare the network dumps.

Network dumps show:

For the Java fat client (not working against WebLogic 10.3.3):
GSS-API Generic Security Service Application Program Interface
              OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
              Simple Protected Negotiation
                              negTokenInit
                                              mechTypes: 1 item
                                                 MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)


For the browser (working against WebLogic 10.3.3):
GSS-API Generic Security Service Application Program Interface
              OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
              Simple Protected Negotiation
                              negTokenInit
                                              mechTypes: 3 items
                                                              MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                                                              MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                                              MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

I have run multiple tests, whose results I have summed up in the section "Takeaway".

In all, at most three mech types are involved:
1) 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
2) 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
3) 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)


NTLM tokens have never been supported by WebLogic. The remaining two types are the ones of interest; details about them can be found at:
       http://msdn.microsoft.com/en-us/library/ms995330.aspx


Takeaway:

MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
- does work with WebLogic 10.3.3 and earlier
- does work with WebLogic 10.3.4, 10.3.5

MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5):
- does not work on WLS 10.3.3 and earlier
- does work on WLS 10.3.4 and 10.3.5
