Why can the Java 1.6 HTTP client authenticate (using SPNEGO) only against certain WebLogic versions?
The Java 1.6 HTTP client inherits its SPNEGO support from Java GSS. This is listed at:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
From the WebLogic side, the answer (to the question of why the Java HTTP client only works with certain versions) lies in a simple test: run a "supported" browser and the Java fat client against the same version of WebLogic, then analyze the network dumps.
Network dumps show:
For the Java fat client (not working against WebLogic 10.3.3):
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
Simple Protected Negotiation
negTokenInit
mechTypes: 1 item
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
For the browser (working against WebLogic 10.3.3):
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
Simple Protected Negotiation
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
I have run multiple tests, whose results I have summed up in the "Takeaway" section.
In all, we see that at most three mech types are involved:
1) 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
2) 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
3) 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
NTLM tokens have never been supported by WebLogic. The remaining two types are what should be of interest. The details about these can be found at:
http://msdn.microsoft.com/en-us/library/ms995330.aspx
Takeaway:
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5):
- does work with WebLogic 10.3.3 and earlier
- does work with WebLogic 10.3.4 and 10.3.5
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5):
- does not work with WebLogic 10.3.3 and earlier
- does work with WebLogic 10.3.4 and 10.3.5
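To see which mechTypes a client offers without opening a packet capture, the following sketch decodes the negTokenInit carried in an "Authorization: Negotiate" header value. It is an added example, not code from the original post or from WebLogic; the function names and the two sample tokens are constructed for illustration, and the samples carry only the mechTypes list (no Kerberos ticket).

```python
import base64

SPNEGO_OID_TLV = bytes.fromhex("06062b0601050502")  # OID 1.3.6.1.5.5.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(header):
    """Return the mechType OIDs, in order, from 'Negotiate <base64>' (or bare base64)."""
    tag, body, _ = read_tlv(base64.b64decode(header.split(" ", 1)[-1]))
    if tag != 0x60 or body[:8] != SPNEGO_OID_TLV:
        raise ValueError("not a SPNEGO initial token")
    rest = body[8:]
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0], NegTokenInit, [0], mechTypes
        tag, rest, _ = read_tlv(rest)
        if tag != expected:
            raise ValueError("unexpected negTokenInit layout")
    mechs = []
    while rest:
        tag, oid, pos = read_tlv(rest)
        if tag != 0x06 or not oid:
            raise ValueError("mechTypes entry is not an OID")
        mechs.append(decode_oid(oid))
        rest = rest[pos:]
    return mechs

# Constructed sample tokens (mechTypes only, no mechToken) mirroring the two dumps.
_hdr = lambda h: "Negotiate " + base64.b64encode(bytes.fromhex(h)).decode()
JAVA_CLIENT = _hdr("601b06062b0601050502a011300fa00d300b06092a864886f712010202")
BROWSER = _hdr("603206062b0601050502a0283026a024302206092a864882f712010202"
               "06092a864886f712010202060a2b06010401823702020a")
```

A token whose list contains only 1.2.840.113554.1.2.2, as JAVA_CLIENT does, matches the case that fails against WebLogic 10.3.3 and earlier in the takeaway above.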