Package: com.kaazing.gateway.client.security
Class: public class KerberosChallengeHandler
Inheritance: KerberosChallengeHandler → NegotiableChallengeHandler → ChallengeHandler

A KerberosChallengeHandler, when registered with the DispatchChallengeHandler, can be used to respond directly to "Negotiate" challenges where Kerberos-generated authentication credentials are required. In addition, a KerberosChallengeHandler can be used indirectly, in conjunction with a NegotiateChallengeHandler, to assist in the construction of a challenge response using object identifiers.

This abstract class captures common requirements for a number of implementation flavors for Kerberos, including Microsoft's SPNEGO implementation, and a SPNEGO Kerberos v5 GSS implementation.

To successfully use a KerberosChallengeHandler, one must know one or more Kerberos KDC service locations and optionally (if not defaulted to HTTP/requestedURIHostname) provide the name of the specific service being requested.

  1. For the KDC service location, one must establish either
    • a default Kerberos KDC service location, using setDefaultLocation(String), or
    • a mapping from a Kerberos Realm to at least one Kerberos KDC service location using setRealmLocation(String, String).
  2. For the non-defaulted service name being requested, one can configure the service name using setServiceName(String).

For example, one may install a configured Kerberos challenge handler as:

 var someServerLoginHandler:LoginHandler = ...; // perhaps this pops a dialog
 // Locations are passed as Strings, matching the setDefaultLocation() and
 // setRealmLocation() signatures documented below.
 ChallengeHandlers.setDefault((ChallengeHandlers.load(DispatchChallengeHandler.class) as DispatchChallengeHandler)
     .register("servergw.hostname.com:8000/jms",
         (ChallengeHandlers.load(KerberosChallengeHandler.class) as KerberosChallengeHandler)
             .setDefaultLocation("ws://kb.hostname.com/kerberos5")
             .setRealmLocation("ATHENA.MIT.EDU", "ws://athena.hostname.com/kerberos5")
             .setServiceName("HTTP/servergw.hostname.com")
             .setLoginHandler(someServerLoginHandler)
     )
 );
 

Following the code above, any user attempting to access "servergw.hostname.com:8000/jms" will be challenged using a {



Public Methods

canHandle(challengeRequest:ChallengeRequest):Boolean
    Can the presented challenge be potentially handled by this challenge handler?
    Defined by: ChallengeHandler (inherited)

clear(... realmNames):KerberosChallengeHandler
    Clear any data associated with the provided realm names, including any realm-specific location information.
    Defined by: KerberosChallengeHandler

defaultImplementation():String
    [static] Called to automatically discover the default implementation when loading this challenge handler.
    Defined by: KerberosChallengeHandler

getDefaultLocation():String
    Retrieve the specified default location.
    Defined by: KerberosChallengeHandler

Get the general login handler associated with this challenge handler.
    Defined by: NegotiableChallengeHandler (inherited)

getRealmLocation(realmName:String):String
    Return the URI to be used for Kerberos service requests when a user in the realm mentioned provides credentials.
    Defined by: KerberosChallengeHandler

getServiceName():String
    Retrieve the service name.
    Defined by: KerberosChallengeHandler

Return a collection of string representations of object identifiers supported by this challenge handler implementation, in dot-separated notation.
    Defined by: NegotiableChallengeHandler (inherited)

handle(challengeRequest:ChallengeRequest, callback:Function):ChallengeResponseFuture
    Handle the presented challenge by creating a challenge response future.
    Defined by: ChallengeHandler (inherited)

setDefaultLocation(location:String):KerberosChallengeHandler
    Set the default location to connect to a Kerberos service.
    Defined by: KerberosChallengeHandler

Provide a general login handler to be used in association with this challenge handler.
    Defined by: NegotiableChallengeHandler (inherited)

setRealmLocation(realmName:String, location:String):KerberosChallengeHandler
    Specify the connect location of a Kerberos service to be used for users in the named realm.
    Defined by: KerberosChallengeHandler

setServiceName(serviceName:String):KerberosChallengeHandler
    Specify the service principal name for which a ticket is desired.
    Defined by: KerberosChallengeHandler

Method detail
clear() method
public function clear(... realmNames):KerberosChallengeHandler

Clear any data associated with the provided realm names, including any realm-specific location information. The default location and the service name are never affected by this call, so a cleared challenge handler can be used further without re-initialization. If no realm names are specified, ALL realm-specific data associated with this challenge handler is cleared. If some realm names are specified, ONLY the data associated with those realms in this challenge handler is cleared.

Parameters
... realmNames

Returns
KerberosChallengeHandler — a reference to this object, for chained call support.
defaultImplementation() method
public static function defaultImplementation():String

Called to automatically discover the default implementation when loading this challenge handler.

Returns
String
getDefaultLocation() method
public function getDefaultLocation():String

Retrieve the specified default location.

Returns
String — the default kerberos location to connect to, or null if none has been specified.
getRealmLocation() method
public function getRealmLocation(realmName:String):String

Return the URI to be used for Kerberos service requests when a user in the realm mentioned provides credentials.

Parameters
realmName:String — the name of the realm for which to find URIs

Returns
String — the URI to be used for Kerberos service requests when a user in the realm mentioned provides credentials, or getDefaultLocation() if no such URI exists.
getServiceName() method
public function getServiceName():String

Retrieve the service name.

Returns
String — the previously specified service name, or null if none has been specified.
setDefaultLocation() method
public function setDefaultLocation(location:String):KerberosChallengeHandler

Set the default location to connect to a Kerberos service.

If not specified, this challenge handler will only correctly connect to realms specified using setRealmLocation().

Parameters
location:String — the location of the Kerberos service to connect to by default, if a realm-specific location is not specified.

Returns
KerberosChallengeHandler — a reference to this object, for chained call support.
setRealmLocation() method
public function setRealmLocation(realmName:String, location:String):KerberosChallengeHandler

Specify the connect location of a Kerberos service to be used for users in the named realm.

Parameters
realmName:String — the realm for which a specific location is to be specified
 
location:String — a specific location to be used for Kerberos service requests when a user in the realm mentioned provides credentials.

Returns
KerberosChallengeHandler — a reference to this object, for chained call support.
setServiceName() method
public function setServiceName(serviceName:String):KerberosChallengeHandler

Specify the service principal name for which a ticket is desired.

If not specified, this challenge handler will not provide a service principal name.

Parameters
serviceName:String — the service principal name for which a ticket is desired.

Returns
KerberosChallengeHandler — a reference to this object, for chained call support.
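
The realm lookup and clear() semantics documented above, modelled in TypeScript as an added example (this is not Kaazing's code, and not part of the original page). The class name KerberosLocationModel and the helpers locationForPrincipal() and buildExample() are hypothetical; deriving the realm from a "user@REALM" principal is an assumption about how a caller would pick the realm name.

```typescript
// Illustrative model of the documented behaviour; not Kaazing's implementation.
class KerberosLocationModel {
  private defaultLocation: string | null = null;
  private serviceName: string | null = null;
  private realmLocations: { [realm: string]: string } = Object.create(null);

  setDefaultLocation(location: string): this { this.defaultLocation = location; return this; }
  setServiceName(serviceName: string): this { this.serviceName = serviceName; return this; }
  setRealmLocation(realmName: string, location: string): this {
    this.realmLocations[realmName] = location;
    return this;
  }
  getDefaultLocation(): string | null { return this.defaultLocation; }
  getServiceName(): string | null { return this.serviceName; }

  // Realm-specific location when one is mapped, otherwise the default location.
  getRealmLocation(realmName: string): string | null {
    const mapped = this.realmLocations[realmName];
    return mapped !== undefined ? mapped : this.defaultLocation;
  }

  // No arguments: drop every realm mapping; otherwise drop only the named realms.
  // The default location and the service name are left untouched.
  clear(...realmNames: string[]): this {
    if (realmNames.length === 0) this.realmLocations = Object.create(null);
    else realmNames.forEach((realm) => { delete this.realmLocations[realm]; });
    return this;
  }

  // Hypothetical helper (assumption): choose the location for a "user@REALM" principal.
  locationForPrincipal(principal: string): string {
    const at = principal.lastIndexOf("@");
    if (at < 1 || at === principal.length - 1) {
      throw new Error("principal has no realm: " + principal);
    }
    const location = this.getRealmLocation(principal.slice(at + 1));
    if (location === null) throw new Error("no Kerberos location for " + principal);
    return location;
  }
}

// Constructed configuration reusing the values from the page's example.
function buildExample(): KerberosLocationModel {
  return new KerberosLocationModel()
    .setDefaultLocation("ws://kb.hostname.com/kerberos5")
    .setRealmLocation("ATHENA.MIT.EDU", "ws://athena.hostname.com/kerberos5")
    .setServiceName("HTTP/servergw.hostname.com");
}
```

The last case in the model, a handler with realm mappings but no default location, is the situation setDefaultLocation() describes: only the mapped realms resolve, and every other realm has no location to connect to.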