HTTP binding of Kerberos GSS API - Behaviour with Mutual Auth
Greg Hudson
ghudson at MIT.EDU
Wed Nov 13 11:40:13 EST 2013

On 11/13/2013 02:46 AM, Arpit Srivastava wrote:
> The expected response is HTTP 401 with a token (which I will again feed to
> init_sec_context to generate the next token to be sent to server).
Mutual authentication only requires a token from server to client.  It
does not require a second token from client to server.  (There is a mode
of the Kerberos mechanism which does involve a second client->server
token, but it is only used with DCE RPC.)
> 1. When to stop the context establishment loop - when I receive the
> intended HTTP response (and not HTTP 401) or when context.isEstablished()
> becomes true ?
The latter; but the last token may not be generated by gss_init_sec_context.
> 2. Is this behaviour correct - getting the HTTP response which is not HTTP
> 401 even if the context is not fully established ?
It seems correct.  The server has gotten all the authentication
information it expects to get from the client.
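The client loop implied by these answers, as an added example that is not part of the thread: the context is abstracted behind a minimal step/complete interface (a real client would put a GSS-API binding behind it), the `send` callable and the `FakeMutualContext` initiator are constructed stand-ins, and the loop terminates on the context being established rather than on the HTTP status, so the server-to-client token carried in a non-401 response is still verified before the response is trusted.

```python
import base64
from typing import Callable, Optional, Protocol, Tuple

class GssContext(Protocol):
    """Minimal initiator interface assumed here (mirrors step/complete of GSS bindings)."""
    complete: bool
    def step(self, in_token: Optional[bytes]) -> Optional[bytes]: ...

def negotiate_token(headers: dict) -> Optional[bytes]:
    """Decode the token from a 'WWW-Authenticate: Negotiate <base64>' header, if present."""
    scheme, _, b64 = headers.get("WWW-Authenticate", "").partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return None
    return base64.b64decode(b64)

def negotiate(ctx: GssContext, send: Callable[[bytes], Tuple[int, dict]]) -> Tuple[int, dict]:
    """Drive context establishment. send(token) performs one HTTP request carrying
    'Authorization: Negotiate <token>' and returns (status, headers).
    The loop stops when ctx.complete is true, not when the status stops being 401:
    with mutual auth the final (non-401) response still carries the server's token."""
    server_token: Optional[bytes] = None
    status, headers = 0, {}
    while not ctx.complete:
        out = ctx.step(server_token)
        if out is None:                      # last token was server->client; nothing to send
            if not ctx.complete:
                raise RuntimeError("mechanism produced no token but context is not established")
            continue
        status, headers = send(out)
        server_token = negotiate_token(headers)
        if server_token is None and not ctx.complete:
            # 401 without continuation, or a 2xx that omits the mutual-auth token:
            # the server has not proven its identity, so the body must not be trusted.
            raise PermissionError(f"HTTP {status} without a Negotiate token before mutual auth completed")
    return status, headers

class FakeMutualContext:
    """Constructed two-leg initiator: leg 1 emits the client token, leg 2 verifies the
    server token and completes. Token bytes are placeholders, not real Kerberos messages."""
    def __init__(self) -> None:
        self.complete, self.legs = False, 0
    def step(self, in_token: Optional[bytes]) -> Optional[bytes]:
        self.legs += 1
        if self.legs == 1:
            return b"AP-REQ"
        if in_token != b"AP-REP":
            raise PermissionError("server token failed verification")
        self.complete = True
        return None

def honest_server(token: bytes) -> Tuple[int, dict]:
    # Constructed server: accepts the client token and returns 200 plus its own token.
    return 200, {"WWW-Authenticate": "Negotiate " + base64.b64encode(b"AP-REP").decode()}

def silent_server(token: bytes) -> Tuple[int, dict]:
    # Constructed server: returns the resource but never proves its identity.
    return 200, {}
```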