Java GSSAPI: Compare two GSSCredential Instances

Question

My code currently works fine executing SPNEGO (Kerberos) authentication for users of my website. I have a special caching mechanism in place to accelerate some decisions based on confirmation of the user's identity. For plain password authentication this is simple enough - compare the "current" user+password combo with the "old" one - if there's no change, the decisions can still be cached. Otherwise, they need to be re-evaluated.

I'm trying to do the same for Kerberos. I've got it mostly working, but I'm baffled why GSSCredential.equals() wouldn't be working. In particular, the GSSCredential instances I obtain after authenticating each request are "identical" in that they're for the same user, same service, even obtained under the same circumstances (I think). If I do a toString() and I compare the outputs they're the same (yes, I know this is irrelevant, but it's still a good indication that they probably should be equal).

However, GSSCredential_1.equals(GSSCredential_2) always returns false between requests. This could be because each is obtained using a different SPNEGO ticket (which is necessary, as per Kerberos, to avoid replay scenarios), but those tickets still belonged to the same principal and were "aimed" at the same service principal.

The code decision I need to make is best articulated as such:

do these new credentials represent the same security principal as the previously-used ones? The questions of expiry, validity-for-purpose and whatnot get evaluated separately, and later.

Comparing their names "works", but I was hoping for something a little more robust.

Any ideas?

I don't think you're going to get any better than comparing names. Do you have a scenario where that could fail? — Marko Topolnik, Apr 23 '12 at 18:14

score 0 · Answer 1 · answered Apr 25 '12 at 10:54

According to the javadocs for the GSSCredentials.equals method

Tests if this GSSCredential asserts the same entity as the supplied object. The two credentials must be acquired over the same mechanisms and must refer to the same principal.

Using the equals method should suffice. However looking at the implementation shows the reason behind the strange behavior:

public boolean equals(Object another) {

    if (destroyed) {
        throw new IllegalStateException("This credential is " +
                                    "no longer valid");
    }

    if (this == another) {
        return true;
    }

    if (!(another instanceof GSSCredentialImpl)) {
        return false;
    }

    // NOTE: The specification does not define the criteria to compare
    // credentials.
    /*
     * XXX
     * The RFC says: "Tests if this GSSCredential refers to the same
     * entity as the supplied object.  The two credentials must be
     * acquired over the same mechanisms and must refer to the same
     * principal.  Returns "true" if the two GSSCredentials refer to
     * the same entity; "false" otherwise."
     *
     * Well, when do two credentials refer to the same principal? Do
     * they need to have one GSSName in common for the different
     * GSSName's that the credential elements return? Or do all
     * GSSName's have to be in common when the names are exported with
     * their respective mechanisms for the credential elements?
     */
    return false;
}

This clearly shows that you'll only get true returned when you provide the exact same object instance. So I guess you need to compare both the GSSName and the Oid (mechanism).

Java GSSAPI: Compare two GSSCredential Instances

1 Answers1