Question
While trying to solve this problem we noticed a difference between the SPNEGO Requests (KRB_AP_REQ) from our GSSAPI and SSPI client implementations:
Using GSSAPI, the mutualFlag is set to False.
Using SSPI the mutualFlag is set to True.
In our Java code calling GSSAPI we can explicitly set the flag to true or false as required, but I have found no way to do this using Waffle / SSPI.
Searching the Waffle code on GitHub for “mutual” gave only one hit: for the constant ISC_REQ_MUTUAL_AUTH.
Is there a way to set the mutualFlag explicitly via Waffle / SSPI?
i.e. something equivalent to the GSSAPI code below:
GSSContext context = gssManager.createContext(serverName, mechOid, null, GSSContext.DEFAULT_LIFETIME);
context.requestMutualAuth(false);
Answer 1:
I do not recommend disabling mutual auth, though. Waffle's abstraction is too high. We have the same issue: we wanted to modify context flags. We had to modify the source code and recompile. Raise an issue with Waffle and provide a PR at best.
The code in question is here: https://github.com/Waffle/waffle/blob/0c6f832222b59537847281adf7d2959583809dff/Source/JNA/waffle-jna/src/main/java/waffle/windows/auth/impl/WindowsSecurityContextImpl.java#L117-L119
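To compare what the two clients actually send, the flag can be read from the token bytes directly. This is an added example, not part of the original question or answer and not Waffle code; it assumes the flag being compared is the mutual-required bit of the AP-REQ ap-options field (RFC 4120), and `sample_token` builds a constructed input with placeholder ticket and authenticator.

```python
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"     # RFC 4121 token id that precedes an AP-REQ
MUTUAL_REQUIRED = 0x20          # APOptions bit 2, counted from the MSB (RFC 4120)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def mutual_required(token):
    """Return the AP-REQ mutual-required bit from a Kerberos GSS or SPNEGO token."""
    marker = KRB5_OID + TOK_ID_AP_REQ   # in SPNEGO mechTypes the OID is not followed by 01 00
    start = token.find(marker)
    if start < 0:
        raise ValueError("no Kerberos AP-REQ mechanism token found")
    tag, ap_req, _ = read_tlv(token, start + len(marker))
    if tag != 0x6E:                     # [APPLICATION 14] = AP-REQ
        raise ValueError("expected AP-REQ")
    _, fields, _ = read_tlv(ap_req, 0)  # the SEQUENCE inside the AP-REQ
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA2:                 # [2] ap-options
            _, bits, _ = read_tlv(value, 0)  # BIT STRING: unused-bits octet, then flags
            if len(bits) < 2:
                raise ValueError("empty ap-options")
            return bool(bits[1] & MUTUAL_REQUIRED)
    raise ValueError("ap-options missing")


def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, enough for the sample

def sample_token(first_flag_octet):
    """Constructed input: real field layout, empty placeholder ticket and authenticator."""
    fields = (tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0e"))
              + tlv(0xA2, tlv(0x03, bytes([0, first_flag_octet, 0, 0, 0])))
              + tlv(0xA3, b"") + tlv(0xA4, b""))
    return tlv(0x60, KRB5_OID + TOK_ID_AP_REQ + tlv(0x6E, tlv(0x30, fields)))
```

Pass `mutual_required` the decoded token bytes captured from each client to see which one requests mutual authentication.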
Source: https://stackoverflow.com/questions/60490501/waffle-sspi-how-to-set-the-spnego-mutualflag