Developing Custom GSS Mechanism
My team is in the process of building a client/server platform in Java that interoperates with a proprietary platform. The existing platform uses a proprietary security architecture that was inspired by Kerberos (v4?).
Rather than develop my own security API, the JGSS-API seems like a good fit for me.
If I can prove that our proprietary mechanism can be adapted to JGSS in this emerging platform, we may decide to invest in factoring the legacy platform to use the C GSS bindings. The logical reason for doing this would be to eventually swap out the legacy security architecture altogether for Kerberos and, in theory, achieve SSO with other applications with little effort (OK, so I'm an optimist).
I see where I am able to register a java.security.Provider for a given mechanism through GSSManager#addProviderAtFront/Back, but the documentation seems to indicate that a GSSManager can be overridden to disallow this.
Nevertheless, it seems awkward for me to have to bootstrap my security mechanism in a programmatic fashion when other such security providers can be registered through SPI. Am I missing something or should GSS have an SPI mechanism for this purpose? Does it have one that I'm missing?
I have a feeling this is not the beaten path, but it seems that a tutorial for GSS providers would come in handy here. I'd be willing to assist in putting one together if I could get some nudges in the right direction.
Any insight is much welcome,
Thanks,
Refactor77
