Describe the feature
AWS SDK2 Java does not provide ability to authenticate to AWS STS via proxy that requires Kerberos Authentication.
Use Case
Need to connect from on-prem to AWS STS API via proxy which requires Kerberos authentication .
We have run into a limitation of the AWS SDK ApacheHttpClient which doesn’t allow for customization of the builder:
https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153
which is required for us to configure the setDefaultAuthSchemeRegistry and setDefaultCredentialsProvider:
Proposed Solution
As a workaround we implemented a forked implementation of the AWS ApacheHttpClient to override the AuthSchemeProvider which will consider canonicalHostName of proxy by default for kerberos authemtication .
We added below code snippet to the builder at the following line https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153
Registry<AuthSchemeProvider> authSchemeProviderRegistry = configuration.authSchemeProviderRegistry;
if (authSchemeProviderRegistry == null) {
authSchemeProviderRegistry = RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.BASIC, new BasicSchemeFactory())
.register(AuthSchemes.DIGEST, new DigestSchemeFactory())
.register(AuthSchemes.NTLM, new NTLMSchemeFactory())
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
.register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(true, false)).build();
}
builder.setDefaultAuthSchemeRegistry(authSchemeProviderRegistry);
We also had to use this system property in our application to make the kerberos negotiator work with AWS SDK Java 2 client
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
Other Information
No response
Acknowledgements
AWS Java SDK version used
aws sdk java v2
JDK version used
17 and 21
Operating System and version
Windows Server 2016 Standard/ Linux
Describe the feature
AWS SDK2 Java does not provide ability to authenticate to AWS STS via proxy that requires Kerberos Authentication.
Use Case
Need to connect from on-prem to AWS STS API via proxy which requires Kerberos authentication .
We have run into a limitation of the AWS SDK ApacheHttpClient which doesn’t allow for customization of the builder:
https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153
which is required for us to configure the setDefaultAuthSchemeRegistry and setDefaultCredentialsProvider:
Proposed Solution
As a workaround we implemented a forked implementation of the AWS
ApacheHttpClientto override the AuthSchemeProvider which will considercanonicalHostNameof proxy by default for kerberos authemtication .We added below code snippet to the builder at the following line https://github.com/aws/aws-sdk-java-v2/blob/2.20.156/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/ApacheHttpClient.java#L153
We also had to use this system property in our application to make the kerberos negotiator work with AWS SDK Java 2 client
Other Information
No response
Acknowledgements
AWS Java SDK version used
aws sdk java v2
JDK version used
17 and 21
Operating System and version
Windows Server 2016 Standard/ Linux