Credential Delegation

Java GSS-API allows the client to securely delegate its credentials to the server, such that the server can initiate other security contexts on behalf of the client. This feature is useful for single sign-on in a multi-tier environment.

The client requests credential delegation prior to making the first call to initSecContext(). For example:

    void GSSContext.requestCredDeleg(boolean state) throws GSSException

The server receives the delegated credential after context establishment. For example:

    GSSCredential GSSContext.getDelegCred() throws GSSException

The server can then pass this GSSCredential to GSSManager.createContext() and initiate a new context on behalf of the client, as if it were the client. In the case of the Kerberos V5 mechanism, the delegated credential is a forwarded ticket-granting ticket (TGT) that is encapsulated in the first token sent from the client to the server. Using this TGT, the server can obtain a service ticket on behalf of the client for any other service.
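The following is an added example, not code from the Java GSS-API documentation, showing both sides of the exchange described above: the client asks for delegation before its first initSecContext() call, and the server checks that delegation was actually granted before picking up the forwarded TGT and initiating to a second tier as the client. The Transport interface, the service names and the use of mutual authentication are assumptions for the example; the token transport itself (for example a socket) is left to the reader.

```java
import org.ietf.jgss.*;

/** Constructed example: a delegating client and a server that acts on its behalf. */
public class DelegationExample {
    static final Oid KRB5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID

    /** Hypothetical token transport, e.g. backed by a socket. */
    interface Transport { void send(byte[] token); byte[] receive(); }

    /** Runs the initiator loop until the context is established. */
    static void initiate(GSSContext ctx, Transport t) throws GSSException {
        byte[] token = new byte[0];
        while (!ctx.isEstablished()) {
            token = ctx.initSecContext(token, 0, token.length);
            if (token != null) t.send(token);
            if (!ctx.isEstablished()) token = t.receive();
        }
    }

    /** Client: delegation must be requested BEFORE the first initSecContext() call. */
    static GSSContext clientConnect(String service, Transport t) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE); // e.g. "host@mid.example.com"
        GSSContext ctx = mgr.createContext(peer, KRB5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // assumed policy: authenticate the server we hand a TGT to
        ctx.requestCredDeleg(true);   // forwarded TGT travels in the first token
        initiate(ctx, t);
        return ctx;
    }

    /** Server: accept the client, then use the delegated TGT against a backend service. */
    static void serverAccept(String backend, Transport client, Transport tier2) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSContext ctx = mgr.createContext((GSSCredential) null); // default acceptor credential
        while (!ctx.isEstablished()) {
            byte[] in = client.receive();
            byte[] out = ctx.acceptSecContext(in, 0, in.length);
            if (out != null) client.send(out);
        }
        // A client may decline to delegate; getDelegCred() is then null, so check the state first.
        if (!ctx.getCredDelegState()) {
            System.out.println(ctx.getSrcName() + " did not delegate; cannot reach " + backend);
            return;
        }
        GSSCredential delegated = ctx.getDelegCred();
        System.out.println("TGT forwarded by " + delegated.getName()
                + ", valid for " + delegated.getRemainingLifetime() + "s");
        // Initiate to the next tier AS the client: the server's own identity is not used here.
        GSSName next = mgr.createName(backend, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext onward = mgr.createContext(next, KRB5, delegated, GSSContext.DEFAULT_LIFETIME);
        initiate(onward, tier2);
        onward.dispose();
        delegated.dispose(); // release the forwarded TGT as soon as it is no longer needed
    }
}
```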