Note: If
this option is enabled (which it is by default), the GSSCredential
is not serializable and cannot be propagated to the downstream server.The
client Kerberos delegation credential is extracted and the KRBAuthnToken
base is created. The KRBAuthnToken contains the client Kerberos delegation
and can be propagated to a downstream server.
If you want to propagate
the KRBAuthnToken to a downstream server, the client Ticket Granting
Ticket (TGT) must contain addressless and forwardable options. If
a client TGT is addressed the downstream server does not have a client
GSS delegation credential after it is propagated.
You can extract
the client delegation GSSCredential from the KRBAuthnToken by using
the KRBAuthnToken.getGSSCredential() method.