@@ -93,9 +93,10 @@ mechanism:
9393 .. include:: /includes/fundamentals/code-snippets/auth-credentials-gssapi.rst
9494
9595
96- In order to acquire a Kerberos ticket, the GSSAPI Java libraries require
97- you to specify the realm and Key Distribution Center (KDC) system
98- properties. See the sample settings in the example below:
96+ In order to acquire a
97+ `Kerberos ticket <https://docs.oracle.com/en/java/javase/11/docs/api/java.security.jgss/javax/security/auth/kerberos/KerberosTicket.html>`__,
98+ the GSSAPI Java libraries require you to specify the realm and Key Distribution
99+ Center (KDC) system properties. See the sample settings in the example below:
99100
100101.. code-block:: none
101102
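Review bot: The link added on "Kerberos ticket" (new lines 96-97) points at the Java SE 11 Javadoc for the `KerberosTicket` class, which documents a class readers never touch in this procedure and says nothing about the realm and KDC system properties the sentence is actually about. Consider linking to a conceptual Kerberos reference instead, or dropping the link. If the Javadoc link stays, note that it is pinned to one Java release and will not follow the JDK versions the driver supports.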
@@ -109,6 +110,7 @@ You may need to specify one or more of the following additional
109110- ``CANONICALIZE_HOST_NAME``
110111- ``JAVA_SUBJECT``
111112- ``JAVA_SASL_CLIENT_PROPERTIES``
113+ - ``JAVA_SUBJECT_PROVIDER``
112114
113115.. tabs::
114116 :hidden:
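Review bot: The new ``JAVA_SUBJECT_PROVIDER`` entry (new line 113) sits in the general property list with no indication that it can only be set through ``MongoCredential``, although the Connection String tab added later in this patch states that the connection string does not support it. A reader scanning this list will not learn that until about 60 lines further down. Suggest a short qualifier on the list item or a sentence after the list saying which of these properties are ``MongoCredential``-only.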
@@ -123,6 +125,7 @@ You may need to specify one or more of the following additional
123125
124126 - ``JAVA_SUBJECT``
125127 - ``JAVA_SASL_CLIENT_PROPERTIES``
128+ - ``JAVA_SUBJECT_PROVIDER``
126129
127130 Select the :guilabel:`MongoCredential` tab to see how to specify
128131 them.
@@ -150,12 +153,42 @@ You may need to specify one or more of the following additional
150153 - :java-docs:`CANONICALIZE_HOST_NAME_KEY </apidocs/mongodb-driver-core/com/mongodb/MongoCredential.html#CANONICALIZE_HOST_NAME_KEY>`
151154 - :java-docs:`JAVA_SUBJECT_KEY </apidocs/mongodb-driver-core/com/mongodb/MongoCredential.html#JAVA_SUBJECT_KEY>`
152155 - :java-docs:`JAVA_SASL_CLIENT_PROPERTIES_KEY </apidocs/mongodb-driver-core/com/mongodb/MongoCredential.html#JAVA_SASL_CLIENT_PROPERTIES_KEY>`
156+ - :java-docs:`JAVA_SUBJECT_PROVIDER_KEY </apidocs/mongodb-driver-core/com/mongodb/MongoCredential.html#JAVA_SUBJECT_PROVIDER_KEY>`
153157
154158 Your code to instantiate a ``MongoClient`` using GSSAPI and additional
155159 properties might resemble the following:
156160
157161 .. include:: /includes/fundamentals/code-snippets/auth-credentials-gssapi-properties.rst
158162
163+
164+ By default, the Java driver caches Kerberos tickets by ``MongoClient`` instance.
165+ If your deployment needs to frequently create and destroy ``MongoClient`` instances,
166+ you can change the default Kerberos ticket caching behavior to cache by process
167+ to improve performance.
168+
169+ .. tabs::
170+ :hidden:
171+
172+ .. tab::
173+ :tabid: Connection String
174+
175+ To cache Kerberos tickets by process, you must use the ``MongoCredential`` authentication
176+ mechanism, as the connection string authentication mechanism does not support the ``JAVA_SUBJECT_PROVIDER``
177+ mechanism property. If you would like to cache Kerberos tickets by process, select the :guilabel:`MongoCredential`
178+ tab to learn how to accomplish this.
179+
180+ .. tab::
181+ :tabid: MongoCredential
182+
183+ To cache Kerberos tickets by process, you must specify the ``JAVA_SUBJECT_PROVIDER``
184+ mechanism property and provide a
185+ `KerberosSubjectProvider <https://mongodb.github.io/mongo-java-driver/4.2//apidocs/mongodb-driver-core/com/mongodb/KerberosSubjectProvider.html#%3Cinit%3E()>`__
186+ in your ``MongoCredential`` instance. The code to configure the Java driver to cache Kerberos tickets
187+ by process should resemble the following:
188+
189+ .. include:: /includes/fundamentals/code-snippets/auth-credentials-gssapi-ticket-cache.rst
190+
191+
159192.. note::
160193
161194 On Windows, Oracle’s JRE uses `LSA <https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326.aspx>`__
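Review bot: The `KerberosSubjectProvider` link in the MongoCredential tab (new line 185) is a raw URL with a doubled slash (`4.2//apidocs`) and a hard-coded 4.2 version, while the property keys listed a few lines above (new lines 153-156) use the `:java-docs:` role. Please switch this link to the same role so it follows the documented driver version and the path is built consistently. Separately, the paragraph at new lines 164-167 presents per-process caching only as a performance option. It should also state the scope change it implies, namely that the cached ticket is no longer tied to a single ``MongoClient`` instance, so readers running clients with different principals in one process know to check whether that fits their deployment. The extra blank lines at new lines 163 and 190-191 can be dropped.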