Java Security

How to use constrained delegation with JDBC drivers in Java 8

user8975258 Aug 4 2016 — edited Aug 4 2016

Java 8 introduced implementations for the two Microsoft extensions to the Kerberos protocol - S4U2Self and S4U2Proxy. In the Oracle release note for the feature, https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html, it's noted that "This feature is very useful in secure enterprise deployments. For example, in a typical network service, the front end (such as a web server) often needs to access the back end (such as a database server) on behalf of a client". However, I'm unable to find any documentation on how a middle-tier service obtaining a credential through constrained delegation would actually pass it to a JDBC driver. With unconstrained delegation, one can pass the credential in a Subject and then invoke Subject.doAs(). This doesn't seem to work with constrained delegation; instead, the credential should be passed directly to initSecContext(), which is usually the driver's job to do, but there is no mechanism to pass this credential to the driver.

Has anyone been successful in using this feature in this context?

Locked on Sep 1 2016
Added on Aug 4 2016
0 comments
978 views
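
The flow the question describes, as an added example that is not part of the original post or of any driver's code: the middle tier logs in as itself, obtains an impersonated credential via `ExtendedGSSCredential.impersonate()` (S4U2self), and hands that credential explicitly to `createContext()` so that `initSecContext()` requests the back-end ticket through S4U2proxy. The JAAS entry name, user name and service name are constructed, and the code assumes a KDC on which the middle-tier account is allowed to delegate to that one back-end service.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

public class ConstrainedDelegationSketch {
    // Constructed values (assumptions, not from the post):
    private static final String JAAS_ENTRY = "middle-tier";        // Krb5LoginModule entry using the service keytab
    private static final String END_USER   = "alice@EXAMPLE.COM";  // user to act on behalf of
    private static final String BACKEND    = "backend@db.example.com"; // host-based name of the back-end service

    public static void main(String[] args) throws Exception {
        // 1. The middle tier authenticates as itself; no user password or TGT is involved.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();

        byte[] firstToken = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID

            // 2. The service's own initiator credential, taken from the Subject above.
            GSSCredential self = mgr.createCredential(GSSCredential.INITIATE_ONLY);

            // 3. S4U2self: ask the KDC for a ticket to ourselves in the user's name.
            GSSName user = mgr.createName(END_USER, GSSName.NT_USER_NAME);
            GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);

            // 4. S4U2proxy: the impersonated credential is passed explicitly here,
            //    not looked up from the Subject, which is the difference the post points out.
            GSSName backend = mgr.createName(BACKEND, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(backend, krb5, impersonated,
                                               GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);

            // First context token; the transport layer would send this to the back end
            // and feed the reply into further initSecContext() calls.
            return ctx.initSecContext(new byte[0], 0, 0);
        });

        System.out.println("Initial context token: " + firstToken.length + " bytes");
    }
}
```

Whether a given JDBC driver exposes a way to accept such a `GSSCredential` is driver-specific and is not shown here.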