- Type: New Feature
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Authentication
Currently, a credential for the GSSAPI mechanism is limited in its configurability. GSSAPI authentication relies on the AccessControlContext bound to the thread that it's executing on, and a Subject based on the LoginContext for "com.sun.security.jgss.krb5.initiate", which must be configured via system properties.
However, some Kerberos users require more flexibility. In particular, some users require the ability to create MongoCredential instances for GSSAPI authentication based on multiple Subject instances, in a single JVM. Currently, this is not possible.
Additionally, some users require the ability to customize the SaslClient that implements the SASL conversation for GSSAPI, and that may require customization of the properties that must be passed to SaslClientFactory.createClient. Currently, there is no way to customize these properties.
To address this, we propose to add two MongoCredential mechanism properties:
- To override the javax.security.auth.Subject with which the authentication executes, add a mechanism property with the name "JAVA_SUBJECT" with the value of a Subject instance.
- To override the properties with which the SaslClient is created, add a mechanism property with the name "JAVA_SASL_CLIENT_PROPERTIES" with the value of a Map<String, Object> instance.
- is duplicated by: JAVA-1019 Ability to support multiple Kerberos keytab files (Closed)