Java sample for SSO using JAAS on XP SP2, did anybody get it to work?
Seema Malkani
Seema.Malkani at Sun.COM
Tue Apr 5 18:32:51 EDT 2005
You can set system properties programmatically via java.lang.System class :-
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
To specify the JAAS Kerberos Login Configuration file, you can use :-
1) System property "-D||java.security.auth.login.config"
Optionally, you can set it programmatically via :-
System.setProperty("java.security.auth.login.config", jaas.conf);
2) Java security properties file
Indicate the URL of the configuration file in the security properties
file located at JRE/lib/security/java.security
login.config.url.1=file:C:/jaas.conf
For more information, refer to following websites :-
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
Seema
Bajpai, Atul wrote:
>Thanks for your response again Seema. I am able to get SSO to work with
>J2SE 1.4.2_07. During all this trial and error at some point I had
>started building and running against 1.4.2_04 and didn't realise the
>folly since I was always able to get a ticket when I provided my userid
>and password, when prompted for it. Once I changed back to 1.4.2_07 and
>turned the debug flag on, Krb5LoginModule is able to get the pricipal
>from the ticketcache without prompting and eventually I get a Kerberos
>ticket back in the Subject. Thanks for all the suggestions. Next step is
>to get this code to run on Linux.I also need to specify all the -D
>options programmatically. How do I do that? Also is it possible to
>eliminate the need for the .conf file and specify, the LoginModule to be
>used, programatically?
>
>thanks
>Atul Bajpai
>Development Infrastructure
>
>
>-----Original Message-----
>From: Seema Malkani [mailto:Seema.Malkani at sun.com]
>Sent: Monday, April 04, 2005 2:29 PM
>To: Bajpai, Atul
>Cc: miika.parvio at NOSPAMtut.fi; jaltman2 at nyc.rr.com; deengert at anl.gov;
>kerberos at mit.edu
>Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get
>it to work?
>
>As per your earlier email, you had mentioned that SSO works correctly
>with your "test" account, and you do not get prompted for password. Is
>this an issue with the another account on the same AD domain ?
>
>JAAS Kerberos login module will acquire the native credentials, provided
>you have the correct configuration. But if the credential acquisition
>fails due to some reason, no credentials will be returned; and you'll
>get a message "null credentials from Ticket Cache".
>
>Can you provide following info:
>1) Are you using the latest J2SE 1.4.2_07 ?
>2) Do you have any file-based ticket cache on your machine ? Check out
>any existence of krb5cc_uid in the home dir of the account used.
>3) To investigate the failure, please send me a debug output. You can
>enable Java Kerberos debugging via -Dsun.security.krb5.debug=true
>
>See my comments below in response to your questions.
>
>Seema
>
>Bajpai, Atul wrote:
>
>
>
>>Hi all,
>>I am using a JAAS sample to try SSO on windows. My problem is When I
>>use the Krb5LoginModule I am always prompted for a username and
>>password. I want my app to get the kerberos ticket for the currently
>>logged in user (which is me) without being prompted for
>>username/password. To understand the problem I set debug=true and
>>following is the output I get before I get prompted for username/pwd
>>
>>===================================
>>Debug is true storeKey false useTicketCache true useKeyTab false
>>doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
>>
>>
>
>
>
>>is true principal is null tryFirstPass is false useFirstPass is false
>>storePass is false clearPass is false
>>
>>Refreshing Kerberos configuration
>>Principal is null
>>null credentials from Ticket Cache
>>===========================
>>My question is
>>1) Does this mean that ticket cache cannot be found hence a ticket
>>could not be found or just that the ticket cache is empty?
>>
>>
>>
>This does not mean that the ticket cache cannot be found. This is
>because the credential acquisition failed; this could be due to various
>reasons, such as credentials in the ticket cache were invalid, or did
>not exist for the requested identity.
>
>
>
>>2) How do I find out where my ticket cache is and what it has?
>>
>>
>>
>You can use Klist.exe tool on Windows to check on the native
>credentials.
>
>
>
>>3) When prompted for username/pwd, if I supply either mine or a test
>>account username/pwd, my login succeeds and I get back a subject from
>>the logincontext where I can see a kerberos ticket as part of the
>>private credentials. What could be the reason for my sample app not
>>being able to get a kerberos ticket for the currently logged in user
>>without prompting for username/pwd?
>>
>>
>>
>Possibly due to configuration. Please answer the questions above.
>
>
>
>>Seems like some of you have dealt with JAAS on windows before so I'll
>>really appreciate any pointers I can get on this.
>>
>>thanks
>>
>>
>>
>>
>
>
>
>
More information about the Kerberos
mailing list