Java sample for SSO using JAAS on XP SP2, did anybody get it to work?

Seema Malkani Seema.Malkani at Sun.COM
Fri Apr 22 19:10:04 EDT 2005


The LoginModule invokes a CallbackHandler to perform the user interaction and obtain the requested information, such as the user name and password. The JAAS LoginContext allows the application to specify a callback handler that the underlying login modules use to interact with users. There are two callback handlers available in J2SE - one based on the command line and another based on a GUI.

Here is an example:
LoginContext lc = new LoginContext("client", new TextCallbackHandler());

The Krb5LoginModule will use the specified CallbackHandler to interact with the user and obtain username/password. The CallbackHandler implementation decides how to retrieve the information depending on the callbacks passed to it.

For further details refer to the J2SE javadocs on 
javax.security.auth.callback.CallbackHandler
http://java.sun.com/j2se/1.5.0/docs/api/index.html

Seema
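As an added example (not code from this thread), the "run as" case asked about above: a CallbackHandler that answers Krb5LoginModule's NameCallback/PasswordCallback with a supplied user and password instead of prompting, combined with an in-memory JAAS Configuration so the login module is specified programmatically rather than through a jaas.conf file (the earlier question in this thread). The entry name "runas", the class names and the option values are assumptions.

```java
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

/** "Run as" Kerberos login: a CallbackHandler hands a fixed user/password to Krb5LoginModule,
 *  and the JAAS login configuration is built in memory instead of read from a .conf file. */
public final class RunAsKerberosLogin {
    /** Answers the NameCallback and PasswordCallback that Krb5LoginModule issues. */
    static final class FixedCredentialHandler implements CallbackHandler {
        private final String user;
        private final char[] password; // PasswordCallback.setPassword copies it; caller clears the original
        FixedCredentialHandler(String u, char[] p) { user = u; password = p; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Equivalent of a jaas.conf entry, so no -Djava.security.auth.login.config is needed (assumed names). */
    static Configuration runAsConfiguration() {
        HashMap<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "false"); // do not pick up the logged-in user's native credentials
        opts.put("doNotPrompt", "false");    // prompts are answered by FixedCredentialHandler
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "runas".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
            public void refresh() { } // abstract in J2SE 5, a no-op for an in-memory config
        };
    }

    /** Returns a Subject holding a TGT for 'user' rather than for the OS session owner. */
    public static Subject loginAs(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("runas", null,
                new FixedCredentialHandler(user, password), runAsConfiguration());
        lc.login();
        return lc.getSubject();
    }
}
```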

Bajpai, Atul wrote:

>Seema,
>All your suggestions have been very helpful and I am able to use JAAS
>and GSS-API successfully to do single sign on and get a kerberos ticket
>for the currently logged in user on windows as well as linux. What I
>also need to do is be able to pass in the userid and password of a user,
>to the Krb5LoginModule if possible, to do a "run as". I have been
>scouring all the online documentation that I can find for hints. Any
>suggestions? Do I need to develop a new login module to do a kerberos
>login for a user different from the one logged in? or is it possible to
>extend the Krb5LoginModule?
>
>
>Atul Bajpai
>Development Infrastructure
>
>
>-----Original Message-----
>From: Seema Malkani [mailto:Seema.Malkani at sun.com] 
>Sent: Tuesday, April 05, 2005 5:33 PM
>To: Bajpai, Atul
>Cc: miika.parvio at NOSPAMtut.fi; jaltman2 at nyc.rr.com; deengert at anl.gov;
>kerberos at mit.edu
>Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get
>it to work?
>
>You can set system properties programmatically via java.lang.System
>class :- System.setProperty("javax.security.auth.useSubjectCredsOnly",
>"false");
>
>To specify the JAAS Kerberos Login Configuration file, you can use :-
>1) System property "-Djava.security.auth.login.config"
>Optionally, you can set it programmatically via :-
>System.setProperty("java.security.auth.login.config", jaas.conf);
>
>2) Java security properties file
>Indicate the URL of the configuration file in the security properties
>file located at JRE/lib/security/java.security
>login.config.url.1=file:C:/jaas.conf
>
>For more information, refer to following websites :-
>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
>http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
>
>Seema
>
>Bajpai, Atul wrote:
>
>>Thanks for your response again Seema. I am able to get SSO to work with
>>J2SE 1.4.2_07. During all this trial and error at some point I had
>>started building and running against 1.4.2_04 and didn't realise the
>>folly since I was always able to get a ticket when I provided my userid
>>and password, when prompted for it. Once I changed back to 1.4.2_07 and
>>turned the debug flag on, Krb5LoginModule is able to get the principal
>>from the ticketcache without prompting and eventually I get a Kerberos
>>ticket back in the Subject. Thanks for all the suggestions. Next step
>>is to get this code to run on Linux. I also need to specify all the -D
>>options programmatically. How do I do that? Also is it possible to
>>eliminate the need for the .conf file and specify, the LoginModule to
>>be used, programmatically?
>>
>>thanks
>>Atul Bajpai
>>Development Infrastructure
>>
>>
>>-----Original Message-----
>>From: Seema Malkani [mailto:Seema.Malkani at sun.com]
>>Sent: Monday, April 04, 2005 2:29 PM
>>To: Bajpai, Atul
>>Cc: miika.parvio at NOSPAMtut.fi; jaltman2 at nyc.rr.com; deengert at anl.gov; 
>>kerberos at mit.edu
>>Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get 
>>it to work?
>>
>>As per your earlier email, you had mentioned that SSO works correctly 
>>with your "test" account, and you do not get prompted for password. Is 
>>this an issue with the another account on the same AD domain ?
>>
>>JAAS Kerberos login module will acquire the native credentials, 
>>provided you have the correct configuration. But if the credential 
>>acquisition fails due to some reason, no credentials will be returned; 
>>and you'll get a message "null credentials from Ticket Cache".
>>
>>Can you provide following info:
>>1) Are you using the latest J2SE 1.4.2_07 ?
>>2) Do you have any file-based ticket cache on your machine ? Check out 
>>any existence of krb5cc_uid in the home dir of the account used.
>>3) To investigate the failure, please send me a debug output. You can 
>>enable Java Kerberos debugging via -Dsun.security.krb5.debug=true
>>
>>See my comments below in response to your questions.
>>
>>Seema
>>
>>Bajpai, Atul wrote:
>>
>>>Hi all,
>>>I am using a JAAS sample to try SSO on windows. My problem is when I
>>>use the Krb5LoginModule I am always prompted for a username and 
>>>password. I want my app to get the kerberos ticket for the currently 
>>>logged in user (which is me) without being prompted for 
>>>username/password. To understand the problem I set debug=true and 
>>>following is the output I get before I get prompted for username/pwd
>>>
>>>===================================
>>>Debug is  true storeKey false useTicketCache true useKeyTab false 
>>>doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
>>>is true principal is null tryFirstPass is false useFirstPass is false 
>>>storePass is false clearPass is false
>>>
>>>Refreshing Kerberos configuration
>>>Principal is null
>>>null credentials from Ticket Cache
>>>===========================
>>>My question is
>>>1) Does this mean that ticket cache cannot be found hence a ticket 
>>>could not be found or just that the ticket cache is empty?
>>>
>>This does not mean that the ticket cache cannot be found. This is 
>>because the credential acquisition failed; this could be due to various
>>reasons, such as credentials in the ticket cache were invalid, or did 
>>not exist for the requested identity.
>>
>>>2) How do I find out where my ticket cache is and what it has?
>>>
>>You can use Klist.exe tool on Windows to check on the native 
>>credentials.
>>
>>>3) When prompted for username/pwd, if I supply either mine or a test 
>>>account username/pwd, my login succeeds and I get back a subject from 
>>>the logincontext where I can see a kerberos ticket as part of the 
>>>private credentials. What could be the reason for my sample app not 
>>>being able to get a kerberos ticket for the currently logged in user 
>>>without prompting for username/pwd?
>>>
>>Possibly due to configuration. Please answer the questions above.
>>
>>>Seems like some of you have dealt with JAAS on windows before so I'll 
>>>really appreciate any pointers I can get on this.
>>>
>>>thanks
>>>
>>>