Obtaining service ticket with JAVA JAAS

Olfmatic olfmatic at web.de
Mon Aug 21 13:00:36 EDT 2006


Can anybody please send some lines of JAVA code in which a service ticket is acquired by the KDC? I tried it like this:

    // Performing Kerberos login
    LoginContext tLoginContext = new LoginContext("JaasLogin");
    tLoginContext.login();
    final Subject tSubject = tLoginContext.getSubject();

    Subject.doAs(tSubject, new PrivilegedExceptionAction()
    {
        public Object run() throws Exception
        {
            Principal tPrincipal = (Principal)tSubject.getPrincipals().iterator().next();
            KerberosTicket tTicket = (KerberosTicket) tSubject.getPrivateCredentials(KerberosTicket.class).iterator().next();

            GSSManager tGSSManager = GSSManager.getInstance();
            Oid tKerberosOID = new Oid("1.2.840.113554.1.2.2");
            GSSName tGSSName = tGSSManager.createName("myservice/servicehost.myrealm.de@MYREALM.DE", GSSName.NT_USER_NAME, tKerberosOID);
            GSSCredential tServiceCredential = tGSSManager.createCredential(tGSSName, GSSCredential.INDEFINITE_LIFETIME, tKerberosOID, GSSCredential.INITIATE_AND_ACCEPT);
            return null;
        }
    });

but this doesn't work. For some reason, the principal's name in tGSSManager.createName() is still the one from my WIN2003-Login. I get a valid TGT from tLoginContext.login() but acquiring the service ticket fails. Is this the right approach to this problem?

This is my auth.conf:

JaasLogin {
    //Kerberos single-sign-on login module
    com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true ;
};
other {
    // jBoss LoginModule
    org.jboss.security.ClientLoginModule  required;
    // Put your login modules that need jBoss here
};

Thanks for any help in advance.
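
Added example, not part of the original post: in JGSS, GSSManager.createCredential(name, ...) acquires credentials for the local principal, so the target service belongs in the peer name of a GSSContext, and the first initSecContext() call is what requests the service ticket from the KDC. The sketch assumes the "JaasLogin" entry from the auth.conf above, the service name from the post written in host-based form, and a krb5 configuration that maps the host to MYREALM.DE; the class name is hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical class name; run with -Djava.security.auth.login.config=auth.conf
public class ServiceTicketExample {
    public static void main(String[] args) throws Exception {
        // JAAS login: obtains the TGT (or reuses it from the ticket cache)
        LoginContext loginContext = new LoginContext("JaasLogin");
        loginContext.login();
        final Subject subject = loginContext.getSubject();

        byte[] token = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws Exception {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");

                // Host-based form "service@host" maps to the Kerberos principal
                // myservice/servicehost.myrealm.de in the realm of that host (assumed).
                GSSName serviceName = manager.createName(
                        "myservice@servicehost.myrealm.de", GSSName.NT_HOSTBASED_SERVICE);

                // A null credential means "default initiator credentials",
                // i.e. the TGT held by the Subject this code runs as.
                GSSContext context = manager.createContext(
                        serviceName, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
                context.requestMutualAuth(true);
                try {
                    // The first call requests the service ticket from the KDC;
                    // the returned token wraps the AP-REQ that carries it.
                    return context.initSecContext(new byte[0], 0, 0);
                } finally {
                    // Disposed here only because the sketch stops after the first
                    // token; a real client sends it to the service and continues.
                    context.dispose();
                }
            }
        });
        System.out.println("Initial GSS token for the service: " + token.length + " bytes");
    }
}
```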
