Obtaining service ticket with JAVA JAAS

Seema Malkani Seema.Malkani at Sun.COM
Mon Aug 21 15:08:53 EDT 2006


The Kerberos service ticket is obtained internally, and stored in the 
Subject's private credentials, after successful authentication.

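At the client end:

// Obtain the GSS manager and the Kerberos V5 mechanism OID
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

// Identify the name of the server.
GSSName serverName = manager.createName("nfs/foo.sun.com",
                                        GSSName.NT_HOSTBASED_SERVICE);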

// Instantiate and initialize a security context that will be
// established with the server
GSSContext context = manager.createContext(serverName,
                                           krb5Mechanism,
                                           null,
                                           GSSContext.DEFAULT_LIFETIME);

At the server end:

// Acquire credentials for the server
GSSCredential serverCreds = manager.createCredential(serverName, 
                                             GSSCredential.DEFAULT_LIFETIME, 
                                             krb5Mechanism, 
                                             GSSCredential.ACCEPT_ONLY);
// Instantiate and initialize a security context that will
// wait for an establishment request token from the client
GSSContext context = manager.createContext(serverCreds);

Please refer to Java GSS tutorials for details:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html

Seema

Olfmatic wrote On 08/21/06 10:00,:

>Hello,
>
>Can anybody please send some lines of JAVA code in which a service ticket is acquired by the KDC? I tried it like this:
>
>    // Performing Kerberos login
>    LoginContext tLoginContext = new LoginContext("JaasLogin");
>    tLoginContext.login();
>    final Subject tSubject = tLoginContext.getSubject();
>
>    Subject.doAs(tSubject, new PrivilegedExceptionAction()
>    {
>        public Object run() throws Exception
>        {
>            Principal tPrincipal = (Principal) tSubject.getPrincipals().iterator().next();
>            KerberosTicket tTicket = (KerberosTicket) tSubject.getPrivateCredentials(
>                    KerberosTicket.class).iterator().next();
>
>            GSSManager tGSSManager = GSSManager.getInstance();
>            Oid tKerberosOID = new Oid("1.2.840.113554.1.2.2");
>            GSSName tGSSName = tGSSManager.createName("myservice/servicehost.myrealm.de@MYREALM.DE", GSSName.NT_USER_NAME, tKerberosOID);
>            GSSCredential tServiceCredential = tGSSManager.createCredential(tGSSName, GSSCredential.INDEFINITE_LIFETIME, tKerberosOID, GSSCredential.INITIATE_AND_ACCEPT);
>            return null;
>        }
>    });
>
>
>but this doesn't work. For some reason, the principal's name in tGSSManager.createName() is still the one from my WIN2003-Login. I get a valid TGT from tLoginContext.login() but acquiring the service ticket fails. Is this the right approach to this problem?
>
>This is my auth.conf:
>
>
>JaasLogin {
>    //Kerberos single-sign-on login module
>    com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true ;
>};
> 
>other {
>    // jBoss LoginModule
>    org.jboss.security.ClientLoginModule  required;
>    // Put your login modules that need jBoss here
>};
>
>
>Thanks for any help in advance.
>