Java code performing Kerberos password AuthN

Michael B Allen ioplex at gmail.com
Thu Jun 26 23:04:57 EDT 2014


On Thu, Jun 26, 2014 at 6:23 PM, Jorj Bauer <jorj at isc.upenn.edu> wrote:
> Maybe someone will show me a better way to do it in Java, for that matter.

Hi Jorj,

Note that you can dodge the jaas.conf by installing your own
Configuration like:

  import java.util.HashMap;
  import java.util.Map;
  import javax.security.auth.login.AppConfigurationEntry;
  import javax.security.auth.login.Configuration;

  class Krb5Configuration extends Configuration {

      // Options handed to Krb5LoginModule (useKeyTab, principal, keyTab, ...)
      final Map<String, String> options = new HashMap<String, String>(4);
      final AppConfigurationEntry[] entries = new AppConfigurationEntry[1];

      Krb5Configuration() {
          super();
          entries[0] = new AppConfigurationEntry(
                  "com.sun.security.auth.module.Krb5LoginModule",
                  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                  options);
      }

      // Backs the setOption() calls below. AppConfigurationEntry wraps the
      // map in an unmodifiable view rather than copying it, so options put
      // here after construction are still seen by the login module.
      void setOption(String name, String value) {
          options.put(name, value);
      }

      // Same entry for every application name, so jaas.conf is never consulted.
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
          return entries;
      }
      public void refresh() {
      }
  }

Then create the config and install it like:

  // spn and keytab are the caller's Strings: the service principal name
  // and the path of the keytab file holding its key.
  Krb5Configuration conf = new Krb5Configuration();
  conf.setOption("doNotPrompt", "true");
  conf.setOption("storeKey", "true");
  conf.setOption("useKeyTab", "true");
  conf.setOption("debug", "true");
  conf.setOption("principal", spn);
  conf.setOption("keyTab", keytab);
  Configuration.setConfiguration(conf);

Now you can do JGSS stuff and it should use your config. A more
sophisticated implementation might augment the existing config from
the jaas.conf to minimize chances of breaking other krb5 users in the
same ClassLoader.

Java's builtin Kerberos implementation is a mess. Even if you override
the config file like above it's still global. No config should be
global - especially in a library. Last I checked you can't get a TGT
from a KerberosKey (keytab entry) on Windows. You have to use
Krb5LoginModule and actually go through a login with a plaintext
password first because they had to go through the Windows SSPI to
access the ccache. The API is horrible as evidenced by the flaming
hula hoops you had to go through to do anything remotely
sophisticated.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
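The post shows an in-memory Configuration used with a keytab and then installed globally. The example below is added here and is not code from the post or from ioplex; it applies the same Configuration-subclass idea to the password case the thread is about, and passes the Configuration straight to the LoginContext instead of calling Configuration.setConfiguration(), so nothing else in the ClassLoader sees it. The application name "krb5-password", the principal alice@EXAMPLE.ORG and the assumption that realm and KDC come from krb5.conf (or the java.security.krb5.* system properties) are all assumptions for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public final class KerberosPasswordCheck {

    /** In-memory JAAS configuration: one REQUIRED Krb5LoginModule entry, no jaas.conf. */
    static final class PasswordLoginConfiguration extends Configuration {
        private final AppConfigurationEntry[] entries;

        PasswordLoginConfiguration() {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "false"); // a cached TGT must not satisfy a password check
            options.put("doNotPrompt", "false");    // name and password arrive via our CallbackHandler
            entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options)
            };
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return entries; // same entry whatever name the LoginContext asks for
        }

        @Override
        public void refresh() { }
    }

    /** Answers Krb5LoginModule's Name/Password callbacks without any console prompt. */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String principal;
        private final char[] password;

        FixedCredentialsHandler(String principal, char[] password) {
            this.principal = principal;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Runs the AS exchange for principal/password and returns the authenticated Subject.
     * A wrong password or unknown principal surfaces as a LoginException.
     */
    public static Subject loginWithPassword(String principal, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("krb5-password", null,
                new FixedCredentialsHandler(principal, password),
                new PasswordLoginConfiguration()); // per-context config, not a global install
        lc.login();
        return lc.getSubject();
    }

    /** The "JGSS stuff" from the post: acquire an initiator credential inside the Subject. */
    public static GSSCredential initiatorCredential(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID
            return GSSManager.getInstance().createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
        });
    }

    public static void main(String[] args) throws Exception {
        String principal = args.length > 0 ? args[0] : "alice@EXAMPLE.ORG"; // assumed principal
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", principal) : new char[0];
        try {
            Subject subject = loginWithPassword(principal, password);
            System.out.println("AS exchange succeeded for " + subject.getPrincipals());
            initiatorCredential(subject).dispose();
        } catch (LoginException e) {
            System.out.println("authentication failed: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0'); // scrub the password as soon as the login is over
        }
    }
}
```

Two points a practitioner should keep in mind with this shape: a successful AS exchange alone proves the password only against whatever answered as the KDC, so a service that gates access on it should also obtain a service ticket for its own principal and verify it against its keytab (the storeKey/useKeyTab options in the post are the ingredients for that), and Subject.doAs is deprecated in recent JDKs in favour of Subject.callAs, which takes the same Subject and a Callable.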

