Java code performing Kerberos password AuthN

Michael B Allen ioplex at gmail.com
Fri Jun 27 12:59:44 EDT 2014


On Fri, Jun 27, 2014 at 10:06 AM, Jorj Bauer <jorj at isc.upenn.edu> wrote:
>> Note that you can dodge the jaas.conf by installing your own
>> Configuration like:
>
> Thanks for the comment. I know about this, generally speaking - it's what I was alluding to in the README:
>
>> (There is probably
>> a more complex Configuration object setup that could be performed here
>> to populate the settings programmatically; I chose to not go down that
>> road due to complexity of the code that might be required.)
>
> Specifically - and maybe you can help here - I have two concerns about that approach.
>
> First: there are two different configurations in jaas.conf (one for client and one for server behavior). I presume it's possible to construct a programmatic configuration that adds both, but I haven't thought about how.

Hi Jorj,

It's been a while since I looked at any of this. So I'm actually
drawing a blank on the client vs server conf. Not sure.

> Second: setting the realm and/or KDC using System.setProperty java.security.krb5.realm and/or java.security.krb5.kdc, I wasn't able (in my limited testing) to make it perform failover when the primary was unreachable. Seeing that it worked fine with krb5.conf, I decided to punt, choosing functionality over form.

Ah yes, this is another gem. There are so many problems with DNS
relative to Java's Kerberos I don't want to get into it. Having the
realm come out of the krb5.conf isn't a complete disaster since that
might actually be set properly and wouldn't be something you would
want to change I would think. At least this is no different from how
MIT or Heimdal handles things so I can't trash Java too much for doing
it. Kerberos and DNS are so tightly coupled that dumping off DNS to
the system resolver just doesn't cut it. I think the only way to
provide proper DNS behavior for Java's Kerberos would be to actually
completely override it with a property like
sun.net.spi.nameservice.provider. Again, of course the property is
global and static so it will affect everything in the same ClassLoader
so your DNS implementation better be pretty solid.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
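A programmatic two-entry Configuration of the kind Jorj's first concern asks about (one entry for the password-authenticating client, one for the keytab-backed acceptor), as an added example: this is not code from the thread, from Jorj's project or from ioplex. The entry names "client" and "server", the service principal and the keytab path are assumptions; realm and KDC discovery are left to krb5.conf, exactly as Jorj chose to do.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * In-process JAAS Configuration carrying two entries, "client" and "server",
 * so neither a jaas.conf file nor -Djava.security.auth.login.config is needed.
 * Entry names, service principal and keytab path are illustrative assumptions.
 */
public final class TwoEntryKrb5Config extends Configuration {

    private static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

    public TwoEntryKrb5Config(String servicePrincipal, String keytabPath) {
        // "client": password AuthN through the CallbackHandler given to LoginContext.
        // No ticket cache, so a wrong password fails here instead of silently
        // succeeding on whatever the user's credential cache already holds.
        Map<String, String> client = new HashMap<>();
        client.put("useTicketCache", "false");
        client.put("useKeyTab", "false");
        client.put("refreshKrb5Config", "true");
        entries.put("client", new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, client) });

        // "server": acceptor side keyed from a keytab. storeKey=true keeps the
        // long-term key in the Subject so GSS-API can accept AP-REQs;
        // isInitiator=false stops the module from trying to obtain a TGT.
        Map<String, String> server = new HashMap<>();
        server.put("useKeyTab", "true");
        server.put("keyTab", keytabPath);
        server.put("principal", servicePrincipal);
        server.put("storeKey", "true");
        server.put("isInitiator", "false");
        server.put("doNotPrompt", "true");
        entries.put("server", new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, server) });
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return entries.get(name); // null makes LoginContext fail with "No LoginModules configured"
    }

    @Override
    public void refresh() { /* nothing to reload: the entries are fixed at construction */ }

    /** Installs this as the JVM-wide Configuration; like the krb5 system properties it is global. */
    public static void install(String servicePrincipal, String keytabPath) {
        Configuration.setConfiguration(new TwoEntryKrb5Config(servicePrincipal, keytabPath));
    }

    /** Password AuthN against the "client" entry; needs a KDC reachable for the krb5.conf realm. */
    public static LoginContext clientLogin(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("client", handler);
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0'); // do not leave the cleartext password in the heap
        }
        return lc;
    }

    public static void main(String[] args) throws LoginException {
        install("HTTP/www.example.com@EXAMPLE.COM", "/etc/krb5.keytab"); // assumed values
        Configuration cfg = Configuration.getConfiguration();
        for (String name : new String[] { "client", "server" }) {
            AppConfigurationEntry e = cfg.getAppConfigurationEntry(name)[0];
            System.out.println(name + " -> " + e.getLoginModuleName() + " " + e.getOptions());
        }
        if (args.length == 2) { // user and password: only then is a KDC actually contacted
            LoginContext lc = clientLogin(args[0], args[1].toCharArray());
            System.out.println("authenticated: " + lc.getSubject().getPrincipals());
            lc.logout();
        }
    }
}
```

Without arguments the program only installs the Configuration and prints both entries, which runs without a KDC; with a user and password it performs the "client" login. Configuration.setConfiguration carries the same caveat Mike raises for the system properties: it replaces the Configuration for the whole JVM, so any other code in the process relying on a jaas.conf entry must be given its entry here too (and under a SecurityManager the caller needs the "setLoginConfiguration" AuthPermission).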