Question about Kerberos in J2EE

Mon Apr 26 14:45:26 EDT 2004

I have implemented Kerberos and JGSS in one of my previous applications to secured connection between GSSClient and GSSServer.  Here are my comments below...

Regards,
Andy D Mei
-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of drcns
Sent: Thursday, April 22, 2004 2:21 AM
To: krbdev at mit.edu
Subject: Question about Kerberos in J2EE

hi,all

I have read through the Java GSS examples in sun's website and run it perfectly.My question is as flowing:

1.When GSSContext is established between GSS client and GSS Server,message can be sent upon the security context and the message is integrity protected. It is Ok. But how about method invocation? I mean that how to protect the method invocation from the GSSClient to the GSSServer using the established GSSContext.
[Andy M] You could create your own RMIServerFactory and RMIClientFactory, and then use GSSContext wrap and unwrap to encrypt every marshal rmi method call across wire.

2.In J2EE environment with Kerberos, we should take the Web Application as the GSSClient and other external kerberized service as the GSSServer.That is when client browser access the web application,UID and Password are sent to the Web Application over SSL and the Web Application get TGT from KDC.Then Web Aplication retrieve Service Ticket for the external kerberized service from the KDC and thus the GSSContext is built between the Web Application and the external kerberized service.This is what I think about kerberos in J2EE Application. Is it right? If it is right, how can I cache the TGT(Credential ) in such scenario when so many different brower client access the Web Application? 
[Andy M] There is many ways to cache the TGT, the simple way to do it is just cache the ticket within session. Be careful with expiration time on the TGT though.

Is it the right place to post my message.Your help will be greatly appreciated.Thanks!
========================================================
ÊÇÓÊ¼þÄãÊÕ ÓÐ²¡¶¾ÎÒÉÏ£¡VIPÓÊÏä È«Ãæ±£»¤£¡            http://vip.163.com
ÖÐ¹ú×î´óµÄÃâ·ÑÓÊÏäÔÚµÈÄã 25Õ×¿Õ¼ä4Õ×¸½¼þ£¡¡¡¡¡¡¡¡¡¡¡ http://mail.163.com
µã»÷ÍøÒ×ÅÝÅÝ¾ªÏ²ÎÞÏÞ È«Ãâ·ÑÊÖ»ú¶ÌÐÅÈÎÄã·¢!¡¡¡¡¡¡¡¡¡¡¡¡http://popo.163.com
_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev