
Re: Java code performing Kerberos password AuthN

daemon@ATHENA.MIT.EDU (Michael B Allen)
Thu Jun 26 23:07:13 2014

In-Reply-To: <783583777A0B2B4F9B03D97FFABAA2AC187DB6F4@exch-mbx01.exchange.upenn.edu>
Date: Thu, 26 Jun 2014 23:04:57 -0400
Message-ID: <CAGMFw4iTgoLWL4+2nbwk5M-wT1mBFCqG3vA=KEYCAV2O9zHt2w@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: Jorj Bauer <jorj@isc.upenn.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Thu, Jun 26, 2014 at 6:23 PM, Jorj Bauer <jorj@isc.upenn.edu> wrote:
> Maybe someone will show me a better way to do it in Java, for that matter.

Hi Jorj,

Note that you can dodge the jaas.conf by installing your own
Configuration like:

  import java.util.HashMap;
  import java.util.Map;
  import javax.security.auth.login.AppConfigurationEntry;
  import javax.security.auth.login.Configuration;

  class Krb5Configuration extends Configuration {

      final Map<String, String> options = new HashMap<String, String>(4);
      final AppConfigurationEntry[] entries = new AppConfigurationEntry[1];

      Krb5Configuration() {
          super();
          // One Krb5LoginModule entry. The options map is held by reference,
          // so values added through setOption() later are seen by the module.
          entries[0] = new AppConfigurationEntry(
                  "com.sun.security.auth.module.Krb5LoginModule",
                  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                  options);
      }

      // Setter used when installing the config (see below)
      void setOption(String name, String value) {
          options.put(name, value);
      }

      // Same entry for every application name, so any LoginContext name works
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
          return entries;
      }
      public void refresh() {
      }
  }

Then create the config and install it like:

  Krb5Configuration conf = new Krb5Configuration();
  conf.setOption("doNotPrompt", "true");
  conf.setOption("storeKey", "true");
  conf.setOption("useKeyTab", "true");
  conf.setOption("debug", "true");
  conf.setOption("principal", spn);
  conf.setOption("keyTab", keytab);
  Configuration.setConfiguration(conf);

Now you can do JGSS stuff and it should use your config. A more
sophisticated implementation might augment the existing config from
the jaas.conf to minimize chances of breaking other krb5 users in the
same ClassLoader.

Java's builtin Kerberos implementation is a mess. Even if you override
the config file like above it's still global. No config should be
global - especially in a library. Last I checked you can't get a TGT
from a KerberosKey (keytab entry) on Windows. You have to use
Krb5LoginModule and actually go through a login with a plaintext
password first because they had to go through the Windows SSPI to
access the ccache. The API is horrible as evidenced by the flaming
hula hoops you had to go through to do anything remotely
sophisticated.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
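As an added example (my code, not from the post or the mailing list): a Configuration that answers only for one JAAS application name and delegates every other name to the configuration already installed, so other Kerberos users in the same JVM keep their jaas.conf entries, and which is handed to LoginContext directly so Configuration.setConfiguration() is never called. ScopedKrb5Configuration, KeytabLogin and the "scoped-krb5" name are assumptions of this example; spn and keytab are caller-supplied placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

// Added example; ScopedKrb5Configuration and KeytabLogin are names assumed here.
class ScopedKrb5Configuration extends Configuration {
    private final String appName;          // only this JAAS name gets our entry
    private final Configuration fallback;  // config already installed (jaas.conf), or null
    private final Map<String, String> options = new HashMap<String, String>();

    ScopedKrb5Configuration(String appName, String spn, String keytab) {
        this.appName = appName;
        Configuration existing;
        try {
            existing = Configuration.getConfiguration();
        } catch (SecurityException e) { existing = null; } // no jaas.conf: nothing to delegate to
        this.fallback = existing;
        options.put("useKeyTab", "true");
        options.put("storeKey", "true");     // keep the key in the Subject for the GSS acceptor
        options.put("doNotPrompt", "true");  // fail instead of prompting for a password
        options.put("principal", spn);
        options.put("keyTab", keytab);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (appName.equals(name)) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
        }
        return fallback == null ? null : fallback.getAppConfigurationEntry(name); // others untouched
    }
}

class KeytabLogin {
    // Keytab login plus acceptor credential; the Configuration goes to LoginContext directly.
    static GSSCredential acceptorCredential(String spn, String keytab) throws Exception {
        Configuration conf = new ScopedKrb5Configuration("scoped-krb5", spn, keytab);
        LoginContext lc = new LoginContext("scoped-krb5", new Subject(), null, conf);
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(GSSCredential.ACCEPT_ONLY));
    }
}
```

If no jaas.conf exists at all, getConfiguration() throws SecurityException on older JDKs, which is why the constructor catches it and simply has nothing to delegate to.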