
Re: Java code performing Kerberos password AuthN

daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri Jun 27 12:59:59 2014

MIME-Version: 1.0
In-Reply-To: <783583777A0B2B4F9B03D97FFABAA2AC187DBA6B@exch-mbx01.exchange.upenn.edu>
Date: Fri, 27 Jun 2014 12:59:44 -0400
Message-ID: <CAGMFw4jLhfMTQLHcbbabBOEkD6edL_Cgje_WFKSFEqKxdbsVvw@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: Jorj Bauer <jorj@isc.upenn.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Jun 27, 2014 at 10:06 AM, Jorj Bauer <jorj@isc.upenn.edu> wrote:
>> Note that you can dodge the jaas.conf by installing your own
>> Configuration like:
>
> Thanks for the comment. I know about this, generally speaking - it's what I was alluding to in the README:
>
>> (There is probably
>> a more complex Configuration object setup that could be performed here
>> to populate the settings programmatically; I chose to not go down that
>> road due to complexity of the code that might be required.)
>
> Specifically - and maybe you can help here - I have two concerns about that approach.
>
> First: there are two different configurations in jaas.conf (one for client and one for server behavior). I presume it's possible to construct a programmatic configuration that adds both, but I haven't thought about how.

Hi Jorj,

It's been a while since I looked at any of this. So I'm actually
drawing a blank on the client vs server conf. Not sure.

> Second: setting the realm and/or KDC using System.setProperty java.security.krb5.realm and/or java.security.krb5.kdc, I wasn't able (in my limited testing) to make it perform failover when the primary was unreachable. Seeing that it worked fine with krb5.conf, I decided to punt, choosing functionality over form.

Ah yes, this is another gem. There are so many problems with DNS
relative to Java's Kerberos I don't want to get into it. Having the
realm come out of the krb5.conf isn't a complete disaster since that
might actually be set properly and wouldn't be something you would
want to change I would think. At least this is no different from how
MIT or Heimdal handles things so I can't trash Java too much for doing
it. Kerberos and DNS are so tightly coupled that dumping off DNS to
the system resolver just doesn't cut it. I think the only way to
provide proper DNS behavior for Java's Kerberos would be to actually
completely override it with a property like
sun.net.spi.nameservice.provider. Again, of course the property is
global and static so it will affect everything in the same ClassLoader
so your DNS implementation better be pretty solid.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
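For the first concern raised in the thread (one programmatic Configuration that carries both the client and the server entry of a jaas.conf), the following is an added example, not code from either poster. The entry names "client" and "server", the service principal and the keytab path are assumptions; the option names are the documented Krb5LoginModule options.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/**
 * Programmatic stand-in for a two-entry jaas.conf.
 * Entry names "client" / "server" are assumed; a LoginContext asks for them by name.
 * Note that Configuration.setConfiguration() is JVM-global, just like the
 * java.security.krb5.* system properties discussed in the thread.
 */
public final class TwoEntryKrb5Configuration extends Configuration {
    private static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    private final AppConfigurationEntry[] client;
    private final AppConfigurationEntry[] server;

    public TwoEntryKrb5Configuration(String servicePrincipal, String keytabPath) {
        // Client side: obtain a TGT from the password supplied through the CallbackHandler,
        // without touching the user's ticket cache on disk.
        Map<String, String> clientOpts = new HashMap<>();
        clientOpts.put("useTicketCache", "false");
        clientOpts.put("refreshKrb5Config", "true");
        client = new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, clientOpts) };

        // Server side: acceptor identity from a keytab; never prompt, never initiate,
        // and keep the key so GSS-API can accept service tickets.
        Map<String, String> serverOpts = new HashMap<>();
        serverOpts.put("useKeyTab", "true");
        serverOpts.put("keyTab", keytabPath);            // assumed path, e.g. /etc/app.keytab
        serverOpts.put("principal", servicePrincipal);   // assumed, e.g. HTTP/host@REALM
        serverOpts.put("storeKey", "true");
        serverOpts.put("doNotPrompt", "true");
        serverOpts.put("isInitiator", "false");
        server = new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, serverOpts) };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if ("client".equals(name)) return client.clone();
        if ("server".equals(name)) return server.clone();
        return null;   // unknown entry name: behave like a jaas.conf without that section
    }

    /** Install once at startup; afterwards new LoginContext("client", handler).login() works without -Djava.security.auth.login.config. */
    public static void install(String servicePrincipal, String keytabPath) {
        Configuration.setConfiguration(new TwoEntryKrb5Configuration(servicePrincipal, keytabPath));
    }
}
```

The realm and KDC list still come from krb5.conf, so KDC failover behaves as the thread describes for the krb5.conf case.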

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos