Re: Kerberos auth
- Subject: Re: Kerberos auth
- From: "Matthew W. Taylor" <email@hidden>
- Date: Mon, 24 Mar 2008 14:03:29 -0500
- Thread-topic: Kerberos auth
Another useful property to set when doing Kerberos authentication is the
path to a krb5.conf file...
System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf");
This is particularly useful because Kerberos authentication can fail when
JAAS tries to use an encoding type not supported by the KDC (e.g. it may try
to use only DES when the KDC mandates triple-DES). JAAS actually supports a
number of encoding types, but to use any one of them specifically, you have
to use a krb5.conf file. For a list of encoding types supported with J2SE 5:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html
This parameter is specified by a number of "enctype" flags in the
libdefaults area of a standard krb5.conf file.
A krb5.conf file looks like this:
[libdefaults]
    default_realm = KRB.INSTITUTION.EDU
    default_tkt_enctypes = des3-cbc-sha1-kd
    default_tgs_enctypes = des3-cbc-sha1-kd
    permitted_enctypes = des3-cbc-sha1-kd
[realms]
    KRB.INSTITUTION.EDU = {
        kdc = kdc.institution.edu:88
        admin_server = kdc.institution.edu
        kpasswd_server = kdc.institution.edu
    }
-=- matt
Matthew W. Taylor
Multimedia Learning Center
Northwestern University
> From: Florijan Stamenkovic <email@hidden>
> Date: Mon, 24 Mar 2008 12:34:34 -0400
> To: Mike Schrag <email@hidden>
> Cc: Development WebObjects <email@hidden>
> Subject: Re: Kerberos auth
>
> Nice... We plan to authenticate our JC users both against Open
> Directory and the database. This looks like it should make my life
> easier when the time comes to implement it.
>
> Thanks,
> F
>
> On Mar 24, 2008, at 11:04, Mike Schrag wrote:
>
>> This is off-topic, but after digging around for quite a while (the
>> docs on this TOTALLY suck), if you need to do Kerberos
>> authentication from your app with JAAS + 1.5:
>>
>> package your.app;
>>
>> import java.io.IOException;
>>
>> import javax.security.auth.callback.Callback;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.callback.NameCallback;
>> import javax.security.auth.callback.PasswordCallback;
>> import javax.security.auth.callback.UnsupportedCallbackException;
>> import javax.security.auth.login.LoginContext;
>> import javax.security.auth.login.LoginException;
>>
>> public class KerberosAuth {
>>     public static void main(String[] args) {
>>         String userName = "email@hidden";
>>         char[] password = "mypassword".toCharArray();
>>
>>         System.setProperty("java.security.auth.login.config",
>>             KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
>>         System.setProperty("java.security.krb5.realm", "MYREALM.COM");
>>         System.setProperty("java.security.krb5.kdc", "mykdc.MYREALM.COM");
>>         try {
>>             LoginContext lc = new LoginContext("primaryLoginContext",
>>                 new UserNamePasswordCallbackHandler(userName, password));
>>             lc.login();
>>             System.out.println("KerberosAuth.main: " + lc.getSubject());
>>         }
>>         catch (LoginException le) {
>>             le.printStackTrace();
>>         }
>>     }
>>
>>     public static class UserNamePasswordCallbackHandler implements CallbackHandler {
>>         private String _userName;
>>         private char[] _password;
>>
>>         public UserNamePasswordCallbackHandler(String userName, char[] password) {
>>             _userName = userName;
>>             _password = password;
>>         }
>>
>>         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>>             for (Callback callback : callbacks) {
>>                 if (callback instanceof NameCallback && _userName != null) {
>>                     ((NameCallback) callback).setName(_userName);
>>                 }
>>                 else if (callback instanceof PasswordCallback && _password != null) {
>>                     ((PasswordCallback) callback).setPassword(_password);
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>> put kerberos.conf (in this example) inside your Sources folder with
>> the contents:
>>
>> primaryLoginContext {
>>     com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false;
>> };
>>
>> "java.security.auth.login.config" can map to a File or a URL.
>> Annoyingly it appears that it cannot map to the actual contents of
>> the file -- it has to be loaded from a URL, which seems completely
>> stupid to me (as does just about all of the JAAS/GSSAPI api's,
>> which were clearly written by "cryptography engineers" and not
>> "normal humans").
>>
>> I have not tried this against Active Directory, yet, just Open
>> Directory ... I'll be trying Active Directory soon and post with
>> info. One thing that's actually pretty damn slick is that if you
>> need this in a Java client application (i.e. non-web-app) you can
>> set "useTicketCache=true" and it will actually use your Kerberos
>> info from the OS ticket cache, which means it actually does proper
>> single sign-on. You can also combine this (which is what we plan
>> to do) with SPNEGO using mod_krb5 on Apache. So you can have
>> mod_krb5 do SPNEGO auth (and just read the user info from the
>> remote user header), and use this as a fall-back if the user is not
>> using a SPNEGO-compatible browser.
>>
>> ms
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>> 40mac.com
>>
>> This email sent to email@hidden
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
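The two posts above between them give the pieces of a password check against a KDC: a krb5.conf that pins realm, KDC and enctypes (Matthew's message) and a JAAS LoginContext driven by a name/password CallbackHandler (Mike's). What follows is an added example written for this page; it is not code from either post or from WebObjects. It puts the pieces together in J2SE 5-compatible Java and, instead of pointing java.security.auth.login.config at a file or URL, supplies the Krb5LoginModule entry from code through javax.security.auth.login.Configuration.setConfiguration(), so no kerberos.conf resource has to ship with the app. The krb5.conf path comes from the command line so that realm, KDC and enctypes are configured in one place (leave the java.security.krb5.realm and java.security.krb5.kdc properties unset when you use the file). The class, entry and package names are hypothetical, and a real run needs a reachable KDC described by the krb5.conf you pass.

```java
package your.app; // package name borrowed from the original post; everything else is hypothetical

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KerberosPasswordAuth {

    /** JAAS entry name; any string works as long as LoginContext asks for the same one. */
    static final String ENTRY = "primaryLoginContext";

    /** JAAS configuration built in code; installing it replaces whatever
     *  java.security.auth.login.config would have loaded from a file or URL. */
    static final class Krb5JaasConfig extends Configuration {
        private final boolean useTicketCache;

        Krb5JaasConfig(boolean useTicketCache) {
            this.useTicketCache = useTicketCache;
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY.equals(name)) {
                return null;
            }
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("client", "true");
            // false: always ask for a password (web-app check);
            // true: reuse the OS ticket cache, i.e. single sign-on in a desktop client.
            opts.put("useTicketCache", Boolean.toString(useTicketCache));
            // "true" prints the AS exchange, which is where enctype mismatches show up.
            opts.put("debug", "false");
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }

        public void refresh() { } // abstract in J2SE 5; the entries above are constant
    }

    /** Answers the name and password callbacks and refuses anything else. */
    static final class NamePasswordHandler implements CallbackHandler {
        private final String principal;
        private final char[] password;

        NamePasswordHandler(String principal, char[] password) {
            this.principal = principal;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // PasswordCallback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }

    /** Obtains a TGT for principal with password. Returns the Subject holding the
     *  ticket, or null if the login failed; the password array is wiped either way. */
    static Subject authenticate(String principal, char[] password) {
        try {
            LoginContext lc = new LoginContext(ENTRY, new NamePasswordHandler(principal, password));
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            // Bad password, unknown principal, clock skew and enctype mismatch all end up here;
            // log the message, never the password.
            System.err.println("Kerberos login failed for " + principal + ": " + e.getMessage());
            return null;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: KerberosPasswordAuth /path/to/krb5.conf user@REALM");
            System.exit(2);
        }
        // Realm, KDC and enctypes all come from this file (-Djava.security.krb5.conf=... works too).
        System.setProperty("java.security.krb5.conf", args[0]);
        Configuration.setConfiguration(new Krb5JaasConfig(false));

        System.err.print("Password: ");
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        Subject subject = authenticate(args[1], line == null ? new char[0] : line.toCharArray());
        System.out.println(subject == null ? "FAIL" : "OK " + subject.getPrincipals());
        System.exit(subject == null ? 1 : 0);
    }
}
```

Two caveats the posts do not mention. A successful login() only shows that whoever answered the AS-REQ returned a reply encrypted under the key derived from the typed password; an attacker who can spoof that reply passes the check with a password of their choosing, which is why PAM-style Kerberos modules follow up by requesting a service ticket for a principal whose key the application holds in a keytab and verifying it. And the des3-cbc-sha1-kd enctype in the sample krb5.conf was current in 2008; newer KDCs and JREs default to the AES enctypes (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96), and single DES is disabled in Java 7 and later unless krb5.conf sets allow_weak_crypto = true.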