[jboss-user] [Security & JAAS/JBoss] - Re: Minimal JBoss config to use GSSAPI/Kerberos acceptSecCon

chriscorbell do-not-reply at jboss.com
Mon Mar 2 16:54:37 EST 2009


I finally got it working.  I had gotten a sample working in a small test Java app using the external config file brought in by "-Djava.security.auth.login.config" per the Sun sample.

I believe I have confirmed that this usage is not the way to go with JBoss - you need to use the same configuration properties of a "com.sun.security.jgss.accept" that might be defined in such a config file, but do it in the standard JBoss login-config.xml.

The three system property args needed are:
-Djava.security.krb5.realm=(your realm), -Djava.security.krb5.kdc=(your kdc IP), and -Djavax.security.auth.useSubjectCredsOnly=false
(I'm passing these to the JVM via run.sh).

It turns out I was missing a few things in my login-config.xml application-policy; that was the main source of my failure. I was also missing a couple of steps in my code.

Here's what my policy looks like in login-config.xml:

<application-policy name="com.sun.security.jgss.accept">
   <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                    flag="required">
         <module-option name="debug">true</module-option>
         <module-option name="realm">MY.TEST.REALM.COM</module-option>
         <module-option name="kdc">10.1.6.100</module-option>
         <module-option name="useKeyTab">true</module-option>
         <module-option name="useTicketCache">true</module-option>
         <module-option name="doNotPrompt">true</module-option>
         <module-option name="keyTab">/Library/sso/myservice/krb5.keytab</module-option>
         <module-option name="storeKey">true</module-option>
         <module-option name="principal">myservice/10.1.6.22</module-option>
      </login-module>
   </authentication>
</application-policy>

The options for "realm", "kdc", "keyTab" and "principal" are the values that vary based on deployment and particular service.

In source, I found I needed to:
1. unmarshal the GSS context token I've received from the client into a byte array
2. get a GSSManager instance
3. create a new LoginContext with:
   new LoginContext("com.sun.security.jgss.accept");
4. Call login() on my LoginContext instance
5. Create a GSSCredential instance with the manager, using
  .createCredential(GSSCredential.ACCEPT_ONLY);
6. Create a GSSContext using the manager, passing the credentials just created to .createContext(...)
7. Use the context to call .acceptSecContext:
  gssCtx.acceptSecContext(gssContextBytes, 0, gssContextBytes.length);

Hopefully this is useful for someone else who's trying to achieve the same thing.

- Chris
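The seven steps above put together as an added Java example (not Chris's code, nor JBoss's). It assumes the application-policy shown above is deployed, that the caller has already unmarshalled the client's token into a byte array (step 1), and that the mechanism completes in a single round trip as plain Kerberos does; KerberosAcceptor and AcceptResult are hypothetical names.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Hypothetical server-side helper: accepts one client token via the JBoss policy. */
public class KerberosAcceptor {

    /** Who the client turned out to be, plus any token to send back (null if none). */
    public static final class AcceptResult {
        public final String clientPrincipal;
        public final byte[] responseToken;
        AcceptResult(String p, byte[] t) { clientPrincipal = p; responseToken = t; }
    }

    public static AcceptResult accept(final byte[] clientToken) throws LoginException, GSSException {
        // Steps 3-4: log the service in through the "com.sun.security.jgss.accept" policy;
        // with useKeyTab + storeKey the service key from the keytab ends up in the Subject.
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept");
        lc.login();
        try {
            // Run the accept as the logged-in service Subject so that stored key is used.
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<AcceptResult>() {
                public AcceptResult run() throws GSSException {
                    GSSManager manager = GSSManager.getInstance();                              // step 2
                    GSSCredential serverCred = manager.createCredential(GSSCredential.ACCEPT_ONLY); // step 5
                    GSSContext ctx = manager.createContext(serverCred);                          // step 6
                    try {
                        byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length); // step 7
                        if (!ctx.isEstablished()) {   // assumption: one round trip is enough
                            throw new GSSException(GSSException.FAILURE, -1,
                                    "context not established after one token; mechanism needs more rounds");
                        }
                        // Only trust the peer identity once the context is established.
                        return new AcceptResult(ctx.getSrcName().toString(), reply);
                    } finally {
                        ctx.dispose();          // release the context and credential promptly
                        serverCred.dispose();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException();
        } finally {
            lc.logout();
        }
    }
}
```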


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214309#4214309