[jboss-user] [Security & JAAS/JBoss] - Re: Minimal JBoss config to use GSSAPI/Kerberos acceptSecCon

I finally got it working. I had gotten a sample working in a small test Java app. using the external config file brought in by "-Djava.security.auth.login.config" per the Sun sample. I believe I have confirmed that this usage is not the way to go with JBoss - you need to use the same configuration properties of a "com.sun.security.jgss.accept" that might be defined in such a config file, but do it in the standard JBoss login-config.xml. The three system property args needed are: -Djava.security.krb5.realm=(your realm), -Djava.security.krb5.kdc=(your kdc IP), and -Djavax.security.auth.useSubjectCredsOnly=false (I'm passing these to the JVM via run.sh). It turns out I was missing a few things in my login-config.xml application-policy, that was the main source of may failure - also missing a couple of steps in my code. Here's what my policy looks like in login-config.xml: <application-policy name = "com.sun.security.jgss.accept"> | <authentication> | <login-module code="com.sun.security.auth.module.Krb5LoginModule" | flag="required"> | <module-option name="debug">true</module-option> | <module-option name="realm">MY.TEST.REALM.COM</module-option> | <module-option name="kdc">10.1.6.100</module-option> | <module-option name="useKeyTab">true</module-option> | <module-option name="useTicketCache">true</module-option> | <module-option name="doNotPrompt">true</module-option> | <module-option name="keyTab">/Library/sso/myservice/krb5.keytab</module-option> | <module-option name="storeKey">true</module-option> | <module-option name="principal">myservice/10.1.6.22</module-option> | </login-module> | </authentication> | </application-policy> The options for "realm", "kdc", "keyTab" and "principal" are the values that vary based on deployment and particular service. In source, I found I needed to: 1. unmarshall the GSS context token I've received from the client into a byte array 2. get a GSSManager instance 3. create a new LoginContext with: new LoginContext("com.sun.security.jgss.accept"); 4. Call login() on my LoginContext instance 5. Create a GSSCredentials instance with the manager, using .createCredential(GSSCredential.ACCEPT_ONLY); 6. Create a GSSContext using the manager, passing the credentials just created to .createContext(...) 7. Use the context to call .acceptSecContext: gssCtx.acceptSecContext(gssContextBytes, 0, gssContextBytes.length); Hopefully this is useful for someone else who's trying to achieve the same thing. - Chris View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214309#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...