[jboss-user] [Security & JAAS/JBoss] - Re: Minimal JBoss config to use GSSAPI/Kerberos acceptSecCon
chriscorbell
do-not-reply at jboss.com
Mon Mar 2 16:54:37 EST 2009
I finally got it working. I had gotten a sample working in a small test Java app using the external config file brought in by "-Djava.security.auth.login.config" per the Sun sample.
I believe I have confirmed that this usage is not the way to go with JBoss - you need to use the same configuration properties of a "com.sun.security.jgss.accept" that might be defined in such a config file, but do it in the standard JBoss login-config.xml.
The three system property args needed are:
-Djava.security.krb5.realm=(your realm), -Djava.security.krb5.kdc=(your kdc IP), and -Djavax.security.auth.useSubjectCredsOnly=false
(I'm passing these to the JVM via run.sh).
It turns out I was missing a few things in my login-config.xml application-policy, which was the main source of my failure - I was also missing a couple of steps in my code.
Here's what my policy looks like in login-config.xml:
<application-policy name = "com.sun.security.jgss.accept">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                      flag="required">
            <module-option name="debug">true</module-option>
            <module-option name="realm">MY.TEST.REALM.COM</module-option>
            <module-option name="kdc">10.1.6.100</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="useTicketCache">true</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="keyTab">/Library/sso/myservice/krb5.keytab</module-option>
            <module-option name="storeKey">true</module-option>
            <module-option name="principal">myservice/10.1.6.22</module-option>
        </login-module>
    </authentication>
</application-policy>
The options for "realm", "kdc", "keyTab" and "principal" are the values that vary based on deployment and particular service.
In source, I found I needed to:
1. unmarshall the GSS context token I've received from the client into a byte array
2. get a GSSManager instance
3. create a new LoginContext with:
new LoginContext("com.sun.security.jgss.accept");
4. Call login() on my LoginContext instance
5. Create a GSSCredentials instance with the manager, using
.createCredential(GSSCredential.ACCEPT_ONLY);
6. Create a GSSContext using the manager, passing the credentials just created to .createContext(...)
7. Use the context to call .acceptSecContext:
gssCtx.acceptSecContext(gssContextBytes, 0, gssContextBytes.length);
Hopefully this is useful for someone else who's trying to achieve the same thing.
- Chris
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214309#4214309
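The seven steps above, written out as one acceptor method (an added example, not code from Chris's post). It assumes the login-config.xml entry named "com.sun.security.jgss.accept" from the post is in place, that the client token arrives Base64-encoded (as it would in an HTTP Negotiate header), and that the exchange completes in a single round trip; a multi-leg exchange would have to keep the GSSContext alive across calls.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Acceptor side of the exchange described in the post (added example, not the poster's code). */
public class KerberosAcceptor {
    // Entry name from the post's login-config.xml; keytab, realm, kdc and principal live there.
    private static final String JAAS_ENTRY = "com.sun.security.jgss.accept";

    /** Outcome of one acceptSecContext round. */
    public static final class Result {
        public final String clientPrincipal; // null until the context is established
        public final byte[] replyToken;      // non-null means it must be sent back to the client
        Result(String p, byte[] t) { clientPrincipal = p; replyToken = t; }
    }

    /** Step 1: assumes the token arrived Base64-encoded (constructed assumption for this example). */
    public static Result accept(String base64Token) throws LoginException, GSSException {
        final byte[] tokenBytes = Base64.getDecoder().decode(base64Token);
        // Steps 3-4: authenticate the service itself with its keytab via the JAAS entry.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        try {
            // Run as the service Subject so JGSS finds the service key among its private credentials.
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Result>) () -> {
                GSSManager manager = GSSManager.getInstance();                                 // step 2
                GSSCredential serverCred = manager.createCredential(GSSCredential.ACCEPT_ONLY); // step 5
                GSSContext ctx = manager.createContext(serverCred);                            // step 6
                try {
                    byte[] reply = ctx.acceptSecContext(tokenBytes, 0, tokenBytes.length);     // step 7
                    // Only an established context proves who the client is; authorize on getSrcName().
                    String who = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                    return new Result(who, reply);
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            if (e.getException() instanceof GSSException) throw (GSSException) e.getException();
            throw new IllegalStateException("acceptSecContext failed", e.getException());
        } finally {
            lc.logout();
        }
    }
}
```

A null clientPrincipal with a non-null replyToken means the client has not been authenticated yet; a GSSException on step 7 (for example a token for a principal or key version the keytab does not hold) should be treated as an authentication failure, not as a transport error.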