[jboss-user] [Security & JAAS/JBoss] - Re: Minimal JBoss config to use GSSAPI/Kerberos acceptSecCon

quinntaylor do-not-reply at jboss.com
Tue Mar 3 13:53:13 EST 2009


Chris, if you're local to Silicon Valley, I just might buy you a lunch! I don't know where you found something that suggested specifying the GSS config as an <application-policy> entity, but that definitely worked for me. (I knew it had to be something in login-config.xml, but I wouldn't have guessed that this is how you do it. Genius!)

For my application, I have a custom Kerberos configuration, so I added the following lines in a run.conf file (used by run.sh):

# System properties for Kerberos / GSS
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/path/to/krb5.conf"
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"

Since my server uses a keytab file with many different principals (and acts as acceptor for any of them), my code doesn't need to directly connect to the KDC, so I eliminated some of those module options. Here's what I have (edited, of course)...

<application-policy name="com.sun.security.jgss.accept">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="realm">REALM.EXAMPLE.COM</module-option>
            <module-option name="isInitiator">false</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="keyTab">/path/to/krb5.keytab</module-option>
            <module-option name="storeKey">true</module-option>
            <module-option name="doNotPrompt">true</module-option>
        </login-module>
    </authentication>
</application-policy>

I've actually found that I can do without the LoginContext song and dance. I don't know if it's because the servlet executing the code is SSL-secured, or if it's something else. In any case, in my code, right before I do step 5, I include this line of code to specify the principal from the keytab for which I need to retrieve a credential:

System.setProperty("sun.security.krb5.principal", principalName);

Thanks again, you've been a tremendous help. No more tearing my hair out and cursing the JBoss security manager!

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214649#4214649

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4214649
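The acceptor step the post refers to as "step 5", written out as an added example; this is not code from the post, from the thread, or from JBoss. It assumes the run.conf properties and the `com.sun.security.jgss.accept` policy shown above are in place, that the client token is a raw Kerberos V5 GSS token (not a SPNEGO wrapper), and that the class name `KerberosAcceptor`, the `Accepted` holder and the base64 transport are hypothetical choices made for the example.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Acceptor side of a Kerberos V5 GSSAPI handshake (hypothetical class, not from the post). */
public final class KerberosAcceptor {

    /** Kerberos V5 GSS mechanism OID (RFC 1964). */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /** What the caller learns after a successful accept. */
    public static final class Accepted {
        public final String clientPrincipal;   // e.g. alice@REALM.EXAMPLE.COM
        public final byte[] responseToken;     // AP-REP for mutual auth, or null
        Accepted(String clientPrincipal, byte[] responseToken) {
            this.clientPrincipal = clientPrincipal;
            this.responseToken = responseToken;
        }
    }

    private KerberosAcceptor() { }

    /** Validates one client token against the keytab entry for servicePrincipal. */
    public static Accepted accept(String servicePrincipal, byte[] clientToken) throws GSSException {
        // Same property as in the post: select which keytab principal to act as.
        System.setProperty("sun.security.krb5.principal", servicePrincipal);

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);

        // With useSubjectCredsOnly=false the JDK Krb5 mechanism reads the keytab through the
        // JAAS entry "com.sun.security.jgss.accept", so no LoginContext is needed here.
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serverCred);
        try {
            byte[] reply = context.acceptSecContext(clientToken, 0, clientToken.length);
            // The Kerberos mechanism establishes the acceptor on the first (AP-REQ) token;
            // anything else means the token was not a valid AP-REQ for this service.
            if (!context.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            // Read the authenticated client name before the context is disposed.
            return new Accepted(context.getSrcName().toString(), reply);
        } finally {
            context.dispose();
            serverCred.dispose();
        }
    }

    /** Convenience: token as carried by a base64 transport such as an HTTP header value. */
    public static Accepted acceptBase64(String servicePrincipal, String base64Token) throws GSSException {
        byte[] token;
        try {
            token = Base64.getDecoder().decode(base64Token.trim());
        } catch (IllegalArgumentException e) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        return accept(servicePrincipal, token);
    }

    public static void main(String[] args) throws GSSException {
        if (args.length != 2) {
            System.err.println("usage: KerberosAcceptor <service-principal> <base64-token>");
            System.exit(2);
        }
        Accepted a = acceptBase64(args[0], args[1]);
        System.out.println("authenticated client: " + a.clientPrincipal);
        if (a.responseToken != null) {
            System.out.println("mutual-auth reply (base64): "
                    + Base64.getEncoder().encodeToString(a.responseToken));
        }
    }
}
```

`servicePrincipal` must name an entry that actually exists in the keytab configured by the policy, otherwise `createCredential` fails before any token is examined. A non-null `responseToken` is the AP-REP that the client expects back when it requested mutual authentication; returning it is what lets the client confirm it is talking to the real service rather than to whoever holds a copy of the ticket.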
