On 4/21/2011 3:09 AM, Mark Thomas wrote:
On 20/04/2011 21:00, Filip Hanik - Dev Lists wrote:
Here are some thoughts on the implementation
Thanks for the feedback.
1. |com.sun.security.jgss.initiate is not needed
This definition is not needed in jaas.conf. Tomcat is not a client in
this case, it's a server accepting tickets.
the .initiate is only for clients that request a Kerberos ticket from
the KDC.
The example works fine removing this entry all together.
I think this will be required when we add support for using the server's
delegated credentials to connect to the directory to retrieve user
roles. I'll check this when I implement it and will remove it if I can.
yes, if you want tomcat to act as a client.
Acting like a client will mean a few different things, like
- configuring the module name for the client
- I'm pretty sure the configuration will be different here, you should not need
a keytab or principal, you're a client in this case.
2. com.sun.security.jgss.krb5.accept is not configurable
While the authenticator has the attribute loginConfigName, there seems
to be a place in the code where it omits this entry.
renaming this entry in jaas.conf and setting the loginConfigName will
fail to validate a ticket
Thanks. I'll add a BZ entry for this. I should be able to get to in in
time for 7.0.13 (unless someone beats me to it).
much appreciated
Filip
Mark
The problem code is here:
gssContext =
manager.createContext(manager.createCredential(null,
GSSCredential.DEFAULT_LIFETIME,
new Oid("1.3.6.1.5.5.2"),
GSSCredential.ACCEPT_ONLY));
should look like
final GSSManager manager = GSSManager.getInstance();
final PrivilegedExceptionAction<GSSCredential> action =
new PrivilegedExceptionAction<GSSCredential>() {
public GSSCredential run() throws GSSException {
return manager.createCredential(null,
GSSCredential.DEFAULT_LIFETIME,
new Oid("1.3.6.1.5.5.2"),
GSSCredential.ACCEPT_ONLY);
}
};
gssContext =
manager.createContext(Subject.doAs(lc.getSubject(), action));||
best
Filip
|
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1321 / Virus Database: 1500/3586 - Release Date: 04/20/11
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org