Issue with SPNEGO authenticator

Arunav Sanyal Fri, 08 Nov 2013 02:16:52 -0800

Hi

Our company has a use case in which our domain is a tomcat process. In our
code, we support a parallel protocol which uses In memory based jaas
configuration -


public class OurLoginConfiguration extends Configuration

In IBM JDK 7, we need to initiate using keytab which needs the system
property javax.security.auth.useSubjectCredsOnly to be set to true for it
to work. However Tomcat sets it in

 protected void initInternal() throws LifecycleException {
        super.initInternal();

        // Kerberos configuration file location
        String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
        if (krb5Conf == null) {
            // System property not set, use the Tomcat default
            File krb5ConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_KRB5_CONF);
            System.setProperty(Constants.KRB5_CONF_PROPERTY,
                    krb5ConfFile.getAbsolutePath());
        }

        // JAAS configuration file location
        String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
        if (jaasConf == null) {
            // System property not set, use the Tomcat default
            File jaasConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_JAAS_CONF);
            System.setProperty(Constants.JAAS_CONF_PROPERTY,
                    jaasConfFile.getAbsolutePath());
        }

        // This property must be false for SPNEGO to work
        System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY,
"false");
    }

as false in the last line which causes havoc in the code.

Now a little more investigation revealed that tomcat acts only as an
acceptor. Now this property need not necessarily be set to false for it to
work(in both IBM and SUN JDK).

Source of claim -
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin

Excerpt:-

 2. Direct JGSS:

      /* JGSS-API calls... */

       In this case, the JAAS config file's entry name MUST be the
       standard entry name (com.sun.security.jgss.krb5.initiate), and you
       must set -Djavax.security.auth.useSubjectCredsOnly=false on the
       Java command line. Read
       [26]http://java.sun.com/javase/6/docs/technotes/guides/security/jgs
       s/tutorials/BasicClientServer.html for details.


This is also confirmed in IBM with a sample program.

Is it possible to remove the last line of the function. What kind of impact
it will have. I dont envisage a case in which existing functionality can
break.

Yours sincerely

-- 

Arunav Sanyal
Graduate student
B.E (Hons) Computer Science
BITS Pilani K.K Birla Goa Campus

Software Engineer
INFORMATICA BUSINESS SOLUTIONS

Issue with SPNEGO authenticator

Reply via email to