I finally got it working. I had gotten a sample working in a small test Java
app, using the external config file brought in by
"-Djava.security.auth.login.config" per the Sun sample.
I believe I have confirmed that this usage is not the way to go with JBoss -
you need to use the same configuration properties of a
"com.sun.security.jgss.accept" that might be defined in such a config file, but
do it in the standard JBoss login-config.xml.
The three system property args needed are:
-Djava.security.krb5.realm=(your realm), -Djava.security.krb5.kdc=(your kdc
IP), and -Djavax.security.auth.useSubjectCredsOnly=false
(I'm passing these to the JVM via run.sh).
It turns out I was missing a few things in my login-config.xml
application-policy; that was the main source of my failure. I was also missing a
couple of steps in my code.
Here's what my policy looks like in login-config.xml:
<application-policy name = "com.sun.security.jgss.accept">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                  flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="realm">MY.TEST.REALM.COM</module-option>
      <module-option name="kdc">10.1.6.100</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="useTicketCache">true</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="keyTab">/Library/sso/myservice/krb5.keytab</module-option>
      <module-option name="storeKey">true</module-option>
      <module-option name="principal">myservice/10.1.6.22</module-option>
    </login-module>
  </authentication>
</application-policy>
The options for "realm", "kdc", "keyTab" and "principal" are the values that
vary based on deployment and particular service.
In source, I found I needed to:
1. unmarshall the GSS context token I've received from the client into a byte
array
2. get a GSSManager instance
3. create a new LoginContext with:
new LoginContext("com.sun.security.jgss.accept");
4. Call login() on my LoginContext instance
5. Create a GSSCredentials instance with the manager, using
.createCredential(GSSCredential.ACCEPT_ONLY);
6. Create a GSSContext using the manager, passing the credentials just created
to .createContext(...)
7. Use the context to call .acceptSecContext:
gssCtx.acceptSecContext(gssContextBytes, 0, gssContextBytes.length);
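Steps 1 through 7 put together as an added example (not the original poster's code): a small Java acceptor that runs the GSS calls under the Subject returned by the LoginContext, which the steps above do not mention, and only reports the client principal once the context is established. The class name, the AcceptResult holder and the source of the client token are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Server-side acceptor for a Kerberos/GSS token (hypothetical class, added example). */
public final class KerberosAcceptor {

    /** Outcome of one accept round: authenticated client (null until established) and reply token. */
    public static final class AcceptResult {
        public final String clientPrincipal;  // e.g. "user@MY.TEST.REALM.COM" once established
        public final byte[] replyToken;       // non-null means the client expects this back (mutual auth)
        AcceptResult(String clientPrincipal, byte[] replyToken) {
            this.clientPrincipal = clientPrincipal;
            this.replyToken = replyToken;
        }
    }

    /** tokenFromClient is the already-unmarshalled GSS token (step 1). */
    public static AcceptResult accept(final byte[] tokenFromClient) throws Exception {
        // Steps 3 and 4: log in as the service principal via the JAAS entry
        // "com.sun.security.jgss.accept" defined in login-config.xml (keytab-based, no prompt).
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept");
        lc.login();
        try {
            // Run the GSS calls as the logged-in Subject so the keytab credentials are visible to JGSS.
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<AcceptResult>() {
                public AcceptResult run() throws GSSException {
                    GSSManager manager = GSSManager.getInstance();                                  // step 2
                    GSSCredential serverCred = manager.createCredential(GSSCredential.ACCEPT_ONLY); // step 5
                    GSSContext ctx = manager.createContext(serverCred);                             // step 6
                    try {
                        // Step 7: process the client's token; a non-null result must be sent back.
                        byte[] reply = ctx.acceptSecContext(tokenFromClient, 0, tokenFromClient.length);
                        // Trust the peer name only after the context is fully established.
                        String peer = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                        return new AcceptResult(peer, reply);
                    } finally {
                        ctx.dispose();        // single-round exchange; keep ctx alive if more rounds are expected
                        serverCred.dispose();
                    }
                }
            });
        } finally {
            lc.logout();
        }
    }
}
```

A null clientPrincipal with a non-null replyToken means the exchange needs another round, so the caller must not treat the request as authenticated yet.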
Hopefully this is useful for someone else who's trying to achieve the same
thing.
- Chris
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214309#4214309
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user