Chris, if you're local to Silicon Valley, I just might buy you a lunch! I don't 
know where you found something that suggested specifying the GSS config as an 
<application-policy> entity, but that definitely worked for me. (I knew it had 
to be something in login-config.xml, but I wouldn't have guessed that this is 
how you do it. Genius!)

For my application, I have a custom Kerberos configuration, so I added the 
following lines in a run.conf file (used by run.sh):

# System properties for Kerberos / GSS
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/path/to/krb5.conf"
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"

Since my server uses a keytab file with many different principals (and acts as 
acceptor for any of them), my code doesn't need to directly connect to the KDC, 
so I eliminated some of those module options. Here's what I have (edited, of 
course)...

<application-policy name="com.sun.security.jgss.accept">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="realm">REALM.EXAMPLE.COM</module-option>
            <module-option name="isInitiator">false</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="keyTab">/path/to/krb5.keytab</module-option>
            <module-option name="storeKey">true</module-option>
            <module-option name="doNotPrompt">true</module-option>
        </login-module>
    </authentication>
</application-policy>

I've actually found that I can do without the LoginContext song and dance. I 
don't know if it's because the servlet executing the code is SSL-secured, or if 
it's something else. In any case, in my code, right before I do step 5, I 
include this line of code to specify the principal from the keytab for which I 
need to retrieve a credential:

System.setProperty("sun.security.krb5.principal", principalName);

Thanks again, you've been a tremendous help. No more tearing my hair out and 
cursing the JBoss security manager!

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214649#4214649

_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
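The post describes the acceptor side only at the configuration level (a keytab-backed Krb5LoginModule under the com.sun.security.jgss.accept policy, useSubjectCredsOnly=false, and the sun.security.krb5.principal property set before "step 5"). The following is an added illustration of what that acceptor code typically looks like in Java; it is not code from the post, from JBoss, or from the JDK. The class name KerberosAcceptor, the method names, the service principal HTTP/www.example.com@REALM.EXAMPLE.COM and the Authorization-header parsing are assumptions of this example, as is the reading that the post's "step 5" is the acceptSecContext call. It relies on the JVM properties and login-config.xml entry from the post being in place and on a readable keytab containing the service principal.

```java
import java.util.Base64;
import java.util.Locale;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Hypothetical acceptor-side helper (not from the original post): validates a
 * client's Kerberos/SPNEGO token using the keytab-backed acceptor credential
 * that the com.sun.security.jgss.accept policy from the post provides.
 * Assumes -Djavax.security.auth.useSubjectCredsOnly=false and a readable keytab
 * containing the service principal, exactly as configured in the post.
 */
public final class KerberosAcceptor {

    // Standard mechanism OIDs: Kerberos V5 and SPNEGO.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";
    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2";

    /** Outcome of one acceptSecContext round. */
    public static final class Outcome {
        public final boolean established;
        public final String clientPrincipal;   // null until established
        public final byte[] responseToken;     // may be null; send back to the client if non-null

        Outcome(boolean established, String clientPrincipal, byte[] responseToken) {
            this.established = established;
            this.clientPrincipal = clientPrincipal;
            this.responseToken = responseToken;
        }
    }

    private KerberosAcceptor() {}

    /** Extracts the raw token from "Authorization: Negotiate <base64>"; null if absent or malformed. */
    public static byte[] tokenFromAuthorization(String headerValue) {
        if (headerValue == null) return null;
        String v = headerValue.trim();
        if (!v.toLowerCase(Locale.ROOT).startsWith("negotiate ")) return null;
        try {
            return Base64.getDecoder().decode(v.substring("negotiate ".length()).trim());
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }

    /**
     * Accepts one token for the given service principal, e.g.
     * HTTP/www.example.com@REALM.EXAMPLE.COM (hypothetical value).
     * Anything other than established == true must be treated as unauthenticated.
     */
    public static Outcome accept(String servicePrincipal, byte[] inToken) throws GSSException {
        // Same knob the post uses: tells Krb5LoginModule which keytab entry to load.
        // It is a JVM-wide property, so prefer setting it once at startup, not per request.
        System.setProperty("sun.security.krb5.principal", servicePrincipal);

        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
        Oid[] mechs = { new Oid(SPNEGO_MECH), new Oid(KRB5_MECH) };
        // ACCEPT_ONLY: this credential can never initiate a context, matching
        // isInitiator=false in the login module configuration from the post.
        GSSCredential acceptorCred = manager.createCredential(
                serviceName, GSSCredential.INDEFINITE_LIFETIME, mechs, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(acceptorCred);
        try {
            byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
            if (!ctx.isEstablished()) {
                // SPNEGO may need another round trip: reply 401 with
                // "WWW-Authenticate: Negotiate <base64(out)>" and wait for the next token.
                return new Outcome(false, null, out);
            }
            // getSrcName() is the client principal proven by the ticket; this is the
            // identity to use for authorization decisions, not anything the client sent in clear.
            return new Outcome(true, ctx.getSrcName().toString(), out);
        } finally {
            ctx.dispose();
            acceptorCred.dispose();
        }
    }

    public static void main(String[] args) {
        // Constructed, deliberately bogus token: exercises only the rejection path offline.
        String header = "Negotiate " + Base64.getEncoder().encodeToString("not-a-real-token".getBytes());
        byte[] token = tokenFromAuthorization(header);
        try {
            Outcome o = accept("HTTP/www.example.com@REALM.EXAMPLE.COM", token);
            System.out.println(o.established ? "authenticated as " + o.clientPrincipal : "continue needed");
        } catch (GSSException e) {
            // Expected for the bogus token (or when no keytab is available): the acceptor
            // refuses. A real deployment maps this to HTTP 401 and logs getMajor()/getMinor().
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth noting when using this pattern with the configuration from the post. First, sun.security.krb5.principal is a global JVM property read by Krb5LoginModule at login time, so setting it per request from concurrent servlet threads is a race; set it once at startup for the principal the servlet serves. Second, the only identity a caller should trust is the one returned by getSrcName() after isEstablished() is true; a token that fails acceptSecContext, or a context that is not yet established, is an unauthenticated request and should get a 401, not a fallback to some default principal.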