Hello all,
I've come across a conversation between Colm and Zheng on this mailing list
from June and July 2016 titled "JWT pre-authentication - get JWT token on
service side" that touches upon the subject of extracting the token from the
sgt client side and sending it to the service.
The final suggestion was to use:

    @Test
    @org.junit.Ignore
    public void testKerbyClientAndGssService() throws Exception {
        KrbClient client = getKrbClient();
        client.init();
        try {
            // Get a service ticket using Kerby APIs
            TgtTicket tgt = client.requestTgt(getClientPrincipal(),
                    getClientPassword());
            Assert.assertTrue(tgt != null);
            SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
            Assert.assertTrue(tkt != null);
            Credential credential = new Credential(tkt,
                    tgt.getClientPrincipal());
            CredentialCache cCache = new CredentialCache();
            cCache.addCredential(credential);
            cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
            ByteArrayOutputStream bout = new ByteArrayOutputStream();
            CredCacheOutputStream os = new CredCacheOutputStream(bout);
            cCache.store(bout);
            os.close();
            // Now validate the ticket using GSS
            validateServiceTicket(bout.toByteArray());
        } catch (Exception e) {
            e.printStackTrace();
            Assert.fail();
        }
    }

But this does not seem to work on my system. I get the same error Colm mentions:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

The same issue appears when I obtain it directly from

    sgt.getTicket().encode()

Has there been an improvement in this regard? Is there any direct and simple
way to obtain the ticket client side using only Kerby API? If not, what is the
recommended approach at this time?

Btw. I encode the bytes using:

    new String(Base64.getEncoder().encode(bout.toByteArray()),
            StandardCharsets.UTF_8).replaceAll("\n", "");

and add them to the header under

    Authorization: Negotiate + token

Cheers,
Kamil Krynicki
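
An added diagnostic sketch, not part of the original message and not Kerby code: it classifies a blob by its leading bytes to show whether it carries the GSS-API initial token framing (RFC 2743, section 3.1: tag 0x60 followed by a mechanism OID) that a Negotiate acceptor parses, or is a credential cache or bare Kerberos structure instead. The class `TokenKind`, its methods and the sample byte arrays are hypothetical and constructed for illustration.

```java
import java.util.Base64;

public class TokenKind {
    // DER-encoded mechanism OIDs: tag 0x06, length, value.
    static final byte[] KRB5 = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                                (byte) 0xf7, 0x12, 0x01, 0x02, 0x02}; // 1.2.840.113554.1.2.2
    static final byte[] SPNEGO = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}; // 1.3.6.1.5.5.2

    static boolean hasAt(byte[] b, int off, byte[] want) {
        if (off + want.length > b.length) return false;
        for (int i = 0; i < want.length; i++) if (b[off + i] != want[i]) return false;
        return true;
    }

    // Classify a decoded blob by its leading bytes.
    static String classify(byte[] b) {
        if (b == null || b.length < 2) return "too short to classify";
        int tag = b[0] & 0xff;
        if (tag == 0x05 && b[1] >= 1 && b[1] <= 4) return "credential cache file, not a GSS token";
        if (tag == 0x61) return "raw Kerberos Ticket [APPLICATION 1], not a GSS token";
        if (tag == 0x6e) return "bare AP-REQ [APPLICATION 14], GSS framing missing";
        if (tag != 0x60) return "unrecognised leading byte 0x" + Integer.toHexString(tag);
        // Skip the DER length: short form is one octet, long form is 1 + n octets.
        int len = b[1] & 0xff;
        int off = 2 + ((len & 0x80) != 0 ? (len & 0x7f) : 0);
        if (hasAt(b, off, KRB5)) return "GSS initial token, Kerberos V5 mechanism";
        if (hasAt(b, off, SPNEGO)) return "GSS initial token, SPNEGO mechanism";
        return "GSS framing with an unexpected mechanism OID";
    }

    // Accepts the value of an Authorization header, e.g. "Negotiate <base64>".
    static String classifyHeader(String value) {
        String[] parts = value.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) return "not a Negotiate header";
        try {
            return classify(Base64.getDecoder().decode(parts[1]));
        } catch (IllegalArgumentException e) {
            return "token is not valid Base64";
        }
    }

    public static void main(String[] args) {
        // Constructed samples: only the leading bytes matter for this check.
        byte[] ccache = {0x05, 0x04, 0x00, 0x0c};
        byte[] ticket = {0x61, (byte) 0x82, 0x01, 0x2c, 0x30, (byte) 0x82};
        byte[] gss = new byte[15];
        gss[0] = 0x60; gss[1] = 0x0d;
        System.arraycopy(KRB5, 0, gss, 2, KRB5.length);
        gss[13] = 0x01; // TOK_ID 01 00 marks an AP-REQ inside the Kerberos GSS token
        System.out.println(classify(ccache));
        System.out.println(classify(ticket));
        System.out.println(classifyHeader("Negotiate " + Base64.getEncoder().encodeToString(gss)));
    }
}
```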