Posted to dev@tomcat.apache.org by Filip Hanik - Dev Lists <de...@hanik.com> on 2011/04/20 22:00:12 UTC

SpnegoAuthenticator feedback

Here are some thoughts on the implementation

1. com.sun.security.jgss.initiate is not needed
This definition is not needed in jaas.conf. Tomcat is not a client in this case, it's a server accepting tickets.
The .initiate entry is only for clients that request a Kerberos ticket from the KDC.
The example works fine removing this entry altogether.


2. com.sun.security.jgss.krb5.accept is not configurable
While the authenticator has the attribute loginConfigName, there seems to be a place in the code where it omits this entry.
Renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket.

The problem code is here:

             gssContext = manager.createContext(manager.createCredential(null,
                     GSSCredential.DEFAULT_LIFETIME,
                     new Oid("1.3.6.1.5.5.2"),
                     GSSCredential.ACCEPT_ONLY));

should look like
             final GSSManager manager = GSSManager.getInstance();
             final PrivilegedExceptionAction<GSSCredential> action =
                 new PrivilegedExceptionAction<GSSCredential>() {
                     public GSSCredential run() throws GSSException {
                         return manager.createCredential(null,
                                 GSSCredential.DEFAULT_LIFETIME,
                                 new Oid("1.3.6.1.5.5.2"),
                                 GSSCredential.ACCEPT_ONLY);
                     }
                 };
             gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));


best
Filip

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
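Added example, written for this thread rather than taken from Tomcat or from Filip's snippet: it shows the pattern the second point asks for (log in through whatever JAAS entry loginConfigName names, then acquire the acceptor credential inside Subject.doAs so the Krb5 mechanism uses that Subject's keys instead of silently looking up the fixed entry name com.sun.security.jgss.krb5.accept), plus a start-up check that the named entry actually exists. The entry name TomcatSpnego, the keytab path and the principal are constructed placeholders; the offline run writes a sample jaas.conf containing only the renamed entry, which is exactly the configuration the thread says the original code cannot handle.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Added example, not Tomcat's code: configurable JAAS entry for the SPNEGO acceptor. */
public class SpnegoAcceptorCheck {

    // Entry name the JDK Krb5 GSS mechanism looks up by itself when no Subject is on the
    // call stack; this hardcoded fallback is what the thread's original code relied on.
    static final String JGSS_DEFAULT_ACCEPT_ENTRY = "com.sun.security.jgss.krb5.accept";

    // SPNEGO mechanism OID, as in the authenticator code quoted in the thread.
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** True if the active JAAS configuration defines an entry with this name. */
    static boolean hasLoginConfigEntry(String name) {
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(name);
        return entries != null && entries.length > 0;
    }

    /**
     * Log in with the named JAAS entry (keytab based, so no CallbackHandler is needed) and
     * build the acceptor context inside Subject.doAs, so the mechanism uses that Subject's
     * Kerberos keys rather than the default entry name.
     */
    static GSSContext createAcceptorContext(String loginConfigName)
            throws LoginException, PrivilegedActionException {
        if (!hasLoginConfigEntry(loginConfigName)) {
            throw new LoginException("No JAAS entry named '" + loginConfigName + "'");
        }
        LoginContext lc = new LoginContext(loginConfigName);
        lc.login();
        final GSSManager manager = GSSManager.getInstance();
        PrivilegedExceptionAction<GSSContext> action =
                new PrivilegedExceptionAction<GSSContext>() {
            public GSSContext run() throws GSSException {
                GSSCredential serverCred = manager.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME,
                        new Oid(SPNEGO_OID),
                        GSSCredential.ACCEPT_ONLY);
                return manager.createContext(serverCred);
            }
        };
        return Subject.doAs(lc.getSubject(), action);
    }

    /** Writes a constructed jaas.conf whose only entry uses a non-default name. */
    static File writeSampleJaasConf(String entryName) throws IOException {
        File conf = File.createTempFile("jaas", ".conf");
        conf.deleteOnExit();
        try (Writer w = new FileWriter(conf)) {
            w.write(entryName + " {\n"
                  + "    com.sun.security.auth.module.Krb5LoginModule required\n"
                  + "    useKeyTab=true\n"
                  + "    storeKey=true\n"
                  + "    doNotPrompt=true\n"
                  + "    keyTab=\"/PLACEHOLDER/tomcat.keytab\"\n"               // placeholder
                  + "    principal=\"HTTP/host.example.test@EXAMPLE.TEST\";\n" // placeholder
                  + "};\n");
        }
        return conf;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // Real run: java SpnegoAcceptorCheck /path/to/jaas.conf EntryName
            // (needs a genuine keytab and a reachable KDC).
            System.setProperty("java.security.auth.login.config", args[0]);
            GSSContext ctx = createAcceptorContext(args[1]);
            System.out.println("acceptor context created: " + (ctx != null));
            return;
        }
        // Offline demonstration with the constructed config above.
        String entry = "TomcatSpnego"; // hypothetical loginConfigName value
        File conf = writeSampleJaasConf(entry);
        // Must be set before the first Configuration.getConfiguration() call in this JVM.
        System.setProperty("java.security.auth.login.config", conf.getAbsolutePath());
        System.out.println(entry + " defined: " + hasLoginConfigEntry(entry));
        System.out.println(JGSS_DEFAULT_ACCEPT_ENTRY + " defined: "
                + hasLoginConfigEntry(JGSS_DEFAULT_ACCEPT_ENTRY));
    }
}
```

Run without arguments it reports that the renamed entry is defined and the default one is not, which is the state in which code that ignores loginConfigName cannot find any keys; with a jaas.conf path and entry name it performs the real login. The doAs wrapping only takes effect while the JDK property javax.security.auth.useSubjectCredsOnly keeps its default of true; setting it to false makes the mechanism fall back to the fixed entry name again.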


Re: SpnegoAuthenticator feedback

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
On 4/21/2011 3:09 AM, Mark Thomas wrote:
> On 20/04/2011 21:00, Filip Hanik - Dev Lists wrote:
>> Here are some thoughts on the implementation
> Thanks for the feedback.
>
>> 1. com.sun.security.jgss.initiate is not needed
>> This definition is not needed in jaas.conf. Tomcat is not a client in
>> this case, it's a server accepting tickets.
>> The .initiate entry is only for clients that request a Kerberos ticket from
>> the KDC.
>> The example works fine removing this entry altogether.
> I think this will be required when we add support for using the server's
> delegated credentials to connect to the directory to retrieve user
> roles. I'll check this when I implement it and will remove it if I can.
Yes, if you want Tomcat to act as a client.
Acting like a client will mean a few different things, like:
- configuring the module name for the client
- I'm pretty sure the configuration will be different here: you should not need a keytab or principal, since you're a client in this case.


>> 2. com.sun.security.jgss.krb5.accept is not configurable
>> While the authenticator has the attribute loginConfigName, there seems
>> to be a place in the code where it omits this entry.
>> renaming this entry in jaas.conf and setting the loginConfigName will
>> fail to validate a ticket
> Thanks. I'll add a BZ entry for this. I should be able to get to it in
> time for 7.0.13 (unless someone beats me to it).

Much appreciated,
Filip


> Mark
>
>> The problem code is here:
>>
>>              gssContext = manager.createContext(manager.createCredential(null,
>>                      GSSCredential.DEFAULT_LIFETIME,
>>                      new Oid("1.3.6.1.5.5.2"),
>>                      GSSCredential.ACCEPT_ONLY));
>>
>> should look like
>>              final GSSManager manager = GSSManager.getInstance();
>>              final PrivilegedExceptionAction<GSSCredential>  action =
>>                  new PrivilegedExceptionAction<GSSCredential>() {
>>                      public GSSCredential run() throws GSSException {
>>                          return manager.createCredential(null,
>>                                  GSSCredential.DEFAULT_LIFETIME,
>>                                  new Oid("1.3.6.1.5.5.2"),
>>                                  GSSCredential.ACCEPT_ONLY);
>>                      }
>>                  };
>>              gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
>>
>>
>> best
>> Filip
>>




Re: SpnegoAuthenticator feedback

Posted by Mark Thomas <ma...@apache.org>.
On 20/04/2011 21:00, Filip Hanik - Dev Lists wrote:
> Here are some thoughts on the implementation

Thanks for the feedback.

> 1. com.sun.security.jgss.initiate is not needed
> This definition is not needed in jaas.conf. Tomcat is not a client in
> this case, it's a server accepting tickets.
> The .initiate entry is only for clients that request a Kerberos ticket from
> the KDC.
> The example works fine removing this entry altogether.

I think this will be required when we add support for using the server's
delegated credentials to connect to the directory to retrieve user
roles. I'll check this when I implement it and will remove it if I can.

> 2. com.sun.security.jgss.krb5.accept is not configurable
> While the authenticator has the attribute loginConfigName, there seems
> to be a place in the code where it omits this entry.
> renaming this entry in jaas.conf and setting the loginConfigName will
> fail to validate a ticket

Thanks. I'll add a BZ entry for this. I should be able to get to it in
time for 7.0.13 (unless someone beats me to it).

Mark

> 
> The problem code is here:
> 
>             gssContext = manager.createContext(manager.createCredential(null,
>                     GSSCredential.DEFAULT_LIFETIME,
>                     new Oid("1.3.6.1.5.5.2"),
>                     GSSCredential.ACCEPT_ONLY));
> 
> should look like
>             final GSSManager manager = GSSManager.getInstance();
>             final PrivilegedExceptionAction<GSSCredential> action =
>                 new PrivilegedExceptionAction<GSSCredential>() {
>                     public GSSCredential run() throws GSSException {
>                         return manager.createCredential(null,
>                                 GSSCredential.DEFAULT_LIFETIME,
>                                 new Oid("1.3.6.1.5.5.2"),
>                                 GSSCredential.ACCEPT_ONLY);
>                     }
>                 };
>             gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
> 
> 
> best
> Filip
> 
> 



