Kerberos over HTTP

Hello, I need to find a Java library to be able to connect with HTTP to an Apache server which uses Kerberos (Negotiate) for authentication. Does anyone know something useful for me? Thanks, Laurent
[235 byte] By [Laurent_Grangiera] at [2007-11-26 17:54:03]
# 1
JDK 6 support this out of box. See http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#nine
wangwja at 2007-7-9 5:07:05 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 2

Hi!

Thanks for your answer. I used the example to get a webpage protected with single sign-on (MS Outlook web access) and it works.

Now I'm trying to access to an Apache server protected with Kerberos / Negotiate.

My problem is that it seems to use my Windows XP ticket even if I put an "Authenticator.setDefault(new MyAuthenticator());" line and MyAuthenticator returns the right username/password for the Apache server. I also tried to use Authenticator.requestPasswordAuthentication()... but then I don't know what to do with the PasswordAuthentication object returned.

My login.conf looks like:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        doNotPrompt=false
        principal="MY_REALM"
        debug=true;
};

How can I force Java to get the username/password from authenticator ?

Any other idea about my problem ?

Thanks,

Laurent

Laurent_Grangiera at 2007-7-9 5:07:05
# 3

Your Apache server is in a Kerberos 5 realm other than the Windows Active Directory one, right? You may need to specify the realm name and KDC of that realm with system properties. The JRE should be able to retrieve tickets for that realm, and since you already specify useTicketCache=false and doNotPrompt=false, the username and password should be prompted for.

Also, you shouldn't specify "principal" in the JAAS login config file.

wangwja at 2007-7-9 5:07:05
# 4

You are right. The apache realm is different.

But I forgot to mention that I also put a krb5.conf file for Java:

[libdefaults]
    default_realm = MY_REALM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[domain_realm]
    the-apache-server = MY_REALM

[realms]
    MY_REALM = {
        admin_server = the-apache-server
        kdc = the-apache-server
    }

Maybe something is wrong here?

Note that my apache-server is also the Kerberos server (admin + kdc).

I also tried to set properties:

java -Djava.security.krb5.realm=MY_REALM -Djava.security.krb5.kdc=the-apache-server....

Nothing is working. Java is always using my Windows principal.

Is it possible that Java uses a cache and that I should force it to reload or something like that?

Laurent_Grangiera at 2007-7-9 5:07:05
# 5

Yes, Java always uses the cached ticket (without looking at other config. If you think this is wrong, just file a bug.).

So, there are two ways you can do it:

1. Specify useTicketCache=false, then you need to always provide username/password in your application.

2. Run kinit first (with -J-Djava.security.krb5.realm=.... ...kdc=...) to retrieve a ticket from the realm of your Apache server. Java will try this file-based ticket before the native one.

My suggestion is that you use kinit to get a ticket and move it to another place, then, if you want to use the Windows Active Directory, this ticket won't be used. If you want to use the other Kerberos realm (where Apache lies), you can add "ticketCache=c:\my\cache\ticket" to your JAAS config file. Both with useTicketCache=true to achieve single sign-on.

Hope this helps.

wangwja at 2007-7-9 5:07:05
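The two options in the reply above (a JAAS entry with useTicketCache=false that takes a username and password from a callback, or useTicketCache=true pointing at a file cache produced by kinit) can both be driven from code rather than from a login.conf file. The following is an added example, not code from the thread or from the JDK documentation: it builds the Krb5LoginModule configuration programmatically, logs in, and then performs one SPNEGO (Negotiate) round trip against an HTTP URL with the JGSS API, requesting mutual authentication so the client can verify the server's reply token instead of trusting a 200 response alone. It also refuses to start if neither java.security.krb5.conf nor the realm/kdc properties are set, which is the silent fallback to the Windows krb5.ini that derailed this thread. The class name, the JAAS entry name "ApacheRealm", the hostname and user arguments, and the use of java.util.Base64 (Java 8+; an older encoder would be substituted on JDK 6) are assumptions of this example.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NegotiateHttpClient {
    // SPNEGO pseudo-mechanism OID (RFC 4178); the server chooses Kerberos v5 underneath.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // JAAS configuration built in code. ticketCachePath == null means "prompt via the
    // CallbackHandler, ignore every cache" (option 1); otherwise use a kinit file cache (option 2).
    static Configuration jaasConfig(final String ticketCachePath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                if (ticketCachePath == null) {
                    opts.put("useTicketCache", "false"); // do not touch the native (LSA) cache
                    opts.put("doNotPrompt", "false");    // let the CallbackHandler supply creds
                } else {
                    opts.put("useTicketCache", "true");
                    opts.put("ticketCache", ticketCachePath); // explicit file, e.g. from kinit
                    opts.put("doNotPrompt", "true");
                }
                opts.put("debug", "true"); // same as debug=true in login.conf
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // Supplies the principal name and password to Krb5LoginModule. This is what the module
    // actually consults; java.net.Authenticator is not part of a JAAS login.
    static CallbackHandler credentials(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Fails fast instead of silently falling back to the platform krb5.ini.
    static void requireKrb5Settings() {
        boolean haveFile = System.getProperty("java.security.krb5.conf") != null;
        boolean haveProps = System.getProperty("java.security.krb5.realm") != null
                && System.getProperty("java.security.krb5.kdc") != null;
        if (!haveFile && !haveProps)
            throw new IllegalStateException("set -Djava.security.krb5.conf or both krb5.realm and krb5.kdc");
    }

    // One GET with a Negotiate header; returns the HTTP status and requires the server to
    // complete mutual authentication, otherwise the response is treated as untrusted.
    static int fetch(Subject subject, final URL url) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<Integer>() {
            public Integer run() throws Exception {
                GSSManager mgr = GSSManager.getInstance();
                GSSName server = mgr.createName("HTTP@" + url.getHost(), GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(server, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true); // must be set before the first initSecContext
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestProperty("Authorization", "Negotiate " + Base64.getEncoder().encodeToString(token));
                int status = conn.getResponseCode();
                String hdr = conn.getHeaderField("WWW-Authenticate");
                if (hdr != null && hdr.startsWith("Negotiate ")) {
                    byte[] reply = Base64.getDecoder().decode(hdr.substring("Negotiate ".length()).trim());
                    ctx.initSecContext(reply, 0, reply.length); // verifies the server's AP-REP
                }
                if (!ctx.isEstablished()) throw new SecurityException("server did not prove its identity");
                ctx.dispose();
                return status;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        requireKrb5Settings();
        URL url = new URL(args[0]);                       // e.g. http://the-apache-server/secure/
        String cache = args.length > 2 ? args[2] : null;  // optional kinit cache file (option 2)
        char[] pw = cache == null ? System.console().readPassword("Password for %s: ", args[1]) : new char[0];
        LoginContext lc = new LoginContext("ApacheRealm", null, credentials(args[1], pw), jaasConfig(cache));
        lc.login();
        System.out.println("HTTP " + fetch(lc.getSubject(), url));
        lc.logout();
    }
}
```

Run it as `java -Djava.security.krb5.realm=MY_REALM -Djava.security.krb5.kdc=the-apache-server -Dsun.security.krb5.debug=true NegotiateHttpClient http://the-apache-server/ user@MY_REALM`; passing a third argument switches to the file ticket cache described in option 2. Passing the Configuration object to LoginContext means no login.conf and no java.security.auth.login.config property is consulted, so there is one less place for a stale setting to hide; the debug output from -Dsun.security.krb5.debug=true still shows which KDC was contacted.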
# 6
Read your post again. Do you mean Java uses your native cache even if you specify "useTicketCache=false"? That's so strange. It shouldn't use any kind of cache.
wangwja at 2007-7-9 5:07:05
# 7
Thanks for your patience! I already tried solution 1 (see my login.conf file) but it doesn't ask me for the login/password.
Laurent_Grangiera at 2007-7-9 5:07:05
# 8
Can you show your debug output? (specify -Dsun.security.krb5.debug=true)
wangwja at 2007-7-9 5:07:05
# 9

Ooops!!! Sorry! That's so stupid...

My system properties were not set correctly!!!

So I was always using the krb5.ini configuration file from Windows!

Now it works better even if I can not connect to my KDC server (SocketTimeOutException)...

I will go on with my investigation!

Laurent_Grangiera at 2007-7-9 5:07:05