What purpose has Java GSS? What do I need it for, SSO?
Hey,
I am working on a single sign-on solution for smart clients (written in Java). Kerberos authentication with JAAS works fine, but what is the Java GSS API for? According to some tutorials like "Single Sign-on Using Kerberos in Java", it is supposed to be executed in the Subject's doAs method.
I thought it's enough if I execute my actual application in the doAs method, because authentication has already taken place at this point!
Secondly, I am not quite sure what sense the client/server classes have. Is the client class the application I want to start with SSO and the server class the one that the client asks for authentication?
Does the server class have to run on my Win2k server where the AD is?
Sorry for this newbie question, but I am really wondering if I need this and if yes, what do I need it for!
Thanks!
# 1
You can think of GSS as a standard API for a variety of security mechanisms, Kerberos being the most popular. Kerberos does not have a standard API -- Microsoft's AD has one, MIT has a different one, etc. GSS-API serves as the standard across these implementations.
This is also why SPNEGO is based on the GSS API concepts.
JAAS is the framework for authentication & authorization, GSS API is an API for the specific mechanism being used to, for example, verify credentials.
# 2
Alright, now I know what I actually can do with GSS. We have Java apps loaded by Java Web Start, so the client opens a GSS connection to the server to authenticate itself, which enables SSO.
My problem is the server side:
serverName = manager.createName("serverPrinc@mycompany.org", GSSName.NT_USER_NAME);
serverCreds = manager.createCredential(serverName, GSSCredential.INDEFINITE_LIFETIME,
new Oid("1.2.840.113554.1.2.2"), GSSCredential.ACCEPT_ONLY);
results in:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at org.germanlloyd.fw1.sso.server.SSOServerImpl.run(SSOServerImpl.java:80)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.germanlloyd.fw1.sso.server.TestAppServer.main(TestAppServer.java:28)
There seems to be a connection between my user's credentials and GSSCredential.ACCEPT_ONLY! If I use GSSCredential.INITIATE_ONLY, the error does not occur and I can see the credentials (but since this is the server, I get GSSException: 1.2.840.113554.1.2.2 usage: Accept). Using GSSName.NT_HOSTBASED_SERVICE has no effect.
My server principal is an ordinary standard user in Active Directory; might this be the problem, that credentials are returned that are not valid for the acceptor?
It would be very nice to get some help as I'm not really sure if the error comes from my or the AD side!
(I am using the tutorials at http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html and http://www-128.ibm.com/developerworks/java/library/j-gss-sso/)
# 3
It works! Googling helps (sometimes) in this context: http://swjscmail1.java.sun.com/cgi-bin/wa?A2=ind0109&L=java-security&D=1&T=0&F=&S=&P=9524, the option storeKey=true is needed in the jaas.conf to store the server's key in the Subject. BTW, closing the socket in the server side is not a bad idea either...
Anyways, when is single sign-on really achieved, i.e. what do I do if Subject.doAs returns a valid GSSContext? Starting the actual application?
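As an added example (not code from the thread or from any of its posters), here is the acceptor side that posts #2 and #3 describe, written in modern Java: a jaas.conf entry with storeKey=true, the ACCEPT_ONLY credential created inside Subject.doAs, and the token loop up to the point where the client's Kerberos identity is available. The login entry name, keytab path, principal and port are placeholders.

```java
// Added example, not code from the thread: acceptor side of the exchange in
// posts #2 and #3. Assumes this hypothetical jaas.conf entry and a keytab:
//   SSOServer {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true keyTab="/etc/sso/server.keytab"
//       principal="serverPrinc@MYCOMPANY.ORG"
//       storeKey=true;   // without this the acceptor fails with
//   };                   // "Failed to find any Kerberos Key" (post #2)
import java.io.*;
import java.net.*;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SsoAcceptor {
    public static void main(String[] args) throws Exception {
        // Log the service itself in; with storeKey=true the Subject now
        // carries the long-term key that an ACCEPT_ONLY credential requires.
        LoginContext lc = new LoginContext("SSOServer");
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            GSSCredential serverCreds = manager.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
            try (ServerSocket ss = new ServerSocket(4444);
                 Socket s = ss.accept();
                 DataInputStream in = new DataInputStream(s.getInputStream());
                 DataOutputStream out = new DataOutputStream(s.getOutputStream())) {
                GSSContext ctx = manager.createContext(serverCreds);
                // Token loop: each client token goes into acceptSecContext and
                // any reply token goes back, until the context is established.
                while (!ctx.isEstablished()) {
                    byte[] token = new byte[in.readInt()];
                    in.readFully(token);
                    token = ctx.acceptSecContext(token, 0, token.length);
                    if (token != null) { out.writeInt(token.length); out.write(token); out.flush(); }
                }
                // SSO is achieved here: the peer is authenticated by Kerberos and
                // its principal is known, without any password crossing the wire.
                System.out.println("Authenticated client: " + ctx.getSrcName());
                ctx.dispose();
            }
            return null;
        });
    }
}
```

Once isEstablished() is true, the application only needs to map ctx.getSrcName() to its own user model; a context that never becomes established (or whose source name is not the expected principal) should be treated as an authentication failure and logged.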