Karsten Spang

Reputation: 321

How does GSSManager.createCredential get the Kerberos key and TGT?

I have the following scenario: I have a server that runs inside an Oracle database (with Java SE 6) that connects to a web service, using the Apache HTTP client (in Java). The web service needs to be protected using Kerberos, i.e. with SPNEGO authentication.

My server has a Kerberos principal, with a random key exported to a keytab, and then imported into a database table. So I have a KerberosPrincipal with a number of associated KerberosKey objects (one for each encryption method), all that information I have collected in a Subject.

I expect that the next step is to contact the KDC in order to get the TGT and store it in the Subject. How do I do that? All the documentation I have found on this assumes that this happens in a login module, but there is no login in my scenario. Or will one of the below call the KDC for me?

Now I need to call GSSManager.createCredential to create a GSSCredential which I can wrap into a KerberosCredentials and a BasicCredentialsProvider that I can add to the HttpClientContext, so the HttpClient can do the SPNEGO authentication.

But how do I get info in my Subject into the GSSCredential?

Upvotes: 1

Views: 2192

Answers (1)

Karsten Spang

Reputation: 321

After digging around the web for about a week, I finally found the answer here. Snippet from that doc:

  1. The application invokes a JAAS login, which in turn invokes the configured Krb5LoginModule
  2. Krb5LoginModule obtains a TGT (KerberosTicket) for the user either from the KDC or from an existing ticket cache, and stores this TGT in the private credentials set of a Subject
  3. The application retrieves the populated Subject, then calls Subject.doAs/doAsPrivileged which places this Subject on the access control context of the thread executing ClientAction
  4. ClientAction calls the GSSManager.createCredential method, passing it the Kerberos V5 OID in desiredMechs.
  5. GSSManager.createCredential invokes the Kerberos V5 GSS-API provider, asking for a Kerberos credential for initiating security contexts.
  6. The Kerberos provider obtains the Subject from the current access control context, and searches through its private credential set for a valid KerberosTicket that represents the TGT for the user.
  7. The KerberosTicket is returned to the GSSManager which stores it in a GSSCredential container instance to be returned to the caller.

Upvotes: 3
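The seven quoted steps in code, as an added example that is not part of the question or answer: a JAAS login with Krb5LoginModule configured programmatically, then GSSManager.createCredential under Subject.doAs, wrapped into KerberosCredentials for HttpClient. It assumes Apache HttpClient 4.4 or later (for KerberosCredentials) and that the key is read from a keytab file on disk rather than from the database table described in the question; the principal name and keytab path are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
public class SpnegoCredentialExample {
    static final String PRINCIPAL = "svc-dbclient@EXAMPLE.ORG";  // placeholder client principal
    static final String KEYTAB = "/path/to/svc-dbclient.keytab"; // placeholder keytab path
    static Subject loginFromKeytab() throws Exception { // steps 1-2: JAAS login, no jaas.conf file
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("principal", PRINCIPAL);
                opts.put("storeKey", "true");    // also keep the KerberosKey objects in the Subject
                opts.put("doNotPrompt", "true"); // fail instead of prompting for a password
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("krb5-client", null, null, config);
        lc.login();             // Krb5LoginModule obtains the TGT from the KDC
        return lc.getSubject(); // the TGT now sits in the Subject's private credentials
    }
    public static HttpClientContext spnegoContext(Subject subject) throws Exception { // steps 3-7
        GSSCredential cred = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws Exception { // only under doAs is the TGT visible
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
                return GSSManager.getInstance().createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, krb5Mech, GSSCredential.INITIATE_ONLY);
            }
        });
        BasicCredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(AuthScope.ANY, new KerberosCredentials(cred));
        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(provider); // HttpClient presents cred via SPNEGO
        return context;
    }
}
```

The HttpClient itself still needs SPNegoSchemeFactory registered under AuthSchemes.SPNEGO in its auth scheme registry, and the keytab file should be readable only by the account running the JVM.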
