Wednesday, April 23, 2014

Kerberos Java Client: Adding Multi user support

I've written two blog posts on Kerberos client connections from Java using the JCraft library.
In those posts I only supported a single user, because the login configuration came from a static file (jaas.conf).

To allow multi-user support, you have to provide the login configuration to Java programmatically, instead of pointing the JVM at a file through a system property.
To do this we need a configuration object that carries the same settings that were in the login.conf file. We create that object by extending the javax.security.auth.login.Configuration class.

Here's an example Java class.

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;

public class JaaSConfiguration extends javax.security.auth.login.Configuration {

    private final Map<String, String> USER_KERBEROS_OPTIONS = new HashMap<String, String>();

    private final String ticketCache;

    private final AppConfigurationEntry USER_KERBEROS_LOGIN;

    private final AppConfigurationEntry[] SIMPLE_CONF;

    // provide the ticket cache location of the user in the constructor
    public JaaSConfiguration(String ticketCache) {
        this.ticketCache = ticketCache;
        System.out.println("TicketCache: " + ticketCache);
        init();
        // build the login module entry only after the options map is filled
        USER_KERBEROS_LOGIN = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                USER_KERBEROS_OPTIONS);
        SIMPLE_CONF = new AppConfigurationEntry[] { USER_KERBEROS_LOGIN };
    }

    private void init() {
        USER_KERBEROS_OPTIONS.put("useDefaultCache", "true");  // not a documented Krb5LoginModule option; the module ignores it
        USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");      // fail instead of prompting for a password
        USER_KERBEROS_OPTIONS.put("useTicketCache", "true");   // take the TGT from a credential cache
        USER_KERBEROS_OPTIONS.put("debug", "true");            // module diagnostics on stdout; turn off in production
        USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache); // this user's cache file
        USER_KERBEROS_OPTIONS.put("renewTGT", "true");
    }

    // the same single entry is returned whatever application name is asked for
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return SIMPLE_CONF;
    }
}

Now that you have the extended class, you have to tell Java where to look for the login configuration before you start the session (instead of setting it as a system property):


javax.security.auth.login.Configuration.setConfiguration(new JaaSConfiguration(ticketCache));

Notice that the constructor takes the ticket cache location of each user.

After that you are good to go.
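As an added example that is not part of the original post (hypothetical class name, constructed cache paths): Configuration.setConfiguration is JVM-wide, so installing a fresh JaaSConfiguration per user would let the next user's login overwrite the previous one. This goes a step beyond the post's single-entry class by holding one entry per user and letting the name passed to LoginContext select the ticket cache.

```java
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Hypothetical class: one Configuration, installed once, with an entry per user.
// The name handed to LoginContext selects which user's ticket cache is used.
public class MultiUserJaasConfiguration extends Configuration {
    private final Map<String, AppConfigurationEntry[]> entries = new ConcurrentHashMap<>();

    public void registerUser(String name, String ticketCache) {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "true");   // read the TGT from a credential cache
        options.put("ticketCache", ticketCache); // this user's cache file
        options.put("doNotPrompt", "true");      // fail rather than prompt for a password
        options.put("renewTGT", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        entries.put(name, new AppConfigurationEntry[] { entry });
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // null for an unregistered name makes LoginContext fail instead of
        // silently logging in with somebody else's cache
        return entries.get(name);
    }

    public static void main(String[] args) throws Exception {
        MultiUserJaasConfiguration conf = new MultiUserJaasConfiguration();
        conf.registerUser("alice", "/tmp/krb5cc_alice"); // constructed paths for the example
        conf.registerUser("bob", "/tmp/krb5cc_bob");
        Configuration.setConfiguration(conf); // JVM-wide, so install it once, not per user
        LoginContext lc = new LoginContext("alice"); // picks alice's cache, unaffected by bob's
        lc.login();
        System.out.println("Logged in as: " + lc.getSubject().getPrincipals());
        Subject.doAs(lc.getSubject(), (PrivilegedAction<Void>) () -> {
            // run the JSch/GSSAPI session here; it sees only alice's credentials
            return null;
        });
        lc.logout();
    }
}
```

Each cache file should be readable only by the account running the JVM, since whoever can read it can use that user's TGT.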
