How to pass a Kerberos ticket at the API level?
Hi,
I am relatively new to the domain of Java Security, JAAS and JGSS. After reading the tutorials and examples, I was able to do authentication and message transfer using the Kerberos LoginModule. All the examples demonstrate message transfer and credential passing at the socket level.
But in normal scenarios a server application exposes its APIs and the clients invoke remote methods on the server instead of sending data at the socket level.
My question is: can I use Kerberos and JGSS to pass a security context at the API level without adding an argument for the security context to each API call?
In simple terms, is it possible to implicitly pass user credentials to the server at each API call instead of exchanging/encrypting data at the socket level?
Is there any other mechanism that meets this kind of requirement?
Thanks,
Kapil
Using JAAS and GSS is to authenticate your logged-in information against LDAP; this is the way to authenticate against the Windows login. In a simple way, by using JAAS + GSS you are authenticating against the currently logged-in information, i.e. the Windows credential, against LDAP.
If you need to pass Kerberos credentials to the server, you need to delegate credentials.
Ensure you have a valid forwardable TGT, and enable delegation at the client end:
    context.requestCredDeleg(true);
At the server end you can obtain the delegated credential after the GSS context has been established:
    context.getDelegCred();
Seema
Seema, could you please elaborate on how the GSS context is established?
The examples show that the context is established after a series of messages passed between client and server inside a while loop:
    // Loop until the local context reports establishment; each iteration may
    // produce a token to send and may need to read one from the peer.
    while (!peerContext.isEstablished()) {
        byteToken = peerContext.initSecContext(byteToken, 0, byteToken.length);
        if (byteToken != null) {
            // Send the generated token to the peer, length-prefixed.
            outStream.writeInt(byteToken.length);
            outStream.write(byteToken);
            outStream.flush();
        }
        if (!peerContext.isEstablished()) {
            // Read the peer's reply token for the next round.
            byteToken = new byte[inStream.readInt()];
            inStream.readFully(byteToken);
        }
    }
Is there any other way to establish a GSS context?
Thanks & Regards,
Kapil
The GSS client and server do need to exchange tokens in order to establish a security context, as per the GSSAPI specification. This is required to achieve successful authentication.
GSSAPI generates tokens; it is the application's responsibility to send the tokens to the peer. The application can decide how to send the tokens to the peer.
You can refer to RFC 2853 for details.
Seema
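To tie the two points above together (delegation via requestCredDeleg/getDelegCred, and the application itself carrying the tokens), here is an added example that is not code from this thread: it runs both halves of the JGSS handshake in one process and hands the tokens across as plain byte arrays, then wraps a per-call payload under the established context. It assumes both sides are already logged in through Krb5LoginModule (for example inside Subject.doAs, with a forwardable TGT on the client and a keytab on the service); the service name host@server.example.com and the payload are placeholders.

```java
import org.ietf.jgss.*;
import java.nio.charset.StandardCharsets;

public class InProcessGssHandshake {
    // Placeholder service principal; the host name is hypothetical.
    static final String SERVICE = "host@server.example.com";

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        // Initiator: request mutual auth, integrity and credential delegation.
        GSSName target = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext client = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        client.requestMutualAuth(true);
        client.requestCredDeleg(true); // honoured only if the client's TGT is forwardable
        client.requestInteg(true);
        // Acceptor: the service's own credential, obtained from its keytab login.
        GSSCredential serverCred = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        GSSContext server = mgr.createContext(serverCred);
        // Token exchange: tokens are opaque byte[] handed over in memory here, but they could
        // equally ride in an RPC header, an HTTP header or a CORBA service context.
        byte[] token = new byte[0];
        while (!client.isEstablished()) {
            token = client.initSecContext(token, 0, token.length);
            if (token != null && !server.isEstablished()) {
                token = server.acceptSecContext(token, 0, token.length);
            }
        }
        if (!server.isEstablished()) throw new GSSException(GSSException.FAILURE);
        System.out.println("Authenticated caller: " + server.getSrcName());
        // A delegated credential is present only if the client asked and its TGT was forwardable.
        if (server.getCredDelegState()) {
            GSSCredential delegated = server.getDelegCred();
            System.out.println("Delegated: " + delegated.getName() + ", lifetime left (s): " + delegated.getRemainingLifetime());
            delegated.dispose(); // a real service would use it as initiator credential towards a backend
        } else {
            System.out.println("No delegated credential (TGT not forwardable or delegation refused)");
        }
        // Per-call protection: wrap each API payload under the established context, so the
        // protected bytes accompany the method invocation rather than an encrypted socket stream.
        MessageProp prop = new MessageProp(0, false); // integrity only, no privacy
        byte[] call = "invokeOrder(42)".getBytes(StandardCharsets.UTF_8); // constructed payload
        byte[] wrapped = client.wrap(call, 0, call.length, prop);
        byte[] seen = server.unwrap(wrapped, 0, wrapped.length, prop);
        System.out.println("Server received: " + new String(seen, StandardCharsets.UTF_8));
        client.dispose(); server.dispose();
    }
}
```

In a real deployment the two halves live in different JVMs, and the transport of `token` and `wrapped` is exactly the hook point (CORBA interceptor, Axis handler, RPC header) where the credential can be attached without adding a parameter to every API method.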
kapilgupta77, you need to investigate your application protocol/API for a means to do this transparently. For example, in CORBA, custom hooks (interceptors) can be installed to transparently attach a credential to a method invocation. The same is true for Axis (handlers).