Kerberos Auth with JAAS and multiple realms
All,

Can anybody provide advice on how to use the JAAS LoginContext to do an authentication against multiple KDC/realm combinations? In other words, if attempt 1 fails against realm A, try realm B.

Something like the pseudo-code below.

As always, any help is greatly appreciated.


[realms]   
  some.address.for.auth.one  
  {  
     kdc = some.address.one  
  }  

  some.address.for.auth.two  
  {  
     kdc = some.address.two  
  }  

boolean loginSuccess = false;

try
{
   LoginContext lc = new LoginContext(...);
   //Try Realm 1
   lc.login();
   loginSuccess = true;
}
catch(LoginException le)
{
  try
  {
     LoginContext lc2 = new LoginContext(...);
     //Try Realm 2
     lc2.login();
     loginSuccess = true;
  }
  catch(LoginException le2)   // must not reuse the name "le": the outer catch variable is still in scope
  {
     //...
  }
}

return loginSuccess;
Delao answered 29/11, 2012 at 13:32 Comment(3)
Did you actually try your code?Spireme
You mean the pseudo code above? No, but I've run several variations. I may not fully understand, but it looks like the krb plugin uses either System.setProperty(..), which will break things if there are two instances, or if pointed at the krb5.conf file it only attempts to auth to the default realm.Delao
You cannot authenticate to multiple realms directly because your keytab is bound to one realm. You can though request a TGT for a different realm from your realm. So there is no need to create two login contexts.Spireme

It's possible. For example you could have each configuration in separate files and then at the beginning of each try pass Java paths to krb5.ini and login.conf files:

boolean loginSuccess = false;

try
{
   // Backslashes must be escaped in Java string literals ("\k" is not a valid escape)
   System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf1\\krb5.ini");
   System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf1\\login.conf");
   // in login.conf you can have defined path to keytab for this configuration

   LoginContext lc = new LoginContext(...);
   //Try Realm 1
   lc.login();
   loginSuccess = true;
}
catch(LoginException le)
{
  try
  {
     System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf2\\krb5.ini");
     System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf2\\login.conf");
     // in login.conf you can have defined path to keytab for this configuration
     // The JAAS Configuration was already loaded from conf1 by the first attempt; force it
     // to re-read the new path. Likewise, Krb5LoginModule only re-reads krb5.ini when its
     // login.conf entry sets refreshKrb5Config=true.
     javax.security.auth.login.Configuration.getConfiguration().refresh();

     LoginContext lc2 = new LoginContext(...);
     //Try Realm 2
     lc2.login();
     loginSuccess = true;
  }
  catch(LoginException le2)   // a second "le" would not compile: the outer catch variable is in scope
  {
     //...
  }
}

return loginSuccess;

Those two system properties are described here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html and http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

Another possibility could be configuration without files. There's a LoginContext constructor which takes CallbackHandler (here you pass username and password), and Configuration (here you pass parameters which you have in login.conf). Kdc and realm can be passed in System properties java.security.krb5.realm and java.security.krb5.kdc

http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.Subject-javax.security.auth.callback.CallbackHandler-javax.security.auth.login.Configuration-

Fanelli answered 7/4, 2014 at 18:27 Comment(0)
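The second, file-less approach in the answer above, worked through as an added example (this is not the answer author's code and not part of the original thread). It builds the Krb5LoginModule entry as an in-memory Configuration, feeds user name and password through a CallbackHandler, and walks an ordered list of KDC/realm pairs, switching java.security.krb5.realm and java.security.krb5.kdc before each attempt. The realm names, KDC host names and the user "alice" are assumed example values. Two caveats a practitioner should keep in mind: the krb5 system properties are JVM-global, so concurrent logins must be serialized (the lock below) or the attempts will interleave; and every attempt performs AS-REQ preauthentication with a key derived from the user's password, so whatever host the kdc property names receives material that can be brute-forced offline. The fallback list should therefore be a fixed set of KDCs you trust, never something derived from untrusted input.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Password login tried against several realms in order; no krb5.ini or login.conf needed. */
public class MultiRealmLogin {

    /** One KDC/realm pair to try (hypothetical holder class, not a JAAS type). */
    static final class Realm {
        final String name;
        final String kdc;
        Realm(String name, String kdc) { this.name = name; this.kdc = kdc; }
    }

    /** Ordered fallback list. Assumed example values; keep this list fixed and trusted. */
    static final List<Realm> REALMS = List.of(
        new Realm("AUTH.ONE.EXAMPLE", "kdc.one.example"),
        new Realm("AUTH.TWO.EXAMPLE", "kdc.two.example"));

    /** java.security.krb5.* are JVM-global, so attempts from different threads must not interleave. */
    private static final Object KRB_LOCK = new Object();

    /** Equivalent of a login.conf entry for Krb5LoginModule, built in code. */
    static Configuration passwordConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false");   // authenticate freshly, do not reuse a cached TGT
        opts.put("doNotPrompt", "false");      // the password comes from our CallbackHandler
        opts.put("storeKey", "false");         // do not keep the long-term key in the Subject
        opts.put("refreshKrb5Config", "true"); // re-read the krb5 realm/kdc settings on every login()
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Answers Krb5LoginModule's name/password prompts with user@REALM and the given password. */
    static CallbackHandler credentials(String user, String realm, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user + "@" + realm);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Tries each realm in order and returns the authenticated Subject, or null if all fail. */
    static Subject login(String user, char[] password) {
        synchronized (KRB_LOCK) {
            for (Realm r : REALMS) {
                // Both properties must be set together; with refreshKrb5Config=true the
                // login module picks them up on this attempt rather than on first use only.
                System.setProperty("java.security.krb5.realm", r.name);
                System.setProperty("java.security.krb5.kdc", r.kdc);
                try {
                    LoginContext lc = new LoginContext("MultiRealm", new Subject(),
                        credentials(user, r.name, password), passwordConfig());
                    lc.login();
                    return lc.getSubject();
                } catch (LoginException le) {
                    // A wrong password and an unreachable KDC both land here; log the
                    // cause so operators can tell the two apart before blaming the fallback.
                    System.err.println("Login to " + r.name + " failed: " + le.getMessage());
                }
            }
            return null;
        }
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "alice";   // assumed example user
        char[] pw = System.console() != null
            ? System.console().readPassword("Password for %s: ", user)
            : new char[0];
        Subject s = login(user, pw);
        Arrays.fill(pw, '\0');   // scrub the password once the attempts are over
        System.out.println(s == null
            ? "authentication failed in all realms"
            : "authenticated principals: " + s.getPrincipals());
    }
}
```

Run it as `java MultiRealmLogin alice` on Java 9 or later (List.of). Because each failed attempt is reported on stderr with the module's message, a "wrong password" answer from realm one is visible and not silently masked by a second attempt against realm two.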