Discussion:
Java sample for SSO using JAAS on XP SP2, did anybody get it to work?
Bajpai, Atul
2005-04-20 14:08:02 UTC
Seema,
All your suggestions have been very helpful and I am able to use JAAS
and GSS-API successfully to do single sign on and get a kerberos ticket
for the currently logged in user on windows as well as linux. What I
also need to do is be able to pass in the userid and password of a user,
to the Krb5LoginModule if possible, to do a "run as". I have been
scouring all the online documentation that I can find for hints. Any
suggestions? Do I need to develop a new login module to do a kerberos
login for a user different from the one logged in? or is it possible to
extend the Krb5LoginModule?


Atul Bajpai
Development Infrastructure


-----Original Message-----
From: Seema Malkani [mailto:Seema.Malkani at sun.com]
Sent: Tuesday, April 05, 2005 5:33 PM
To: Bajpai, Atul
Cc: miika.parvio at NOSPAMtut.fi; jaltman2 at nyc.rr.com; deengert at anl.gov;
kerberos at mit.edu
Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get
it to work?

You can set system properties programmatically via java.lang.System
class :- System.setProperty("javax.security.auth.useSubjectCredsOnly",
"false");

To specify the JAAS Kerberos Login Configuration file, you can use :-
1) System property -Djava.security.auth.login.config
Optionally, you can set it programmatically via :-
System.setProperty("java.security.auth.login.config", "jaas.conf");

2) Java security properties file
Indicate the URL of the configuration file in the security properties
file located at JRE/lib/security/java.security
login.config.url.1=file:C:/jaas.conf

For more information, refer to following websites :-
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html

Seema
Thanks for your response again Seema. I am able to get SSO to work with
J2SE 1.4.2_07. During all this trial and error at some point I had
started building and running against 1.4.2_04 and didn't realise the
folly since I was always able to get a ticket when I provided my userid
and password, when prompted for it. Once I changed back to 1.4.2_07 and
turned the debug flag on, Krb5LoginModule is able to get the principal
from the ticketcache without prompting and eventually I get a Kerberos
ticket back in the Subject. Thanks for all the suggestions. Next step
is to get this code to run on Linux. I also need to specify all the -D
options programmatically. How do I do that? Also is it possible to
eliminate the need for the .conf file and specify, the LoginModule to
be used, programmatically?
thanks
Atul Bajpai
Development Infrastructure
-----Original Message-----
From: Seema Malkani [mailto:Seema.Malkani at sun.com]
Sent: Monday, April 04, 2005 2:29 PM
To: Bajpai, Atul
Cc: miika.parvio at NOSPAMtut.fi; jaltman2 at nyc.rr.com; deengert at anl.gov;
kerberos at mit.edu
Subject: Re: Java sample for SSO using JAAS on XP SP2, did anybody get
it to work?
As per your earlier email, you had mentioned that SSO works correctly
with your "test" account, and you do not get prompted for password. Is
this an issue with another account on the same AD domain?
JAAS Kerberos login module will acquire the native credentials,
provided you have the correct configuration. But if the credential
acquisition fails due to some reason, no credentials will be returned;
and you'll get a message "null credentials from Ticket Cache".
1) Are you using the latest J2SE 1.4.2_07 ?
2) Do you have any file-based ticket cache on your machine ? Check out
any existence of krb5cc_uid in the home dir of the account used.
3) To investigate the failure, please send me a debug output. You can
enable Java Kerberos debugging via -Dsun.security.krb5.debug=true
See my comments below in response to your questions.
Seema
Hi all,
I am using a JAAS sample to try SSO on windows. My problem is When I
use the Krb5LoginModule I am always prompted for a username and
password. I want my app to get the kerberos ticket for the currently
logged in user (which is me) without being prompted for
username/password. To understand the problem I set debug=true and
following is the output I get before I get prompted for username/pwd
===================================
Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
is true principal is null tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
Refreshing Kerberos configuration
Principal is null
null credentials from Ticket Cache
===========================
My question is
1) Does this mean that ticket cache cannot be found hence a ticket
could not be found or just that the ticket cache is empty?
This does not mean that the ticket cache cannot be found. This is
because the credential acquisition failed; this could be due to various
reasons, such as credentials in the ticket cache were invalid, or did
not exist for the requested identity.
2) How do I find out where my ticket cache is and what it has?
You can use Klist.exe tool on Windows to check on the native
credentials.
3) When prompted for username/pwd, if I supply either mine or a test
account username/pwd, my login succeeds and I get back a subject from
the logincontext where I can see a kerberos ticket as part of the
private credentials. What could be the reason for my sample app not
being able to get a kerberos ticket for the currently logged in user
without prompting for username/pwd?
Possibly due to configuration. Please answer the questions above.
Seems like some of you have dealt with JAAS on windows before so I'll
really appreciate any pointers I can get on this.
thanks
-------------------------------------------------------------------------------------------------
-------------------------

CONFIDENTIALITY AND SECURITY NOTICE

This e-mail contains information that may be confidential and
proprietary. It is to be read and used solely by the intended recipient(s).
Citadel and its affiliates retain all proprietary rights they may have in the
information. If you are not an intended recipient, please notify us
immediately either by reply e-mail or by telephone at 312-395-2100
and delete this e-mail (including any attachments hereto) immediately
without reading, disseminating, distributing or copying. We cannot give
any assurances that this e-mail and any attachments are free of viruses
and other harmful code. Citadel reserves the right to monitor, intercept
and block all communications involving its computer systems.
Seema Malkani
2005-04-22 23:10:04 UTC
The LoginModule invokes a CallbackHandler to perform the user interaction and obtain the requested information, such as the user name and password. The JAAS LoginContext allows the application to specify a callback handler that the underlying login modules use to interact with users. There are two callback handlers available in J2SE - one based on the command line and another based on a GUI.

Here is an example:
LoginContext lc = new LoginContext("client", new TextCallbackHandler());

The Krb5LoginModule will use the specified CallbackHandler to interact with the user and obtain username/password. The CallbackHandler implementation decides how to retrieve the information depending on the callbacks passed to it.

For further details refer to the J2SE javadocs on
javax.security.auth.callback.CallbackHandler
http://java.sun.com/j2se/1.5.0/docs/api/index.html

Seema
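The following is an added example, not code from this thread or from Sun's documentation, that puts the two replies together: the April 5 reply (system properties and the login configuration set programmatically, so no jaas.conf file is needed) and the reply above (a CallbackHandler that answers the Krb5LoginModule's NameCallback/PasswordCallback with caller-supplied values, which is the "run as" case). The class name, the two entry names "sso" and "runas", and the handler class are my own choices; it assumes a Java 5 or later JDK and that the realm and KDC are already known from krb5.conf or the java.security.krb5.realm/java.security.krb5.kdc properties.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (hypothetical class): two Krb5LoginModule login paths with
 * no jaas.conf file.
 *   "sso"   - reuse the native ticket cache of the logged-in user, never prompt
 *   "runas" - log in as another principal with a username/password supplied
 *             by the caller through a CallbackHandler
 */
public class KerberosRunAs {

    static final String SSO_ENTRY = "sso";     // hypothetical entry names
    static final String RUNAS_ENTRY = "runas";
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Programmatic replacement for the jaas.conf file. */
    static final class KrbConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("debug", "true");                 // same output as debug=true in a .conf entry
            if (SSO_ENTRY.equals(name)) {
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");       // fail instead of prompting if the cache has nothing
            } else if (RUNAS_ENTRY.equals(name)) {
                opts.put("useTicketCache", "false");   // never pick up the logged-in user's ticket
                opts.put("storeKey", "false");
                opts.put("clearPass", "true");         // drop the password from shared state after login
            } else {
                return null;                           // unknown entry: LoginContext throws LoginException
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Answers NameCallback/PasswordCallback from caller-supplied values instead of the console. */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentialsHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password callbacks are handled");
                }
            }
        }
    }

    /** Single sign-on: ticket of the currently logged-in user, no handler, so no prompt is possible. */
    static Subject loginCurrentUser() throws LoginException {
        LoginContext lc = new LoginContext(SSO_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /** "Run as": Kerberos login for a different user with an explicit password. */
    static Subject loginAs(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(RUNAS_ENTRY, new FixedCredentialsHandler(user, password));
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0');               // the caller's copy is no longer needed
        }
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // The -D options from the thread, set in code instead of on the command line.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "true");
        Configuration.setConfiguration(new KrbConfig());

        Subject me = loginCurrentUser();
        System.out.println("SSO principals: " + me.getPrincipals());

        if (args.length == 1 && System.console() != null) {
            char[] pw = System.console().readPassword("Password for %s: ", args[0]);
            Subject other = loginAs(args[0], pw);
            System.out.println("Run-as principals: " + other.getPrincipals());
        }
    }
}
```

Each Subject carries the Kerberos ticket in its private credentials, so work that must use the other user's identity goes through Subject.doAs(other, action); with useSubjectCredsOnly=false the GSS-API layer can still fall back to the native cache for the SSO case. Setting doNotPrompt=true on the SSO entry is the check a practitioner wants: the "null credentials from Ticket Cache" condition discussed earlier in the thread then surfaces as a LoginException rather than an unexpected username/password prompt.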