Friday, June 1, 2007

Authentication using JAAS and Kerberos



Many organizations use Kerberos for authentication, and JAAS supports Kerberos for authenticating users. Here is a step-by-step approach to Kerberos authentication with JAAS. I am not going to talk about the Kerberos server or its installation; this is all about authentication. The steps are listed below.

-Djava.security.krb5.conf=krb5.conf
-Djava.security.auth.login.config=$FILE-PATH\kerberoscontext.conf -Djava.security.krb5.realm=ABC.NET
-Djava.security.krb5.kdc=ABC.XYZ.NET

The above configurations are required and I will explain each one of them.

1. Create a file krb5.conf with the following contents.
Place this file in JAVA_HOME/jre/lib/security. This is what the configuration -Djava.security.krb5.conf=krb5.conf refers to, so no file path is needed.


[libdefaults]
default_realm = ABC.NET
dns_lookup_kdc = true

[domain_realm]
.abc.net = ABC.NET


You need to get this information from your organization's Kerberos management team or administrators: you need to know the Kerberos REALM and the Kerberos KDC.

2. Create a Kerberos login module configuration file (kerberoscontext.conf). Place this file anywhere you like, but you need to give its absolute file path in this configuration parameter: -Djava.security.auth.login.config=$FILE-PATH\kerberoscontext.conf . This file is a JAAS requirement.


Kerberos5LoginModule {
com.sun.security.auth.module.Krb5LoginModule required debug="true"
};

One can add more parameters depending on the needs. The entry above is the minimum requirement.

3. Now you need to develop a Security Service or Manager that authenticates based on the user input (user and password). You can find the complete code here: AuthenticationService.

4. You also need to develop a Login Module Adapter. This decouples the Authentication Service from the type of authentication (Kerberos, NT, AD, Unix, etc.). This is important even if you already know which type of authentication you are going to use, and this kind of design matters especially in Agile development, where a developer adds code and functionality incrementally: adding functionality will certainly add code, but adding code does not necessarily add functionality to the application. Check the code for the Login Module Adapter: KerberosLoginModuleAdapter.


5. AuthenticationService is an implementation of IAuthenticationService. This interface has a method authenticate(user, password), which needs to be implemented. Once the user is authenticated, the necessary data is captured in a User object (for example, IUser). This object can then be used within the application as needed.

6. Develop a test program to test authentication. Pass the above -D parameters as VM parameters to the test program.
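As an added example (not the post's own AuthenticationService or adapter code), here is a minimal service that drives Krb5LoginModule through a JAAS LoginContext with a CallbackHandler supplying the user name and password, then pulls the authenticated principal out of the Subject. The class name, the principal-name return value and the console-based main are my own choices; it assumes the -D parameters above are set and that the login context name matches the entry in kerberoscontext.conf.

```java
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosAuthenticationService {
    // Must match the entry name in kerberoscontext.conf (step 2).
    private static final String LOGIN_CONTEXT = "Kerberos5LoginModule";

    /** Authenticates user/password against the KDC; returns the Kerberos principal name. */
    public String authenticate(String user, char[] password) throws LoginException {
        // Krb5LoginModule asks for the name and password through these two callbacks.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unexpected callback");
                }
            }
        };
        LoginContext lc = new LoginContext(LOGIN_CONTEXT, handler);
        try {
            lc.login();                        // obtains a TGT; throws LoginException on failure
            Subject subject = lc.getSubject();
            Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
            if (principals.isEmpty()) {
                throw new LoginException("No Kerberos principal in authenticated Subject");
            }
            return principals.iterator().next().getName();   // e.g. "alice@ABC.NET" (constructed)
        } finally {
            Arrays.fill(password, '\0');       // do not keep the cleartext password in memory
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: java -D<properties above> KerberosAuthenticationService <user>");
            System.exit(2);
        }
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println("Authenticated as " + new KerberosAuthenticationService().authenticate(args[0], pw));
    }
}
```

Note that a password-only Krb5LoginModule login proves the password by obtaining a TGT from the KDC but does not verify that TGT against a service key of your own, so it is client-side credential checking rather than protection against a spoofed KDC.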

