kerberos - Using Java 8 S4U2Proxy - A good example needed -

-

i trying use s4u2proxy introduced in java 8. unfortunately not successfull in finding many examples. requirement client send certificate. should delegate (using kerberos) request, connect kdc, tgt, service ticket contact server on user's behalf , contact actual service providing service ticket. if java 8 not provide clean approach, can pls point me other utilities might solve requirement.

subject.doas(subject, new privilegedaction<object>() {         @override         public object run() {             gssmanager manager = gssmanager.getinstance();             gsscredential self  = null;             try {                 gssname selfuser = manager.createname("servicewhowantstoimpersonate", gssname.nt_user_name);                 oid krb5oid = new oid( "1.2.840.113554.1.2.2");                 self = manager.createcredential(selfuser.canonicalize(krb5oid), gsscredential.default_lifetime, krb5oid, gsscredential.initiate_only);                 gssname user = manager.createname(clientname, gssname.nt_user_name);                 gsscredential impcred = ((extendedgsscredential) self).impersonate(user);             } catch (gssexception e) {                 e.printstacktrace();             }              return null;         }     });

obviously there questions how spn has been set in kdc? whether service account authorized delegation? has right spn been assigned service account? when user "monkey" denies sort of delegation? etc etc. right feel have made right settings in kdc. problem above occurs before hits kdc. valid inputs help.

edit: after reasearch, able perform s4u2self , s4u2proxy using java 8. surpised atleast 1 example should have been provided oracle documentation. anyhow, moving next stage. scenario have handle cross-domain kerberos certificate delegation. java 8 documentation have seen far, infers cross-realm not supported. still true?

i have built complete standalone demonstration application kerberos sfu extensions features in java 8: https://github.com/ymartin59/java-kerberos-sfudemo

here short code snippet allows generate spnego token tgs ticket impersonated user:

gssmanager manager = gssmanager.getinstance(); gssname username = manager.createname("targetuser", gssname.nt_user_name); gsscredential impersonatedusercreds =   ((extendedgsscredential)servicecredentials).impersonate(username);  final oid krb5_principal_oid = new oid("1.2.840.113554.1.2.2.1"); gssname serviceprincipal =   manager.createname("http/webservice-host.domain.ltd", krb5_principal_oid); extendedgsscontext extendedcontext =   (extendedgsscontext) manager.createcontext(serviceprincipal,                                              new oid("1.3.6.1.5.5.2"),                                              impersonatedusercreds,                                              gsscontext.default_lifetime); final byte[] token = extendedcontext.initseccontext(new byte[0], 0, 0);

beware extendedcontext not established yet. multiple rounds server may required.

java 8 kerberos code not support cross-realm impersonation yet: refer jdk-8005819

the java service account may hosted in 1 realm , code can target service in realm far realm explicitely appended spn, http/webservice-host.otherdomain.ltd@otherdomain.ltd

the same way users known in other realm, should append login name in method createname("targetuser@otherdomain.ltd", gssname.nt_user_name)


Comments

Post a Comment

Popular posts from this blog

How has firefox/gecko HTML+CSS rendering changed in version 38? -

-
i have a little website header no longer renders correctly, since updating firefox 38.0.5 [the faceplant logo missing top right, , main logo no longer centred]. still renders expected in other browsers. how has engine's rendering changed in update? according mdn , list of changes is: css support ruby-position , ruby-align have been added , available default ( bug 1055676 , bug 1123917 , bug 1039006 ). the :unresolved pseudo-class has been implemented custom elements ( bug 1111633 ). the predefined style ethiopic-numeric uses space, instead of dot, suffix match recent change spec ( bug 1120721 ). css transitions on generated content (with ::before , ::after ) on both inline , block splits them start expected specification ( bug 1110277 ). the implementation of css logical properties made big progress. [...] how css transitions start has been modified match recent change of specifications, aiming @ having interoperable behavio
Read more

javascript - Complex json ng-repeat -

-
i try ng-repeat on object, tried several times still stuck. if have idea, , if it's possible share tips kind of situation. [ { "abonnement": { "id": "1", "nom": "bas prix", "tarif": "2.49", "communication": "2h de communication", "vers": "vers fixes et mobiles", "zone": "zone nationale" } }, { "abonnement": { "id": "2", "nom": "national", "tarif": "9.99", "communication": "t\u00e9l\u00e9phonie et sms illimit\u00e9s", "vers": "vers fixes et mobiles", "zone": "zone nationale" } }, { "abonnement": { "id": "3", "nom": "euro", "tarif&
Read more

jquery - Cloning of rows and columns from the old table into the new with colSpan and rowSpan -

-
i using clone jquery. necessary clone gray area in new table. problem cloned rows , columns can has rowspan , colspan. the gray area intersection data-fix-cols , data-fix-rows. my solution not work: <table id="old-table" data-fix-cols='3' data-fix-rows='4'> <tbody> <tr> <td class="gray">clone me</td> <td colspan="2" rowspan="2" class="gray">clone me</td> <td>ashgabat</td> <td>barcelona</td> <td>berlin</td> </tr> <tr> <td rowspan="3" class="gray">clone me</td> <td>bucharest</td> <td>warsaw</td> <td>washington</td> </tr> <tr> <td class="gray">clone me</td>
Read more