kerberos - Using Java 8 S4U2Proxy - A good example needed
I am trying to use S4U2Proxy, introduced in Java 8. Unfortunately I have not been successful in finding many examples. The requirement: the client sends a certificate; the service should delegate the request (using Kerberos), connect to the KDC, get a TGT, get a service ticket so it can contact the server on the user's behalf, and then contact the actual service providing that service ticket. If Java 8 does not provide a clean approach, can you please point me to other utilities that might solve this requirement.

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

// subject: the service's JAAS Subject; clientName: the user to impersonate (both set up elsewhere)
Subject.doAs(subject, new PrivilegedAction<Object>() {
    @Override
    public Object run() {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential self = null;
        try {
            GSSName selfUser = manager.createName("serviceWhoWantsToImpersonate", GSSName.NT_USER_NAME);
            Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");   // Kerberos v5 mechanism
            // the service's own initiator credential
            self = manager.createCredential(selfUser.canonicalize(krb5Oid),
                    GSSCredential.DEFAULT_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);
            GSSName user = manager.createName(clientName, GSSName.NT_USER_NAME);
            // S4U2Self: a credential for the user, obtained with the service's own credential
            GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);
        } catch (GSSException e) {
            e.printStackTrace();
        }
        return null;
    }
});
```
Obviously there are questions: how has the SPN been set in the KDC? Is the service account authorized for delegation? Has the right SPN been assigned to the service account? What if user "monkey" denies this sort of delegation? etc. etc. Right now I feel I have made the right settings in the KDC; the problem above occurs before it even hits the KDC. Any valid inputs would help.

Edit: after research, I was able to perform S4U2Self and S4U2Proxy using Java 8. Surprised that not even one example was provided in the Oracle documentation. Anyhow, moving to the next stage. My scenario has to handle cross-domain Kerberos certificate delegation. The Java 8 documentation I have seen so far infers that cross-realm is not supported. Is this still true?
I have built a complete standalone demonstration application of the Kerberos SFU extension features in Java 8: https://github.com/ymartin59/java-kerberos-sfudemo

Here is a short code snippet that allows generating a SPNEGO token from a TGS ticket for the impersonated user:

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.ExtendedGSSCredential;

// serviceCredentials: the service's own GSSCredential, acquired beforehand
GSSManager manager = GSSManager.getInstance();
GSSName userName = manager.createName("targetUser", GSSName.NT_USER_NAME);
// S4U2Self: credential for targetUser
GSSCredential impersonatedUserCreds = ((ExtendedGSSCredential) serviceCredentials).impersonate(userName);
final Oid KRB5_PRINCIPAL_OID = new Oid("1.2.840.113554.1.2.2.1");
GSSName servicePrincipal = manager.createName("HTTP/webservice-host.domain.ltd", KRB5_PRINCIPAL_OID);
// S4U2Proxy happens when the context is initiated with the impersonated credential (SPNEGO mechanism)
ExtendedGSSContext extendedContext = (ExtendedGSSContext) manager.createContext(servicePrincipal,
        new Oid("1.3.6.1.5.5.2"), impersonatedUserCreds, GSSContext.DEFAULT_LIFETIME);
final byte[] token = extendedContext.initSecContext(new byte[0], 0, 0);
```

Beware: extendedContext is not established yet. Multiple rounds with the server may be required.

Java 8 Kerberos code does not support cross-realm impersonation yet: refer to JDK-8005819.

The Java service account may be hosted in one realm and the code can target a service in another realm, as far as the realm is explicitly appended to the SPN: HTTP/webservice-host.otherdomain.ltd@otherdomain.ltd

In the same way, for users known in another realm, the realm should be appended to the login name in the method: createName("targetUser@otherdomain.ltd", GSSName.NT_USER_NAME)
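The snippet above stops at the first token, and the answer warns that the context is not established yet. The following is an added, hypothetical end-to-end client (not the question's code and not taken from the ymartin59 demo project) that puts the pieces together: it logs the middle-tier service in from a keytab, performs S4U2Self with impersonate, lets initSecContext perform S4U2Proxy against a realm-qualified SPN, and drives the SPNEGO round trips over HTTP until the context is established. The JAAS entry name, host names, realm and keytab path are constructed sample values; the KDC-side delegation settings and krb5.conf are assumed to be in place.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.ExtendedGSSCredential;

/*
 * Hypothetical middle-tier client. Assumes a JAAS entry "ServiceLogin" selected with
 * -Djava.security.auth.login.config=jaas.conf (all values below are constructed samples):
 *   ServiceLogin {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true keyTab="/etc/middle-tier.keytab" principal="HTTP/middle-tier.example.com"
 *       storeKey=true isInitiator=true doNotPrompt=true;
 *   };
 */
public class ConstrainedDelegationClient {
    static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    static final Oid KRB5_PRINCIPAL_NAME = new Oid("1.2.840.113554.1.2.2.1");
    static final Oid SPNEGO_MECH = new Oid("1.3.6.1.5.5.2");
    static final int MAX_ROUNDS = 5;   // guard against a server that never finishes SPNEGO

    public static void main(String[] args) throws Exception {
        // Realm-qualified names, as the answer recommends for principals from another realm.
        String user = args.length > 0 ? args[0] : "alice@EXAMPLE.COM";          // constructed
        String backendSpn = "HTTP/backend.example.com@EXAMPLE.COM";              // constructed
        URL backend = new URL("https://backend.example.com/api/whoami");        // constructed

        LoginContext lc = new LoginContext("ServiceLogin");   // obtains the service's own TGT
        lc.login();
        try {
            int status = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<Integer>) () -> callAs(user, backendSpn, backend));
            System.out.println("back end answered HTTP " + status);
        } finally {
            lc.logout();
        }
    }

    static int callAs(String user, String backendSpn, URL backend) throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        // Our own initiator credential, taken from the Subject we run under (null name = default).
        GSSCredential self = manager.createCredential(null,
                GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);
        // S4U2Self: the KDC issues a ticket to ourselves in the user's name.
        GSSName userName = manager.createName(user, GSSName.NT_USER_NAME);
        GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(userName);
        // S4U2Proxy: initiating a context with the impersonated credential makes the KDC
        // issue the back-end ticket on the user's behalf, if delegation to backendSpn is allowed.
        GSSName target = manager.createName(backendSpn, KRB5_PRINCIPAL_NAME);
        ExtendedGSSContext ctx = (ExtendedGSSContext) manager.createContext(
                target, SPNEGO_MECH, asUser, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // also verify the back end's identity
        try {
            byte[] inToken = new byte[0];
            int status = HttpURLConnection.HTTP_UNAUTHORIZED;
            for (int round = 0; round < MAX_ROUNDS && !ctx.isEstablished(); round++) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken == null || outToken.length == 0) {
                    break;   // nothing left to send
                }
                HttpURLConnection conn = (HttpURLConnection) backend.openConnection();
                conn.setRequestProperty("Authorization",
                        "Negotiate " + Base64.getEncoder().encodeToString(outToken));
                status = conn.getResponseCode();
                inToken = negotiateToken(conn.getHeaderField("WWW-Authenticate"));
                conn.disconnect();
                if (status == HttpURLConnection.HTTP_UNAUTHORIZED && inToken.length == 0) {
                    break;   // rejected outright, no continuation token to process
                }
                if (status != HttpURLConnection.HTTP_UNAUTHORIZED) {
                    // Accepted; consume the final mutual-authentication token if one was sent.
                    if (inToken.length > 0 && !ctx.isEstablished()) {
                        ctx.initSecContext(inToken, 0, inToken.length);
                    }
                    break;
                }
            }
            if (!ctx.isEstablished()) {
                throw new IOException("SPNEGO context not established (last HTTP status " + status + ")");
            }
            return status;
        } finally {
            ctx.dispose();
            asUser.dispose();
            self.dispose();
        }
    }

    /** Extracts the base64 blob from a "Negotiate <token>" header; empty array if absent. */
    static byte[] negotiateToken(String header) {
        String prefix = "Negotiate";
        if (header == null || !header.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return new byte[0];
        }
        String b64 = header.substring(prefix.length()).trim();
        return b64.isEmpty() ? new byte[0] : Base64.getDecoder().decode(b64);
    }
}
```

The loop is the practical answer to the "multiple rounds" caveat: each initSecContext call either produces a token to send or reports completion, and the client keeps going until isEstablished() is true or the server stops cooperating. Disposing the impersonated credential in the finally block matters in a long-running service, because each impersonation holds a cached user ticket.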