JAAS is an authentication/authorization framework for Java. Even if I'm a noob in development,
especially in OO, I'm more and more interested in Java day after day. Why? Because it's the only //middle//
level language which provides such useful frameworks and libs: VFS, full security/crypto libs, etc.
(You think it's a joke? Just search for a VFS module for Perl, or C (except that crap (?)
of gnome-vfs which requires X11), Kerberos bindings in Ruby, X509 classes in C#, etc.)
Moreover, I work for Fimasys, a company which writes financial software in Java, and I need
to write a paper about SSO/Java next week, but anyway..
Actually, my first problem is authentication. I presently want to use Kerberos (running
my tests against a MIT KDC) for the SSO stuff.
Here is my first code:
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class JaasAcn {
    public static void main(String[] args) {
        // Obtain a LoginContext, needed for authentication. Tell it
        // to use the LoginModule implementation specified by the
        // entry named "JaasSample" in the JAAS login configuration
        // file and to also use the specified CallbackHandler.
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            System.exit(-1);
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        }

        try {
            // attempt authentication (Krb5LoginModule prompts for name/password)
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication failed:");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        }
        System.out.println("Authentication succeeded!");

        Subject subject = lc.getSubject();
        // Ask only for the Kerberos principals: no raw Set, no unchecked cast
        // that would blow up if another LoginModule added a different Principal.
        for (KerberosPrincipal principal : subject.getPrincipals(KerberosPrincipal.class)) {
            // Here, you're able to use the KerberosPrincipal object
            System.out.println(principal.getRealm());
        }
    }
}
It's just the example which comes with JAAS, with a few lines added about
the Kerberos credential.
# cat ~/.java.login.config
JaasSample {
    com.sun.security.auth.module.Krb5LoginModule required;
};
# javac JaasAcn.java
# java -Djava.security.krb5.realm=ASYD.NET -Djava.security.krb5.kdc=kdc.asyd.net JaasAcn
Kerberos username [asyd]:
Kerberos password for asyd: toto
Authentication succeeded!
ASYD.NET
So, as you can see, the code works, but I noticed a few problems:
- the password is readable on the terminal.. (well, not very important for web)
- this code doesn't use an available ticket (obtained by kinit) and doesn't create one
- realm/KDC server are set via Java system properties, nice, but not very reliable
At this time, I've only had time to inspect the second point. I found a message which refers to a
possible problem with encryption types. After a fight with the MIT KDC, I tried to create
a credential with the des-cbc-md5:normal enctype, but I'm not able to obtain the ticket via kinit,
dunno why exactly at the moment..
(A few minutes later, while asyd is reading the doc) in order to make JAAS able to use
tickets obtained by kinit, just add useTicketCache=true in the java.login.config file.