On Fri, Jun 27, 2014 at 10:06 AM, Jorj Bauer <j...@isc.upenn.edu> wrote:
>> Note that you can dodge the jaas.conf by installing your own
>> Configuration like:
>
> Thanks for the comment. I know about this, generally speaking - it's what I
> was alluding to in the README:
>
>> (There is probably
>> a more complex Configuration object setup that could be performed here
>> to populate the settings programmatically; I chose to not go down that
>> road due to complexity of the code that might be required.)
>
> Specifically - and maybe you can help here - I have two concerns about that
> approach.
>
> First: there are two different configurations in jaas.conf (one for client
> and one for server behavior). I presume it's possible to construct a
> programmatic configuration that adds both, but I haven't thought about how.

Hi Jorj,

It's been a while since I looked at any of this. So I'm actually drawing a
blank on the client vs server conf. Not sure.

> Second: setting the realm and/or KDC using System.setProperty
> java.security.krb5.realm and/or java.security.krb5.kdc, I wasn't able (in my
> limited testing) to make it perform failover when the primary was
> unreachable. Seeing that it worked fine with krb5.conf, I decided to punt,
> choosing functionality over form.

Ah yes, this is another gem. There are so many problems with DNS relative to
Java's Kerberos I don't want to get into it. Having the realm come out of the
krb5.conf isn't a complete disaster since that might actually be set properly
and wouldn't be something you would want to change, I would think. At least
this is no different from how MIT or Heimdal handles things, so I can't trash
Java too much for doing it.

Kerberos and DNS are so tightly coupled that dumping off DNS to the system
resolver just doesn't cut it. I think the only way to provide proper DNS
behavior for Java's Kerberos would be to actually completely override it with
a property like sun.net.spi.nameservice.provider. Again, of course the
property is global and static, so it will affect everything in the same
ClassLoader, so your DNS implementation better be pretty solid.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
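An added example, not code from either poster or from Jorj's project, of the "programmatic configuration that adds both" client and server entries that the first concern asks about: one `javax.security.auth.login.Configuration` subclass answers both JAAS entry names, so no jaas.conf file is needed. The entry names, service principal and keytab path are placeholders; realm and KDC are deliberately left to krb5.conf, as the thread settles on.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Replaces jaas.conf with one in-memory Configuration holding a client and a server entry. */
public final class TwoEntryKrb5Configuration extends Configuration {
    private static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";
    private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

    public TwoEntryKrb5Configuration(String clientEntry, String serverEntry,
                                     String servicePrincipal, String keytabPath) {
        // Client (initiator) entry: reuse the user's existing credential cache,
        // never fall back to an interactive password prompt.
        Map<String, String> client = new HashMap<>();
        client.put("useTicketCache", "true");
        client.put("doNotPrompt", "true");
        client.put("isInitiator", "true");
        entries.put(clientEntry, new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, client) });

        // Server (acceptor) entry: authenticate from a keytab and keep the key in the
        // Subject (storeKey) so GSS-API can accept incoming service tickets.
        Map<String, String> server = new HashMap<>();
        server.put("useKeyTab", "true");
        server.put("keyTab", keytabPath);          // placeholder path supplied by caller
        server.put("principal", servicePrincipal); // e.g. HTTP/host.example.org (placeholder)
        server.put("storeKey", "true");
        server.put("isInitiator", "false");
        server.put("doNotPrompt", "true");
        entries.put(serverEntry, new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, server) });
    }

    /** LoginContext calls this with the entry name; null means "no such entry". */
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] found = entries.get(name);
        return found == null ? null : found.clone();
    }

    /** Installs the configuration process-wide. Like the system properties discussed
     *  above, this is global and static: every LoginContext in the JVM sees it. */
    public static void install(String servicePrincipal, String keytabPath) {
        Configuration.setConfiguration(new TwoEntryKrb5Configuration(
            "ExampleClient", "ExampleServer", servicePrincipal, keytabPath));
    }
}
```

After `install(...)`, `new LoginContext("ExampleServer", callbackHandler).login()` uses the keytab entry and `new LoginContext("ExampleClient", ...)` the ticket-cache entry, with no `java.security.auth.login.config` property set.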