Even easier. Just set useTicketCache=true in the JAAS config.

On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.w...@oracle.com> wrote:

> Java (at least Oracle JDK) does not support PKINIT.
>
> Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal,
> create a JAAS Subject containing them, and call Subject.doAs() later. It
> should work.
>
> On Windows, if you manage to use Windows' own login and have the ticket
> stored inside LSA, Java should be able to read it. There is a registry key
> allowtgtsessionkey you need to take care of. Or maybe you can use any third
> party kinit to save a ccache file which can also be picked up by Java.
>
> --Max
>
> On 6/26/13 7:29 AM, Henry B. Hotz wrote:
>> I'm not authoritative, but AFAIK there is no smart card support in Java,
>> though there is pkcs11 support.
>>
>> If I had to do it, I would do the smart card/PKINIT stuff outside Java, and
>> then let Java use the acquired tgt.
>>
>> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifos...@gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> I've been playing with smart cards and faced some issues.
>>> Long story short:
>>>
>>> Prerequisites:
>>>
>>> • I set up a basic Kerberos realm via Windows Active Directory.
>>> • I managed to successfully log in to the service via login/password pair
>>> using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
>>>
>>> Now I try to implement Kerberos login via smart card. Smart card
>>> preauthentication in Kerberos is done via AS-REQ/AS-REP messages
>>> (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the
>>> smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions
>>> in openjdk sources. Maybe, I missed something.
>>>
>>> Question:
>>>
>>> 1. Does Java Kerberos support smart card preauthentication out of the box?
>>>
>>> 2. If it doesn't, can I somehow extend existing Kerberos module or should
>>> I implement whole Kerberos from the ground up?
>>>
>>> Thanks in advance,
>>> Ostap Andrusiv
>>>
>>> web: http://andrusiv.com
>>> skype: ostap.andrusiv
>>> ::p!F
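
The approach discussed in this thread, as an added example that is not part of the original messages: the TGT is obtained outside Java (smart card/PKINIT login), and Krb5LoginModule picks it up with useTicketCache=true before Subject.doAs() runs the GSS-API call. The class name, the service name `HTTP@app.example.test` and the optional ccache path argument are assumptions for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheLogin {
    public static void main(String[] args) throws Exception {
        // Hypothetical target service; pass the real one as the first argument.
        String service = args.length > 0 ? args[0] : "HTTP@app.example.test";

        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true"); // reuse the TGT acquired outside Java
        opts.put("doNotPrompt", "true");    // fail closed: never fall back to a password prompt
        if (args.length > 1) {
            opts.put("ticketCache", args[1]); // explicit ccache file written by an external kinit
        }

        // In-memory equivalent of a one-entry JAAS login configuration file.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };

        LoginContext lc = new LoginContext("ccache-login", null, null, conf);
        lc.login(); // LoginException here means no usable TGT was found in the cache
        Subject subject = lc.getSubject();

        // Inside doAs, a null credential makes JGSS use the Subject's cached TGT.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("Principals: " + subject.getPrincipals());
        System.out.println("Initial service token: " + token.length + " bytes");
        lc.logout();
    }
}
```

With doNotPrompt=true, a missing or expired cached ticket produces a LoginException instead of a password prompt, so the Java side never handles a long-term secret.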