On 7/1/13 4:50 PM, Ostap Andrusiv wrote:
> Thanks everyone for the responses. I can't use allowtgtsessionkey on Windows, because I want to achieve a cross-platform solution.

Allowtgtsessionkey (Google it) is a Windows registry key you need to configure, which means you cannot simply deploy your app on a Windows box and it automatically works. Except for this, I don't think the solution is not cross-platform.

> I'll look into the option, provided by Weijun Wang and create KerberosTicket/KerberosPrincipal. I hope it would do the job.
You need to get the ticket anyway. Either from an existing one (possibly thru the login process) or get it yourself (thru a kinit command that understands PKINIT). After that, as Henry said, "Just set useTicketCache=true in the JAAS config".
Best luck. --Weijun
2013/6/26 Henry B. Hotz <hbh...@lavenderwine.com>

Even easier. Just set useTicketCache=true in the JAAS config.

On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.w...@oracle.com> wrote:

> Java (at least Oracle JDK) does not support PKINIT.
>
> Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal, create a JAAS Subject containing them, and call Subject.doAs() later. It should work.
>
> On Windows, if you manage to use Windows' own login and have the ticket stored inside LSA, Java should be able to read it. There is a registry key allowtgtsessionkey you need to take care of. Or maybe you can use any third party kinit to save a ccache file which can also be picked up by Java.
>
> --Max
>
> On 6/26/13 7:29 AM, Henry B. Hotz wrote:
>> I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.
>>
>> If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired tgt.
>>
>> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifos...@gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> I've been playing with smart cards and faced some issues.
>>> Long story short:
>>>
>>> Prerequisites:
>>>
>>> • I set up a basic Kerberos realm via Windows Active Directory.
>>> • I managed to successfully login into service via login/password pair using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
>>>
>>> Now I try to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something.
>>>
>>> Question:
>>>
>>> 1. Does Java Kerberos support smart card preauthentication out of the box?
>>>
>>> 2. If it doesn't, can I somehow extend existing Kerberos module or should I implement whole Kerberos from the ground up?
>>>
>>> Thanks in advance,
>>> Ostap Andrusiv
>>>
>>> web: http://andrusiv.com
>>> skype: ostap.andrusiv
>>> ::p!F
>>

--
Best regards,
Ostap Andrusiv
web: http://andrusiv.com
skype: ostap.andrusiv
::p!F
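
The approach suggested in this thread (get the TGT outside Java with a PKINIT-capable kinit, then let Krb5LoginModule read the credential cache) as an added example, not code from any of the posters. The class name, the "ccache-login" entry name and the optional ccache-path argument are assumptions; `doNotPrompt=true` makes the login fail rather than fall back to a password.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

public class CcacheLogin {
    // Programmatic equivalent of a jaas.conf entry carrying the same options.
    static Configuration ticketCacheOnly(String ccachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true"); // reuse the TGT acquired outside Java
        opts.put("doNotPrompt", "true");    // no password fallback if the cache is unusable
        if (ccachePath != null) opts.put("ticketCache", ccachePath); // else the default cache
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0], if present, is a ccache file written by an external kinit.
        String ccache = args.length > 0 ? args[0] : null;
        LoginContext lc = new LoginContext("ccache-login", null, null, ticketCacheOnly(ccache));
        lc.login(); // throws LoginException when no usable TGT is found
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!t.isCurrent()) throw new IllegalStateException("TGT expired " + t.getEndTime());
            System.out.println(t.getClient() + " -> " + t.getServer() + " until " + t.getEndTime());
        }
        // JGSS resolves the initiator credential from the Subject bound by doAs().
        String who = Subject.doAs(subject, (PrivilegedExceptionAction<String>) () ->
                GSSManager.getInstance().createCredential(GSSCredential.INITIATE_ONLY)
                        .getName().toString());
        System.out.println("GSS initiator: " + who);
        lc.logout(); // clears the Subject's credentials; the cache file is left untouched
    }
}
```

On JDK 18 and later `Subject.doAs` is deprecated in favour of `Subject.callAs`.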