On 7/1/13 4:50 PM, Ostap Andrusiv wrote:
Thanks everyone for the responses.
I can't use allowtgtsessionkey on Windows, because I want to achieve a
cross-platform solution.

Allowtgtsessionkey (Google it) is a Windows registry key you need to configure, which means you cannot simply deploy your app on a Windows box and it automatically works. Except for this, I don't think the solution is not cross-platform.


I'll look into the option, provided by Weijun Wang and create
KerberosTicket/KerberosPrincipal. I hope it would do the job.

You need to get the ticket anyway. Either from an existing one (possibly thru the login process) or get it yourself (thru a kinit command that understands PKINIT). After that, as Henry said, "Just set useTicketCache=true in the JAAS config".

Best luck.

--Weijun



2013/6/26 Henry B. Hotz <hbh...@lavenderwine.com
<mailto:hbh...@lavenderwine.com>>

    Even easier.  Just set useTicketCache=true in the JAAS config.

    On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.w...@oracle.com
    <mailto:weijun.w...@oracle.com>> wrote:

     > Java (at least Oracle JDK) does not support PKINIT.
     >
     > Yes, you can do it outside, create a KerberosTicket and a
    KerberosPrincipal, create a JAAS Subject containing them, and call
    Subject.doAs() later. It should work.
     >
     > On Windows, if you manage to use Windows' own login and have the
    ticket stored inside LSA, Java should be able to read it. There is a
    registry key allowtgtsessionkey you need to take care of. Or maybe
    you can use any third party kinit to save a ccache file which can
    also be picked up by Java.
     >
     > --Max
     >
     > On 6/26/13 7:29 AM, Henry B. Hotz wrote:
     >> I'm not authoritative, but AFAIK there is no smart card support
    in Java, though there is pkcs11 support.
     >>
     >> If I had to do it, I would do the smart card/PKINIT stuff
    outside Java, and then let Java use the acquired tgt.
     >>
     >> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifos...@gmail.com
    <mailto:pifos...@gmail.com>> wrote:
     >>
     >>> Hi everyone,
     >>>
     >>> I've been playing with smart cards and faced some issues.
     >>> Long story short:
     >>>
     >>> Prerequisites:
     >>>
     >>>     • I set up a basic Kerberos realm via Windows Active Directory.
     >>>     • I managed to successfully log in to the service via
    login/password pair using Java Kerberos(Krb5LoginModule), which is
    provided via JAAS.
     >>> Now I try to implement Kerberos login via smart card. Smart
    card preauthentication in Kerberos is done via AS-REQ/AS-REP
    messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos
    hasn't used the smartcard. As far as I have seen, there were no
    PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something.
     >>>
     >>> Question:
     >>>
     >>> 1. Does Java Kerberos support smart card preauthentication out
    of the box?
     >>>
     >>> 2. If it doesn't, can I somehow extend existing Kerberos
    module or should I implement whole Kerberos from the ground up?
     >>>
     >>>
     >>>
     >>> Thanks in advance,
     >>> Ostap Andrusiv
     >>>
     >>>
     >>> web: http://andrusiv.com
     >>> skype: ostap.andrusiv
     >>> ::p!F
     >>




--
Best regards,
Ostap Andrusiv

web: http://andrusiv.com
skype: ostap.andrusiv
::p!F
