Advanced JGSS Security Programming (original) (raw)

Part III : Deploying for Single Sign-On in a Kerberos Environment

Exercise 6: Deploying for Single Sign-On

Goal of this exercise:

The goal of this exercise is to learn how to configure a JAAS application that uses Kerberos for authentication to achieve_single sign-on_. Single sign-on means that the user needs only authenticate once to a system or a collection of services. After the initial authentication, the user can access other services in the system using the same identity as he used for the initial authentication.

Single sign-on can be used to describe different types of authentication. There are HTTP-based network single sign-on protocols. There is Kerberos-based single sign-on for network services. In this particular exercise, we show how to achieve single sign-on in Kerberos-based systems by showing how to import already-acquired Kerberos credentials from the underlying native operating system.

Background and Resources for this exercise:

  1. Single Sign-On Using Kerberos in Java

In addition, see the information provided in Exercises 2 and 4 for background information about Kerberos and Java GSS.

Steps to follow:

  1. Edit the JAAS configuration file. This is located in src/jaas-krb5.conf

This file contains two entries, one named "client" and one named "server." Add the line **"useTicketCache=true"**to the client entry.

Code listing for updated jaas-krb5.conf.

  1. client {

  2. com.sun.security.auth.module.Krb5LoginModule required

  3. useTicketCache=true

  4. principal="test";

  5. };

  6. server {

  7. com.sun.security.auth.module.Krb5LoginModule required

  8. useKeyTab=true

  9. storeKey=true

  10. keyTab=sample.keytab

  11. principal="host/j1hol-001";

  12. };

  13. Perform Kerberos login to the native operating system.
    To login to Kerberos, use kinit command as follows.

    % kinit test
    Then, enter changeit when prompted for the password.

  14. Run the client and server programs in Exercises 1-5 as before and you will note that the client applications no longer ask you to enter a password.

Oracle and/or its affiliates Java Technology Copyright © 1993, 2018, Oracle and/or its affiliates. All rights reserved. Contact Us