2 Replies Latest reply on Oct 22, 2005 2:16 PM by erik777

    relationship between JAAS, JGSS, Kerberos and JBoss

    ericl

      Hi,

      I'm trying to understand the relationship between these technologies, perhaps someone could help me out.

      I understand that to authenticate a client, I need to use a combination of JAAS login modules. On the client, I'm required to use the ClientLoginModule that just grabs a username and password, and moves it to the server. On the server, I'll use some other login module (LDAP, database, etc) to actually validate that the given username / password combination is valid, populate the principal with roles, etc.

      My question is, where does JGSS (and Kerberos) fit into this mix? It seems like I could easily configure JAAS to authenticate a user with a given KDC and realm. If I do this on the client though, how would I pass this credential (the Kerberos tix) to JBoss? It seems that I have to pass the username / password data to the server via the simple ClientLoginModule... Besides concerns about possibly exposing my user's password, this makes single-logon impossible (I can't take advantage of the credential cache in the client, since I can't get the original password from the Kerberos ticket).


      I know this question is a bit open-ended, but I'm hoping someone will be interested in discussing single-logon options using Kerberos and JBoss. Is it even possible to do this with JBoss security?

      Thanks,
      Eric

        • 1. Re: relationship between JAAS, JGSS, Kerberos and JBoss
          j_ri

          Still no answer after almost three years? ;-)

          At the moment I have exactly the same problem. How can I pass the credentials from a client-side login via the Krb5LoginModule to JBoss to access an EJB?

          Cheers
          Jochen

          • 2. Re: relationship between JAAS, JGSS, Kerberos and JBoss
            erik777

            I can't say I have anything resembling an answer, but I'd have to theoretically ask the question:

            Can you populate Context.SECURITY_CREDENTIALS in your environment properties when you invoke the EJB?

            You could have a different login module in your EJBs designed to accept Kerberos credentials. The question is primarily then how you can obtain the credentials necessary to populate Context.SECURITY_CREDENTIALS in your web context when you obtain the home interface to your EJB.

            Erik
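
Added example (not posted by any participant in this thread, and not JBoss code): a client that logs in from the existing Kerberos ticket cache, asks JGSS for a service token, and places that token in Context.SECURITY_CREDENTIALS instead of a password. The service principal name and the existence of a server-side login module that accepts the token are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class KerberosTokenClient {
    // Assumed service principal; use the one registered for your server in the KDC.
    static final String SERVICE = "jboss@appserver.example.com";

    // In-memory JAAS config: reuse the existing ticket cache, never prompt for a password.
    static Configuration ticketCacheOnly() {
        Map<String, String> opts = Map.of("useTicketCache", "true", "doNotPrompt", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Builds the first GSS-API token (it wraps a Kerberos AP-REQ) for the service.
    static byte[] serviceToken(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName peer = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, new Oid("1.2.840.113554.1.2.2"),
                                               null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false); // single token, no reply leg expected
            ctx.requestCredDeleg(false);  // do not forward the TGT to the server
            try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("client", null, null, ticketCacheOnly());
        lc.login(); // fails if the cache holds no valid TGT (run kinit first)
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.SECURITY_PRINCIPAL, lc.getSubject().getPrincipals().iterator().next().getName());
        env.put(Context.SECURITY_CREDENTIALS, serviceToken(lc.getSubject())); // token, not password
        System.out.println("token bytes: " + ((byte[]) env.get(Context.SECURITY_CREDENTIALS)).length);
    }
}
```

The receiving login module would have to validate the token with GSSContext.acceptSecContext under the server's own keytab and take the caller's identity from the accepted context, not from SECURITY_PRINCIPAL, which the client controls.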