21 Replies. Latest reply on Jan 8, 2018 7:47 AM by mchoma
      • 15. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
        gurras

        Thanks Martin,

        I have almost set up everything according to your test class. But I need to know more about which parameters are needed, since this format is new to me. Where do I set up the connection parameters? I was wrong before. I do have the token through waffle (JNA wrapper), not the ticket. I don't want to set the username and password, since this should be set through the token. How do I solve this? What is the method getGssCredential? If there is any magic involved here I would like to know.

        Thanks

        • 16. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
          gurras

          So I guess the million dollar question for me is how to create the GSSCredential from the service ticket byte[] I have retrieved via JNA (SSPI), which I then can use for the AuthenticationConfiguration which mchoma suggested I should use for the new EJB client. Any hints or answers to this and I am forever in your debt.

          • 17. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
            mchoma

            My example provides a way to get a GSSCredential from a JAAS Subject.

            Waffle is providing a JAAS login module. So in theory you should be able to get a JAAS Subject using waffle and then a GSSCredential. But I admit that becomes complicated.

            dlofthouse any hint how to call the client with a kerberos ticket, when that is present in byte[] form? Is it something Elytron could support?

            • 18. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
              gurras

              mchoma Where does your example retrieve the GSSCredential from the JAAS subject? I could go for trying to retrieve the JAAS subject as long as it doesn't involve the GSS API and setting the windows registry flag.

              • 19. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                mchoma

                sorry I am pretty sure I pasted (wanted to paste) this somewhere on the forum recently

                    import java.security.PrivilegedAction;
                    import javax.security.auth.Subject;
                    import org.ietf.jgss.GSSCredential;
                    import org.ietf.jgss.GSSException;
                    import org.ietf.jgss.GSSManager;

                    // Runs as the JAAS Subject so the Kerberos TGT it holds is visible to JGSS
                    private GSSCredential getGSSCredential(Subject subject) {
                        return Subject.doAs(subject, new PrivilegedAction<GSSCredential>() {
                            @Override
                            public GSSCredential run() {
                                try {
                                    GSSManager gssManager = GSSManager.getInstance();
                                    // INITIATE_ONLY: client-side credential used to start a security context
                                    return gssManager.createCredential(GSSCredential.INITIATE_ONLY);
                                } catch (GSSException e) {
                                    e.printStackTrace();
                                }
                                return null;
                            }
                        });
                    }
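An added example (not mchoma's code and not part of WildFly or waffle) of the flow discussed in posts 17 and 19: obtain a JAAS Subject from the local Kerberos ticket cache with the JDK's Krb5LoginModule, turn it into a GSSCredential the same way as the snippet above, and hand that to an Elytron AuthenticationConfiguration. The class and method names are assumptions; it assumes Elytron's AuthenticationConfiguration.useGSSCredential(GSSCredential) and a valid TGT already in the cache.

```java
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

public class KerberosClientExample {
    // Programmatic JAAS config (assumed name): Krb5LoginModule reads the existing ticket
    // cache and never prompts, so no username/password appears anywhere in client code.
    static final class TicketCacheConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");
            opts.put("doNotPrompt", "true");
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }
    static Subject loginFromTicketCache() throws LoginException {
        LoginContext lc = new LoginContext("krb5-cache", null, null, new TicketCacheConfig());
        lc.login();
        return lc.getSubject();
    }
    // Same idea as mchoma's snippet: JGSS only sees the TGT while running as the Subject.
    static GSSCredential toGssCredential(Subject subject) {
        return Subject.doAs(subject, (PrivilegedAction<GSSCredential>) () -> {
            try {
                return GSSManager.getInstance().createCredential(GSSCredential.INITIATE_ONLY);
            } catch (GSSException e) {
                throw new IllegalStateException("Subject holds no Kerberos initiator credential", e);
            }
        });
    }
    // Everything run inside the returned context authenticates with the Kerberos credential.
    static AuthenticationContext kerberosContext() throws LoginException {
        GSSCredential cred = toGssCredential(loginFromTicketCache());
        AuthenticationConfiguration conf = AuthenticationConfiguration.empty().useGSSCredential(cred);
        return AuthenticationContext.empty().with(MatchRule.ALL, conf);
    }
}
```

Wrap the remote EJB or naming lookup in kerberosContext().run(...) so the call picks up the credential. On Windows this path reads the LSA ticket cache and therefore still depends on the registry setting gurras wants to avoid; it does not consume a raw SSPI byte[] token.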
                
                • 20. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                  gurras

                  Thanks! That's definitely a start. Still unsure how to deal with creating a Subject from waffle, or for that matter from the byte[] token, since the subject is in need of credentials.

                  • 21. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                    mchoma

                    Alternatively, in Wildfly 12 (or in master until WF 12 is released) you can try a new feature in Elytron: you can specify the local-kerberos element in wildfly-config.xml.

                    In that case the client will use the kerberos ticket from the cache and authenticate.

                    [1] Configuration of Kerberos with Elytron in WildFly · Honza
