-
15. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 26, 2017 10:18 AM (in response to mchoma)
Thanks Martin,
I have almost set up everything according to your test class. But I need to know more about which parameters are needed since this format is new to me. Where do I set up the connection parameters? I was wrong before. I do have the token through waffle (JNA wrapper), not the ticket. I don't want to set the username and password since this should be set through the token. How do I solve this? What is the method getGssCredential? If there is any magic involved here I would like to know.
Thanks
-
16. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 31, 2017 11:49 AM (in response to gurras)
So I guess the million dollar question for me is how to create the GSSCredential from the service ticket byte[] I have retrieved via JNA (SSPI), which I can then use for the AuthenticationConfiguration which mchoma suggested I should use for the new EJB client. Any hints or answers to this and I am forever in your debt.
-
17. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 31, 2017 1:02 PM (in response to gurras)
My example provides a way to get a GSSCredential from a JAAS Subject.
Waffle is providing a JAAS login module. So in theory you should be able to get a JAAS Subject using waffle and then the GSSCredential. But I admit that becomes complicated.
dlofthouse, any hint how to call the client with a Kerberos ticket when that is present in byte[] form? Is it something Elytron could support?
-
18. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Nov 1, 2017 3:47 AM (in response to gurras)
mchoma, where does your example retrieve the GSSCredential from the JAAS subject? I could go for trying to retrieve the JAAS subject as long as it doesn't involve the GSS API and setting the Windows registry flag.
-
19. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Nov 1, 2017 4:56 AM (in response to gurras)
Sorry, I am pretty sure I pasted (wanted to paste) this somewhere on the forum recently:

    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSException;
    import org.ietf.jgss.GSSManager;

    // Must run as the JAAS Subject: the JGSS provider takes the Kerberos
    // credentials from the Subject's private credential set.
    private GSSCredential getGSSCredential(Subject subject) {
        return Subject.doAs(subject, new PrivilegedAction<GSSCredential>() {
            @Override
            public GSSCredential run() {
                try {
                    GSSManager gssManager = GSSManager.getInstance();
                    // INITIATE_ONLY: a client-side credential for initiating contexts
                    return gssManager.createCredential(GSSCredential.INITIATE_ONLY);
                } catch (GSSException e) {
                    e.printStackTrace();
                }
                return null;
            }
        });
    }
-
20. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Nov 1, 2017 8:32 AM (in response to mchoma)
Thanks! That's definitely a start. Still unsure how to deal with creating a Subject from waffle, or for that matter from the byte[] token, since the subject is in need of credentials.
-
21. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Jan 8, 2018 7:47 AM (in response to gurras)
Alternatively, in WildFly 12 (or in master until WF 12 is released) you can try a new feature in Elytron: you can specify the local-kerberos element in wildfly-config.xml.
In that case the client will use the Kerberos ticket from the cache and authenticate.
[1] Configuration of Kerberos with Elytron in WildFly · Honza
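A wildfly-config.xml using the local-kerberos element mentioned in the last reply, written here as an added example (it is not from the thread or from the WildFly project). The urn:elytron:client:1.2 namespace, the GSSAPI mechanism selector and the mechanism-names value are assumptions about the Elytron client schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): an Elytron client that authenticates
     with the Kerberos ticket already in the local credential cache instead of a
     username/password stored in the config.
     Assumptions: urn:elytron:client:1.2 namespace, the GSSAPI selector and the
     mechanism-names value. -->
<configuration>
    <authentication-client xmlns="urn:elytron:client:1.2">
        <authentication-rules>
            <!-- Apply "kerberos-client" to every outbound connection; narrow it
                 with match-host / match-port in a real deployment. -->
            <rule use-configuration="kerberos-client"/>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="kerberos-client">
                <!-- Offer only GSSAPI so the remoting/EJB client cannot quietly
                     fall back to a password-based SASL mechanism. -->
                <sasl-mechanism-selector selector="GSSAPI"/>
                <credentials>
                    <!-- No set-user-name / clear-password here: the credential
                         is taken from the local Kerberos ticket cache. -->
                    <local-kerberos mechanism-names="KRB5"/>
                </credentials>
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>
```

Put the file on the client classpath as wildfly-config.xml or point the JVM at it with -Dwildfly.config.url=file:/path/to/wildfly-config.xml; a client with no valid ticket in the cache will then fail authentication rather than fall back to a password.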