2 Replies Latest reply on Oct 22, 2005 2:16 PM by Erik Sliman

    relationship between JAAS, JGSS, Kerberos and JBoss

    Eric Newbie


      I'm trying to understand the relationship between these technologies, perhaps someone could help me out.

      I understand that to authenticate a client, I need to use a combination of JAAS login modules. On the client, I'm required to use the ClientLoginModule that just grabs a username and password, and moves it to the server. On the server, I'll use some other login module (LDAP, database, etc) to actually validate that the given username / password combination is valid, populate the principal with roles, etc.

      My question is, where does JGSS (and Kerberos) fit into this mix? It seems like I could easily configure JAAS to authenticate a user with a given KDC and realm. If I do this on the client though, how would I pass this credential (the Kerberos tix) to JBoss? It seems that I have to pass the username / password data to the server via the simple ClientLoginModule... Besides concerns about possibly exposing my user's password, this makes single-logon impossible (I can't take advantage of the credential cache in the client, since I can't get the original password from the Kerberos ticket).

      I know this question is a bit open-ended, but I'm hoping someone will be interested in discussing single-logon options using Kerberos and JBoss. Is it even possible to do this with JBoss security?
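As an added illustration (not part of the original post, and not a statement about what JBoss itself supports), this is the standard client-side JAAS/JGSS path that uses the Kerberos credential cache instead of a password: a Krb5LoginModule login populates the Subject with the TGT, and JGSS then produces the initial token for the service. The JAAS entry name `ClientKerberos` and the service principal `HTTP@jboss.example.com` are assumed placeholders; a running KDC, a valid `krb5.conf` and an existing ticket cache (e.g. from `kinit`) are required.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Assumed JAAS configuration (passed via -Djava.security.auth.login.config=...).
 * doNotPrompt=true guarantees the password is never requested from the user;
 * the login succeeds only if a usable ticket is already cached.
 *
 * ClientKerberos {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *         useTicketCache=true
 *         doNotPrompt=true
 *         renewTGT=true;
 * };
 */
public class KerberosClientTokenDemo {

    // Kerberos V5 GSS-API mechanism OID (RFC 1964)
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // Builds the initial GSS-API token (wrapping an AP-REQ) for servicePrincipal,
    // using only the Kerberos credentials already present in the Subject.
    public static byte[] initialToken(Subject subject, String servicePrincipal) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            // NT_HOSTBASED_SERVICE expects the "service@host" form
            GSSName server = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            GSSContext ctx = manager.createContext(server, krb5, cred, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // client also verifies the server
            ctx.requestInteg(true);        // allow integrity protection on later messages
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("ClientKerberos"); // assumed JAAS entry name
        lc.login();                                          // reads the ticket cache, no password
        byte[] token = initialToken(lc.getSubject(), "HTTP@jboss.example.com");
        System.out.println("Initial GSS token: " + token.length + " bytes (send to the server, not the password)");
    }
}
```

The server side would need a matching acceptor (Krb5LoginModule with a keytab, then `acceptSecContext` on the received token); this block shows only why the client never has to hold or forward the user's password.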