How to generate the Kerberos Security Token?

I am working on a web-based application and my application supports SSO (we use the Kerberos protocol; the Active Directory mapping and SPN configurations are all done).

We are using GWT 2.4 for the GUI part and we support standalone and SSO modes for the application (we can switch between these modes using a utility). In the normal standalone mode, we show the user a login screen where the user needs to enter credentials to log in. In SSO mode, we take the user directly to the application, bypassing the login screen. At the client side, we used to control this behavior by making GWT RPC calls.

Everything was working fine with this. Later we figured out that the application always showed a blank screen when opened only in the first tab of the IE browser. To resolve this problem, we replaced the GWT RPCs with GWT RequestBuilder. The problem was resolved. However, SSO functionality was not working as expected.

I introduced traces and figured out that the Authorization header does not get set explicitly with RequestBuilders. So, I encoded the username:password combination using Base64 and set this as the Authorization header.

E.g.: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

But this also did not solve my issue, and I figured out the Negotiate header was not set. How do we set the Negotiate header? When I was using GWT RPCs with the same configurations as described earlier, I never used to set the Negotiate header explicitly.

Please explain the significance of this header and how to generate it. Below is a sample of the Negotiate header generated when I was using GWT RPC instead of RequestBuilder.

Negotiate <base64 token omitted>

Any help on this will be greatly appreciated.

Ok so here goes.

You need to do two things.

1. Invoke the LoginContext functionality using JAAS and get the context associated with creating the token header.

2. Create the negotiate header with it.

For part 1:

1.1 Create the file jaas.conf and put the following inside it:

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false
  isInitiator=true
  debug=false;
};

1.2 Point the java.security.auth.login.config system property to the full path of this file.

1.3 LoginContext lc = new LoginContext("com.sun.security.jgss.krb5.accept", new TextCallbackHandler()); lc.login(); // entry name must match the jaas.conf entry; the handler (com.sun.security.auth.callback.TextCallbackHandler) supplies the prompts

1.3 will prompt for username and password and then create the appropriate context for part.

Now for actually creating the header:

2.1 Create a class TokenGenerator which implements PrivilegedExceptionAction<String>. In its run method do the following:

   2.1.1 GSSName gssServerName = manager.createName(ServiceNameYouWannaConnectTo, null);
   2.1.2 GSSContext context = manager.createContext(gssServerName, spnegoOid, null, GSSCredential.DEFAULT_LIFETIME);
   2.1.3 byte[] spnegoToken = context.initSecContext(new byte[0], 0, 0); // first leg: there is no input token from the server yet
   2.1.4 byte[] encodedToken = Base64.encodeBase64(spnegoToken); // org.apache.commons.codec.binary.Base64
   2.1.5 return new String(encodedToken, "UTF-8");

2.2 String negotiateHeaderBody = Subject.doAs(lc.getSubject(), new TokenGenerator());

After this you can prepend "negotiate" and voila, you have the header. Important to note that my syntax isn't perfect but only approximately correct. I have also omitted steps like creating the GSSManager and spnegoOid, which are actually trivial. And finally, this is the most basic form of creating the token. There are ways to make jaas.conf programmatic and even allow finer control over parameters used for token generation. Also, this works only for the Sun JDK; there is some tweaking required for JAAS in the case of the IBM JDK.

If you have any issues let me know.
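A complete version of the two steps above, written as an added example rather than the answer's own code: it uses java.util.Base64 instead of commons-codec, and assumes a jaas.conf entry named SpnegoClient and the service SPN HTTP/app.example.com, both made up for illustration. Run it with -Djava.security.auth.login.config pointing at the jaas.conf file.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.auth.callback.TextCallbackHandler;

public class NegotiateHeader {

    // Runs inside the logged-in Subject and returns the base64 SPNEGO token for one SPN.
    static final class TokenGenerator implements PrivilegedExceptionAction<String> {
        private final String spn;
        TokenGenerator(String spn) { this.spn = spn; }

        @Override
        public String run() throws Exception {
            GSSManager manager = GSSManager.getInstance();
            Oid spnegoOid = new Oid("1.3.6.1.5.5.2");           // SPNEGO mechanism OID
            GSSName serverName = manager.createName(spn, null);  // e.g. "HTTP/app.example.com" (assumed)
            GSSContext context = manager.createContext(serverName, spnegoOid, null,
                    GSSCredential.DEFAULT_LIFETIME);
            context.requestMutualAuth(true); // ask the server to prove it holds the service key
            try {
                // First leg of the exchange: no input token from the server yet.
                byte[] token = context.initSecContext(new byte[0], 0, 0);
                return Base64.getEncoder().encodeToString(token);
            } finally {
                // Disposing here means the server's reply is never checked; keep the context and
                // feed the WWW-Authenticate response back into initSecContext to finish mutual auth.
                context.dispose();
            }
        }
    }

    // Logs in via the named jaas.conf entry, then builds the full header value.
    public static String buildHeader(String jaasEntry, String spn) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry, new TextCallbackHandler()); // console prompts
        lc.login();
        String token = Subject.doAs(lc.getSubject(), new TokenGenerator(spn));
        return "Negotiate " + token;
    }

    public static void main(String[] args) throws Exception {
        // Entry name and SPN below are assumed values for this example.
        System.out.println(buildHeader("SpnegoClient", "HTTP/app.example.com"));
    }
}
```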
