
Is it possible to reference a keytab from the classpath in jaas.conf?

Is it possible to reference a keytab from the classpath in jaas.conf?

I have tried the below, but nothing seems to work:

Client{
keyTab=classpath: /mykeytab.keytab
}

Client{
keyTab=file: /mykeytab.keytab
}

Client{
keyTab=file: resources/mykeytab.keytab
}

As far as I know, it is not possible to use anything but an absolute path to a keytab in the jaas.conf file.

In Krb5LoginModule.java, one sees (from, e.g., Krb5LoginModule.java at github.com):

if (useKeyTab) {
  ktab = (keyTabName == null)
           ? KeyTab.getInstance()
           : KeyTab.getInstance(new File(keyTabName));

And the .getInstance() code will use .getPath() on the instantiated File object (see KeyTab.java).

Consequently, there is nothing in the basic approach that will search the classpath. Also, see this question here about keytab configuration as well.

That said, and not shown in the OP's configuration file, it is possible to change the class from the usual "com.sun.security.authmodule.Krb5LoginModule" to a custom module. In this custom module, one can then do things such as setting entries in the Map<String,?> parameter that is used in the initialize method of the Krb5LoginModule.

We have implemented such an approach to allow the various settings to be defined in our client application rather than trying to have our users edit a jaas.conf file on the client. So, we use a custom module that uses a Composition approach encapsulating a Krb5LoginModule, but sets all of the desired options into the Map.

It is something like:

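// krb5LM is the encapsulated Krb5LoginModule; mSS is the shared-state map
// handed through to its initialize() method.
Map<String, String> mOpts = new HashMap<>(); // options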

mOpts.put("doNotPrompt", Boolean.TRUE.toString());
mOpts.put("useTicketCache", Boolean.FALSE.toString());
mOpts.put("useKeyTab", Boolean.TRUE.toString());
mOpts.put("keyTab", options.getKeytabPath().toString());
mOpts.put("principal", PrincipalUtils.getDefaultPrincipal().getName());

krb5LM.initialize(_subject, options.getCallbackHandler(), mSS, mOpts);

//
// attempt to authenticate the user
//
krb5LM.login();

It is possible to search the classpath for a desired filename and then pass the found file to the Map. In the quasi-example above, the options object has pulled the keytab from the user's preferences and validated it. But rather than having a specific pre-browsed file, one could implement a search of the classpath.
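
The classpath lookup described in the last paragraph, as an added example that is not part of the original answer: it copies the keytab resource to an owner-only temporary file, because Krb5LoginModule only accepts a file path, and supplies the options through an in-memory Configuration rather than the answer's custom wrapper module. The class name ClasspathKeytab, its method names and the principal client@EXAMPLE.COM are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

public final class ClasspathKeytab {   // hypothetical helper, not a JDK class
    /** Copies a classpath resource to an owner-only temp file; returns its absolute path. */
    static Path materialize(String resource) throws IOException {
        try (InputStream in = ClasspathKeytab.class.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("keytab not on classpath: " + resource);
            Path tmp;
            try {   // POSIX: create as rw------- so other local users cannot read the keys
                tmp = Files.createTempFile("krb5-", ".keytab", PosixFilePermissions
                        .asFileAttribute(PosixFilePermissions.fromString("rw-------")));
            } catch (UnsupportedOperationException e) {   // non-POSIX file system
                tmp = Files.createTempFile("krb5-", ".keytab");
            }
            tmp.toFile().deleteOnExit();   // do not leave key material behind
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            return tmp.toAbsolutePath();
        }
    }

    /** In-memory equivalent of a jaas.conf "Client" entry pointing at the given keytab. */
    static Configuration clientConfig(String principal, Path keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("doNotPrompt", "true");
        opts.put("useTicketCache", "false");
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.toString());   // absolute path, as Krb5LoginModule expects
        opts.put("principal", principal);
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Client".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Path keytab = materialize("/mykeytab.keytab");   // resource name from the question
        Configuration conf = clientConfig("client@EXAMPLE.COM", keytab);   // placeholder principal
        new LoginContext("Client", null, null, conf).login();
    }
}
```

A keytab packaged on the classpath is readable by anyone who can read the JAR, so the artifact itself needs the same access control as the extracted file.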
