
Authenticating with different Kerberos KDC in the same Java application

Native Java support for Kerberos authentication uses system properties java.security.krb5.kdc and java.security.krb5.realm to specify which server exactly to ask to confirm user credentials. Is there any good way to authenticate on different servers with the same application?

E.g. I'd want to authenticate user smith on server peons.company.com, but user johndoe on bigbosses.company.com. I could try to use System.setProperty() to switch KDCs, but I have no idea if the Java Kerberos implementation really supports that. Not to mention that it requires synchronization between threads and generally feels hacky.

[Please don't tell me how I could solve this with different server configuration, I don't control those.]

Read the Oracle docs again: you need to set these two properties if and only if you cannot point to a full Kerberos config file. And note that...

if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided


So, the sane thing to do is to forget about these properties, and instead point to a detailed, custom config file with java.security.krb5.conf.

That Kerberos config will contain, among other things,

  • the list of realms with their specific KDCs (the primary, and optionally the failover)
  • the mapping of servers to realms (if you need to obtain Kerberos service tickets for your authenticated users on other servers)
  • the trust relationships between realms (by default, a principal from A.COMPANY.NET trying to connect to a server from B.COMPANY.NET must hop to the root COMPANY.NET first, so you have to define that one in the list, too)

The MIT documentation for krb5.conf is a bit dry but Google will get you some examples...
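The following is an added example, not code from the question or the answer above, that puts the answer into practice: it writes a krb5.conf with the three sections the answer lists (realms with primary and failover KDCs, domain_realm mapping, capaths trust via the root realm), points java.security.krb5.conf at it, and then logs in two users from two different realms through JAAS without ever touching java.security.krb5.kdc or java.security.krb5.realm. The realm names are derived from the hostnames in the question; the KDC hostnames, the password-based login and the "KerberosLogin" JAAS entry name are assumptions for illustration, so the program only succeeds against real KDCs that know those principals.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class MultiRealmKerberosLogin {

    // Constructed krb5.conf. Realm names follow the question's hostnames;
    // the kdc hostnames and the root realm COMPANY.COM are assumptions.
    static final String KRB5_CONF = String.join("\n",
        "[libdefaults]",
        "  default_realm = COMPANY.COM",
        "  dns_lookup_kdc = false",            // use only the KDCs listed below
        "",
        "[realms]",
        "  PEONS.COMPANY.COM = {",
        "    kdc = kdc1.peons.company.com",    // primary
        "    kdc = kdc2.peons.company.com",    // failover, tried if the primary is down
        "  }",
        "  BIGBOSSES.COMPANY.COM = {",
        "    kdc = kdc.bigbosses.company.com",
        "  }",
        "  COMPANY.COM = {",
        "    kdc = kdc.company.com",
        "  }",
        "",
        "[domain_realm]",                      // which realm a given server belongs to
        "  .peons.company.com = PEONS.COMPANY.COM",
        "  .bigbosses.company.com = BIGBOSSES.COMPANY.COM",
        "  .company.com = COMPANY.COM",
        "",
        "[capaths]",                           // cross-realm path: hop via the root realm
        "  PEONS.COMPANY.COM = {",
        "    BIGBOSSES.COMPANY.COM = COMPANY.COM",
        "  }",
        "  BIGBOSSES.COMPANY.COM = {",
        "    PEONS.COMPANY.COM = COMPANY.COM",
        "  }",
        "");

    // Programmatic JAAS configuration so no separate login.conf file is needed.
    static Configuration jaasConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("refreshKrb5Config", "true"); // re-read krb5.conf on each login
                opts.put("useTicketCache", "false");   // do not reuse a cached TGT
                opts.put("storeKey", "false");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    // The realm is carried in the principal name, so Krb5LoginModule picks the
    // matching [realms] entry itself; no global property switching, no locking.
    static Subject login(String principal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("KerberosLogin", null, handler, jaasConfig());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Path conf = Files.createTempFile("krb5", ".conf");
        Files.write(conf, KRB5_CONF.getBytes(StandardCharsets.UTF_8));
        // Only the config-file property is set. Setting java.security.krb5.kdc or
        // java.security.krb5.realm here would override the file and break cross-realm.
        System.setProperty("java.security.krb5.conf", conf.toString());

        String[][] users = {
            {"smith@PEONS.COMPANY.COM", "smith-password"},        // assumed credentials
            {"johndoe@BIGBOSSES.COMPANY.COM", "johndoe-password"} // assumed credentials
        };
        for (String[] u : users) {
            Subject s = login(u[0], u[1].toCharArray());
            for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
                // Shows which realm's KDC issued the TGT, e.g. krbtgt/PEONS.COMPANY.COM@PEONS.COMPANY.COM
                System.out.println(u[0] + " -> TGT for " + t.getServer());
            }
        }
    }
}
```

The point to check in practice is the printed TGT server: each principal gets a krbtgt for its own realm, proving that the KDC was chosen from the config file per principal rather than from a JVM-wide property. If a later service ticket for a host in the other realm is needed, the domain_realm and capaths sections make the JVM hop through COMPANY.COM automatically.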
