Native Java support for Kerberos authentication uses system properties java.security.krb5.kdc and java.security.krb5.realm to specify which server exactly to ask to confirm user credentials. Is there any good way to authenticate on different servers with the same application?
E.g. I'd want to authenticate user smith on server peons.company.com, but user johndoe on bigbosses.company.com. I could try to use System.setProperty() to switch KDCs, but I have no idea if the Java Kerberos implementation really supports that. Not to mention that it requires synchronization between threads and generally feels hacky.
[Please don't tell me how I could solve this with different server configuration, I don't control those.]
Read again the Oracle docs -- you need to set these two properties if and only if you cannot point to a full Kerberos config file. And note that...
if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided
So, the sane thing to do is to forget about these properties, and instead point to a detailed, custom config file with java.security.krb5.conf.
That Kerberos config will contain, among other things,
A.COMPANY.NET trying to connect to a server from B.COMPANY.NET must hop to the root COMPANY.NET first, so you have to define that one in the list, too)

The MIT documentation for krb5.conf is a bit dry but Google will get you some examples...
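
The approach described in the answer, as an added example that is not part of the original post: one krb5.conf lists both KDCs, java.security.krb5.conf is set once at startup, and the realm in each principal name selects the KDC, so no system property changes per login. The realm names PEONS.COMPANY.COM and BIGBOSSES.COMPANY.COM, their mapping to the hosts from the question, and the class, method and JAAS entry names are assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import java.nio.file.*;
import java.util.*;

public class MultiRealmLogin {
    // Constructed config: realm names and KDC hosts are assumptions based on the question.
    static final String KRB5_CONF = String.join("\n",
        "[libdefaults]", "  default_realm = PEONS.COMPANY.COM",
        "[realms]",
        "  PEONS.COMPANY.COM = {", "    kdc = peons.company.com", "  }",
        "  BIGBOSSES.COMPANY.COM = {", "    kdc = bigbosses.company.com", "  }", "");
    // One JAAS entry serves every realm; the realm is taken from the principal name.
    static final Configuration JAAS = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false"); // always authenticate with the supplied password
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    };
    // Safe to call from several threads: no system property is changed per login.
    static Subject login(String principal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("multi-realm", null, handler, JAAS);
        lc.login(); // throws LoginException on bad credentials or an unreachable KDC
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Path conf = Files.createTempFile("krb5", ".conf");
        Files.write(conf, KRB5_CONF.getBytes());
        System.setProperty("java.security.krb5.conf", conf.toString()); // once, before the first login
        for (String principal : args) { // e.g. smith@PEONS.COMPANY.COM johndoe@BIGBOSSES.COMPANY.COM
            char[] pw = System.console().readPassword("Password for %s: ", principal);
            try { System.out.println("OK: " + login(principal, pw).getPrincipals()); }
            catch (LoginException e) { System.out.println("FAILED: " + principal + ": " + e.getMessage()); }
            finally { Arrays.fill(pw, '\0'); } // do not keep the password in memory
        }
    }
}
```

Run it from an interactive terminal with one or more user@REALM principals as arguments; a login only succeeds when the named KDC is reachable.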