How to achieve Parallel Authentication using Kerberos?
Question
I have a requirement to make multiple independent micro service calls in parallel in Spring Boot (Java) in order to address the performance issue in making sequential calls and these micro services are authenticated using Kerberos.
When I initially tried to make these calls as parallel, I understood that the Kerberos Ticket and the Token will be invalidated when initiating the parallel request as the previous ticket will no longer be valid, but I would like to listen from other experts here if there's any other way that we can achieve this.
2 answers
solution1
1 2022-12-13 02:24:53
Maybe you can cache the ticket and the token on Kerberos' server-side.
solution2
0 2022-12-17 10:19:53
When I initially tried to make these calls as parallel, I understood that the Kerberos Ticket and the Token will be invalidated when initiating the parallel request as the previous ticket will no longer be valid, but I would like to listen from other experts here if there's any other way that we can achieve this.
No, the ticket is multiple-use and never invalidated (until it reaches the ~10h expiry) – you can see in klist that the same ticket stays around across multiple runs. Only the token built out of a ticket + verifier is single-use, but the application can freely create as many tokens from a single cached ticket as it wants.
When using eg HTTP, normally you (or the HTTP client library) would call the GSSAPI or Kerberos library to start a new "security context" and get a new token immediately before every HTTP request. It's fine to start multiple GSSAPI contexts and get multiple tokens in parallel; the GSSAPI/Kerberos library will take care of acquiring and caching the service ticket.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.