Kerberos Auth with JAAS and multiple realms

Time: 2012-11-29 13:32:41

Tags: kerberos jaas

All,

Can anyone offer advice on how to authenticate against multiple KDC/realm combinations using a JAAS LoginContext? In other words, if attempt 1 against realm A fails, try realm B.

Pseudocode along the lines of the following.

As always, any help is greatly appreciated.


# krb5.conf fragment: each realm maps to its own KDC (the "=" after the
# realm name is required by the krb5.conf [realms] syntax)
[realms]
  some.address.for.auth.one =
  {
     kdc = some.address.one
  }

  some.address.for.auth.two =
  {
     kdc = some.address.two
  }

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Try realm 1 first; if that login fails, fall back to realm 2.
// The LoginContext arguments (login.conf entry name etc.) are left as "..." as in the post.
boolean loginAgainstEitherRealm()
{
   boolean loginSuccess = false;

   try
   {
      LoginContext lc = new LoginContext(...);
      //Try Realm 1
      lc.login();
      loginSuccess = true;
   }
   catch(LoginException le)
   {
     try
     {
        LoginContext lc2 = new LoginContext(...);
        //Try Realm 2
        lc2.login();
        loginSuccess = true;
     }
     catch(LoginException le2)   // the inner exception needs its own name; "le" is already in scope
     {
        //...
     }
   }

   return loginSuccess;
}

1 answer:

Answer 0 (score: 0)

This is possible. For example, you can put each configuration in a separate file and, at the start of each attempt, pass Java the path to that attempt's krb5.ini and login.conf files:

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Point the JDK at a different krb5.ini / login.conf pair before each attempt.
// Backslashes in Java string literals must be doubled ("\k" is not a legal escape).
boolean loginAgainstEitherRealm()
{
   boolean loginSuccess = false;

   try
   {
      System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf1\\krb5.ini");
      System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf1\\login.conf");
      // in login.conf you can have defined path to keytab for this configuration

      LoginContext lc = new LoginContext(...);
      //Try Realm 1
      lc.login();
      loginSuccess = true;
   }
   catch(LoginException le)
   {
     try
     {
        System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf2\\krb5.ini");
        System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf2\\login.conf");
        // in login.conf you can have defined path to keytab for this configuration

        LoginContext lc2 = new LoginContext(...);
        //Try Realm 2
        lc2.login();
        loginSuccess = true;
     }
     catch(LoginException le2)   // the inner exception needs its own name; "le" is already in scope
     {
        //...
     }
   }

   return loginSuccess;
}

Both system properties are described here:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

Another possibility is configuration without any files. There is a LoginContext constructor that takes a CallbackHandler (pass the user name and password through it) and a Configuration (pass the parameters from login.conf through it). The KDC and realm can be passed in the system properties java.security.krb5.realm and java.security.krb5.kdc.

http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.Subject-javax.security.auth.callback.CallbackHandler-javax.security.auth.login.Configuration-
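As an added example (not code from the question or from the answer above), here is the file-less variant sketched at the end of the answer written out in full: the login.conf entry is built in memory as a Configuration for the JDK's Krb5LoginModule, the user name and password are supplied by a CallbackHandler, and the realm/KDC pair is switched through the java.security.krb5.realm and java.security.krb5.kdc properties before each attempt. The entry name "multi-realm", the RealmTarget holder class, the realm and KDC values in main and the "user" default are assumptions made for the illustration. The JDK caches the Kerberos configuration after it is first read, so the refreshKrb5Config option is set to make Krb5LoginModule re-read the properties on every login; without it the second attempt could still be aimed at the first realm.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** One realm/KDC pair to try. Hypothetical holder type, not from the page. */
final class RealmTarget {
    final String realm;
    final String kdc;

    RealmTarget(String realm, String kdc) {
        this.realm = realm;
        this.kdc = kdc;
    }
}

public final class MultiRealmLogin {

    /** In-memory equivalent of a login.conf entry that uses the JDK's Krb5LoginModule. */
    private static Configuration krb5Configuration() {
        Map<String, String> options = new HashMap<>();
        options.put("useTicketCache", "false");   // always talk to the KDC, so a failure is a real failure
        options.put("refreshKrb5Config", "true"); // re-read realm/kdc properties before every login attempt
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED,
                options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // The entry name is irrelevant here: every name resolves to the same module.
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Supplies the user name and password that Krb5LoginModule asks for. */
    private static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback stores its own copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /**
     * Tries each realm in order and returns the authenticated Subject for the first
     * one that accepts the credentials, or null if every realm rejects them.
     */
    public static Subject loginFirstMatching(List<RealmTarget> targets, String user, char[] password) {
        Configuration conf = krb5Configuration();
        for (RealmTarget t : targets) {
            // These two properties are what the JDK consults when no krb5.conf is supplied.
            System.setProperty("java.security.krb5.realm", t.realm);
            System.setProperty("java.security.krb5.kdc", t.kdc);
            try {
                // "multi-realm" is an assumed entry name; krb5Configuration() ignores it anyway.
                LoginContext lc = new LoginContext("multi-realm", new Subject(),
                        credentials(user, password), conf);
                lc.login();
                return lc.getSubject();
            } catch (LoginException le) {
                // Record why this realm failed (the message carries the KDC error) and move on.
                System.err.println("Realm " + t.realm + " rejected login: " + le.getMessage());
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed realm/KDC pairs for the illustration; replace with real ones.
        List<RealmTarget> targets = Arrays.asList(
                new RealmTarget("SOME.ADDRESS.FOR.AUTH.ONE", "some.address.one"),
                new RealmTarget("SOME.ADDRESS.FOR.AUTH.TWO", "some.address.two"));
        String user = args.length > 0 ? args[0] : "user";
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", user)
                : new char[0];
        Subject subject = loginFirstMatching(targets, user, password);
        Arrays.fill(password, '\0'); // do not leave the password lying around in memory
        System.out.println(subject == null
                ? "login failed in every realm"
                : "logged in as " + subject.getPrincipals());
    }
}
```

Because the realm is switched through JVM-wide system properties, loginFirstMatching is not safe to call from several threads at the same time; serialize the calls or keep one realm per JVM. The file-based approach in the answer has the same property, since java.security.krb5.conf is global as well.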