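All,
Can anyone offer advice on how to use a JAAS LoginContext to authenticate against multiple KDC/realm combinations? In other words, if attempt 1 against realm A fails, try realm B.
Something like the pseudocode below.
As always, any help is greatly appreciated.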
[realms]
some.address.for.auth.one = {
    kdc = some.address.one
}
some.address.for.auth.two = {
    kdc = some.address.two
}

boolean loginSuccess = false;
try
{
    LoginContext lc = new LoginContext(...);
    // Try Realm 1
    lc.login();
    loginSuccess = true;
}
catch (LoginException le)
{
    // Realm 1 rejected the login, fall back to Realm 2
    try
    {
        LoginContext lc2 = new LoginContext(...);
        // Try Realm 2
        lc2.login();
        loginSuccess = true;
    }
    catch (LoginException le2)
    {
        //...
    }
}
return loginSuccess;

Answer 0 (score: 0)
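This is possible. For example, you can put each configuration in a separate file and then pass Java the paths to the krb5.ini and login.conf files at the start of each attempt:
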
boolean loginSuccess = false;
try
{
    System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf1\\krb5.ini");
    System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf1\\login.conf");
    // in login.conf you can have defined path to keytab for this configuration
    LoginContext lc = new LoginContext(...);
    // Try Realm 1
    lc.login();
    loginSuccess = true;
}
catch (LoginException le)
{
    // Realm 1 rejected the login, switch to the second configuration
    try
    {
        System.setProperty("java.security.krb5.conf", "C:\\kerb\\conf2\\krb5.ini");
        System.setProperty("java.security.auth.login.config", "C:\\kerb\\conf2\\login.conf");
        // in login.conf you can have defined path to keytab for this configuration
        LoginContext lc2 = new LoginContext(...);
        // Try Realm 2
        lc2.login();
        loginSuccess = true;
    }
    catch (LoginException le2)
    {
        //...
    }
}
return loginSuccess;

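These two system properties are described here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html and http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Another possibility is configuration without files. There is a LoginContext constructor that takes a CallbackHandler (where you pass the user name and password) and a Configuration (where you pass the parameters from login.conf). The KDC and realm can be passed in the system properties java.security.krb5.realm and java.security.krb5.kdc.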
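
The file-less variant described in the answer above, written out as an added example (not code from the original answer) that tries each realm in turn. The class name `MultiRealmLogin` and the entry name `"multi-realm"` are hypothetical, the realm and KDC values are the question's placeholders, and the use of the Krb5LoginModule option `refreshKrb5Config` so that the changed properties are re-read on each attempt is an assumption of this example. Requires Java 8 or later.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
public class MultiRealmLogin { // hypothetical class name
    // Realm -> KDC pairs: the question's placeholders, not real hosts.
    static final String[][] REALMS = {
        {"some.address.for.auth.one", "some.address.one"},
        {"some.address.for.auth.two", "some.address.two"} };
    /** Returns the authenticated Subject, or null if no realm accepts the login. */
    static synchronized Subject login(String user, char[] password) {
        Map<String, String> opts = new HashMap<>();
        opts.put("refreshKrb5Config", "true"); // re-read realm/kdc properties per attempt
        AppConfigurationEntry[] entries = { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        Configuration conf = new Configuration() { // in-memory stand-in for login.conf
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries;
            }
        };
        CallbackHandler handler = callbacks -> { // supplies the credentials on request
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        for (String[] r : REALMS) {
            // Set both together; they are JVM-wide, which is why login() is synchronized.
            System.setProperty("java.security.krb5.realm", r[0]);
            System.setProperty("java.security.krb5.kdc", r[1]);
            try {
                LoginContext lc = new LoginContext("multi-realm", new Subject(), handler, conf);
                lc.login();
                return lc.getSubject();
            } catch (LoginException e) { // this realm refused; fall through to the next
                System.err.println("Login failed in realm " + r[0] + ": " + e.getMessage());
            }
        }
        return null;
    }
    public static void main(String[] args) {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        Subject s = login(args[0], pw);
        Arrays.fill(pw, '\0'); // do not keep the password in memory
        System.out.println(s == null ? "no realm accepted the login" : "principals: " + s.getPrincipals());
    }
}
```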