Is it possible, on the server side, to obtain a service ticket for the client (the remote user) so that this ticket can be used to authenticate to another backend?
Scenario: user (IE) ==> AppServer (WebSphere, on Linux) ==> backend (web service)
Thanks in advance
=====================
@Michael-O So... it should go step by step like this?
1) Log in to the AppServer as the user that is allowed to delegate
2) Execute a privileged action in that user's name
3) Set up a context between this user and the remote backend
4) Call initSecContext with the REMOTE USER SERVICE TICKET
5) As the result of the context initialization we should get the remote user's service ticket for accessing the remote backend
import java.security.PrivilegedAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

private static String getToken(byte[] remoteUserServiceTicket) {
    String token = null;
    byte[] serviceTicket = null;
    try {
        // Kerberos v5 mechanism OID; declared final so the anonymous class below can use it
        final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        // LoginCallbackHandler is the poster's own handler supplying the app server's credentials
        LoginContext loginCtx = new LoginContext("Krb5Login", new LoginCallbackHandler("APPSERVERUSER", "APPSERVERPASSWORD"));
        loginCtx.login();
        Subject subject = loginCtx.getSubject();
        serviceTicket = Subject.doAs(subject, new PrivilegedAction<byte[]>() {
            public byte[] run() {
                try {
                    byte[] delegatedTokenForTheRemoteUser = new byte[0];
                    GSSManager manager = GSSManager.getInstance();
                    GSSName webServerUserName = manager.createName("APPSERVERUSER@MYDOMAIN", GSSName.NT_USER_NAME);
                    // initiator credential for the app server itself, valid for 8 hours
                    GSSCredential webServerCred = manager.createCredential(webServerUserName, 8 * 3600, krb5Oid,
                            GSSCredential.INITIATE_ONLY);
                    GSSName backendName = manager.createName("HTTP/mybackend@MYDOMAIN", null);
                    GSSContext context = manager.createContext(backendName, krb5Oid, webServerCred,
                            GSSContext.DEFAULT_LIFETIME);
                    delegatedTokenForTheRemoteUser = context.initSecContext(remoteUserServiceTicket, 0, remoteUserServiceTicket.length);
                    return delegatedTokenForTheRemoteUser;
                } catch (GSSException e) {
                    e.printStackTrace();
                    return null;
                }
            }
        });
    } catch (Exception e) {
        // exception handling omitted
    }
    // java.util.Base64 replaces the non-standard Base64.encode; guard against a failed action
    token = serviceTicket == null ? null : Base64.getEncoder().encodeToString(serviceTicket);
    return token;
}
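As an added example (not the poster's code), this is how Java GSS-API carries the remote user's identity on to a backend in the scenario above: the app server accepts the user's Kerberos token, checks that the client actually delegated credentials, and then initiates to the backend with that delegated credential instead of the app server's own. It assumes a JAAS login entry for the app server's service principal (typically a keytab) that yields the accepting Subject, and reuses the backend principal name from the post.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class DelegationExample {
    // Kerberos v5 mechanism OID, the same one used in the post
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /**
     * Accepts the token the remote user sent to the app server and, if the user's
     * client delegated credentials (forwardable TGT), uses that delegated credential
     * to obtain a token for the backend. Returns the Base64 token for the backend,
     * or null when the user did not delegate (the app server must not act as the user then).
     * appServerSubject: assumed to come from a LoginContext login of the service principal.
     */
    static String tokenForBackend(Subject appServerSubject, byte[] remoteUserToken) throws Exception {
        return Subject.doAs(appServerSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_OID);
            // Accept the user's token with the app server's default acceptor credential.
            GSSContext inbound = manager.createContext((GSSCredential) null);
            inbound.acceptSecContext(remoteUserToken, 0, remoteUserToken.length);
            if (!inbound.isEstablished()) {
                return null; // Kerberos normally completes in one round; anything else is not handled here
            }
            // Only continue if the client explicitly permitted delegation.
            if (!inbound.getCredDelegState()) {
                System.err.println("no delegated credential for user " + inbound.getSrcName());
                inbound.dispose();
                return null;
            }
            GSSCredential userCred = inbound.getDelegCred();
            inbound.dispose();
            // Initiate to the backend as the user, using the delegated credential.
            GSSName backend = manager.createName("HTTP/mybackend@MYDOMAIN", null);
            GSSContext outbound = manager.createContext(backend, krb5, userCred, GSSContext.DEFAULT_LIFETIME);
            outbound.requestMutualAuth(true);
            byte[] backendToken = outbound.initSecContext(new byte[0], 0, 0);
            return Base64.getEncoder().encodeToString(backendToken);
        });
    }
}
```

getCredDelegState() is only true when the user's client (for a browser, its delegation settings) forwarded a credential, so logging the null case tells you whether a failure is a delegation-policy issue rather than a code issue.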