Injection of Customized JAAS Login Module
Subject: Injection of Customized JAAS Login Module
Author: authen
In response to: JAAS Pluggable Login Module
Posted on: 10/20/2012 12:48:48 AM
In order for your customized login module to be injected, you have to tell JAAS the following:
1. Where to find your configuration file.
2. Which login module to load and how it is loaded.
Where to find your configuration file? If you name your JAAS login configuration file jaas_login.conf and put it under the directory c:\temp, then you can instruct your JVM to find it with the following property setting:
System.setProperty("java.security.auth.login.config", "c:\\temp\\jaas_login.conf");
Which login module to load and how it is loaded? The configuration file has the following structure:
myLoginEntity {
ModuleClass Flag Options;
ModuleClass Flag Options;
...
};
myLoginEntity {
ModuleClass Flag Options;
...
};
...
As an example:
myLoginEntity {
com.sun.security.auth.module.Krb5LoginModule required
principal="myName@MY_REALM"
useTicketCache=true
ticketCache="C:\\temp\\krb5cc_myName"
renewTGT=true
useKeyTab=true
keyTab="C:\\temp\\myName.keytab"
storeKey=true;
};
This instructs that Krb5LoginModule is to be injected with the required flag and the corresponding options: use principal myName@MY_REALM as the login name and retrieve the TGT ticket from the cache C:\temp\krb5cc_myName; if a valid ticket is found, there is no need to proceed. If the ticket has expired (renewTGT=true) or is not found, retrieve the private key from the keytab C:\temp\myName.keytab; if the key is not found, prompt the user for password input; request Kerberos authentication from the KDC using the above principal and private key (or password), confirmed by Wireshark KRB5 traffic showing AS-REQ/AS-REP; store (storeKey=true) the private key in the Subject's private space after successful authentication.
Note: By spec, when multiple mechanisms to retrieve a ticket or key are provided, the preference order is:
1. ticket cache
2. keytab
3. shared state
4. user prompt
For example, if "principal" is provided both from the config and by the user, the value from the config would take precedence. The keyTab path must be protected by double quotes, otherwise an exception would be thrown. The backslash (\) in the path must be escaped (\\), otherwise the keyTab would be ignored and the user's password would be used instead.
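As an added example (not code from the original post), here is a minimal customized login module that is injected through the same configuration mechanism described above. The class name MyLoginModule_1, the entry name myLoginEntity and the verify() check are assumptions for illustration; the two-phase login()/commit() split is what the LoginModule contract requires.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Config entry (assumed file c:\temp\jaas_login.conf, loaded via the property shown above):
//   myLoginEntity { com.example.MyLoginModule_1 required; };
// Caller: new LoginContext("myLoginEntity", callbackHandler).login();
public class MyLoginModule_1 implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private boolean succeeded;   // result of phase 1 (login)
    private String user;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {   // phase 1: authenticate only
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pc.getPassword();
        succeeded = pw != null && verify(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');   // drop the cleartext copy
        pc.clearPassword();
        if (!succeeded) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }

    @Override
    public boolean commit() {   // phase 2: only now attach the identity to the Subject
        if (!succeeded) return false;
        subject.getPrincipals().add(new com.sun.security.auth.UserPrincipal(user));
        return true;
    }
    @Override public boolean abort() { succeeded = false; user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Assumption: site-specific credential check (e.g. salted-hash compare); placeholder here.
    private boolean verify(String name, char[] pw) { return name != null && pw.length >= 8; }
}
```

If login() fails, the required flag means the whole LoginContext.login() fails even when other modules in the entry succeed, and abort() rather than commit() is called on every module.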
>
> On 10/20/2012 12:44:52 AM authen wrote:
JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework. All login modules implement the common interface LoginModule:
          +-------------+
          | LoginModule |  <-- {login, logout, ...}
          +-------------+
                / \
               /   \
+-----------------+   +-----------------+
| MyLoginModule_1 |   | MyLoginModule_2 |  ...
+-----------------+   +-----------------+
For example, you can use com.sun.security.auth.module.Krb5LoginModule to handle Kerberos authentication to KDC.