Delegate / forward Kerberos tickets with Spring Security

I'm trying to find information on whether Spring Security's Kerberos implementation delegates / forwards tickets so that my application server can call other Kerberos services, reusing the principal's TGT. Any documentation on this subject would be highly appreciated. Hooray!

+4
3 answers

Spring Security does not implement any Kerberos features. If you are referring to the Kerberos extension, then the answer is no. It is just authentication, and it is just a wrapper around the Java JAAS Krb5LoginModule API.

+2

This is possible after the release of Spring Security Kerberos 1.0.0.

SunJaasKerberosTicketValidator can be configured to store the authentication context:

    ticketValidator.setHoldOnToGSSContext(true);

Here is the code to get you started:

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication instanceof KerberosServiceRequestToken) {
        KerberosServiceRequestToken token = (KerberosServiceRequestToken) authentication;
        if (token.getTicketValidation() == null) {
            // No delegation possible...
        } else {
            GSSContext context = token.getTicketValidation().getGssContext();
            // ...
        }
    }

+3

As Koraktor mentioned, the SunJaasKerberosTicketValidator class contains information that is equivalent to a JAAS configuration file. However, SunJaasKerberosTicketValidator has the isInitiator flag set to false. This causes context.getCredDeleg() to return false, and you cannot delegate credentials. I did a POC, and my observation is that delegation / forwarding works only if isInitiator is set to true.

I solved this problem by writing my own TicketValidator, with all of SunJaasKerberosTicketValidator preserved as it is, except that I changed the isInitiator flag entry to options.put("isInitiator", "true");

0
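
One way to continue from the `// ...` in the second answer's snippet, as an added example that is not code from any of the answers or from Spring Security Kerberos: it uses the standard JGSS API to check whether the held context carries a delegated credential (the JGSS method is `getCredDelegState()`) and, if so, builds a SPNEGO token for a downstream service. The class name, the method name and the target SPN are hypothetical.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import java.util.Base64;

/** Added example (hypothetical class): SPNEGO token for a downstream call from a delegated credential. */
public final class DelegatedSpnego {

    // Object identifier of the SPNEGO mechanism.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * @param accepted  the server-side context held by the validator, e.g. the result of
     *                  token.getTicketValidation().getGssContext()
     * @param targetSpn hypothetical downstream service, e.g. "HTTP@backend.example.com"
     * @return the value for an "Authorization" header sent to the downstream service
     */
    public static String negotiateHeaderFor(GSSContext accepted, String targetSpn)
            throws GSSException {
        // getCredDelegState() is false when the accepted context carries no delegated credential.
        if (!accepted.isEstablished() || !accepted.getCredDelegState()) {
            throw new IllegalStateException("no delegated credential in this context");
        }
        GSSCredential delegated = accepted.getDelegCred();

        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(targetSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext outbound = manager.createContext(
                target, new Oid(SPNEGO_OID), delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            // Least privilege: do not pass the user's credential on for another hop.
            outbound.requestCredDeleg(false);
            // Single-leg exchange: only the first token is produced, no mutual authentication.
            byte[] token = outbound.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            outbound.dispose();
        }
    }
}
```

Because `setHoldOnToGSSContext(true)` keeps the accepted context alive, the application should call `dispose()` on it once the request no longer needs the delegated credential.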

Source: https://habr.com/ru/post/1435481/

