Issue
I'm using GSSAPI in Java in order to login to an LDAP server using Kerberos authentication. I'm a newbie to Kerberos, so I'm sorry if this is an obvious question, but I couldn't find anything clear enough on the internet.
I perform the following steps:
- Define Login configuration by setting the system property
"java.security.auth.login.config"
to the configuration file path. - Call
LoginContext.login()
with the name of the configuration and a self defined callback handler - In case login succeeded, "pretend to be" the subject (by using
Subject.doAs()
), and connect to the LDAP server by creating a newInitialLDAPContext
with the appropriate environment variables.
Now, My problem is I don't understand which step correlates to which kerberos action? Is it correct to say that after the login action I only have a TGT? When do I get the service specific ticket?
Thanks, Dikla
Solution
The class com.sun.security.auth.module.Krb5LoginModule is Sun's implementation of a login module for the Kerberos version 5 protocol. Upon successful authentication the Ticket Granting Ticket (TGT) is stored in the Subject's private credentials set and the Kerberos principal is stored in the Subject's principal set.
(Taken from here)
This means that LoginContext.login
is indeed equal to kinit
in that after each of them, we have a TGT.
The service ticket will be obtained and used later - according to the action performed in Subject.doAs()
.
Answered By - Dikla
Answer Checked By - Clifford M. (JavaFixing Volunteer)