pondělí 1. ledna 2018

How to use SSO with your JAVA application?

Some weeks ago I've recieved an interesting task - use passwordless access to the database. I have to use the Kerberos ticket from LSA cache and pass it to the database on Windows 7. It looks easy, or...?

You have to run regedit and add following key to your registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Then you have to create jaas config (jaas.cfg) file with following content:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule
        required
        useTicketCache=true
        doNotPrompt=false
    };

Where to put this config?

  • The JRE looks for a default jaas.conf in “file:${user.home}/.java.login.config”
  • You can add configuration files to java.security located in “lib/security” in the JRE base directory like so: “login.config.url.1=file:C:/somewhere/.java.login.config”
  • Or you can specify the jaas configuration on the command line with: 
    • “-Djava.security.auth.login.config=path_to_file”

Then you have to do one very important thing - you have to run your application as a local admin. Without this condition it is definitely not working. If you have another experience with SSO / JAVA on Windows, let me know in the discussion below. And of course, you have to change the JDBC connection string to be "Kerberos ready". For example for Teradata it is LOGMECH=KRB5.

P.S. Very nice documentation is here: http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin



Žádné komentáře: