Jaas - Requesting Renewable Kerberos Tickets
Problem description
I have a Java API that talks to the Kerberos server and performs various operations. As of now, my API requests for non-renewable tickets to the Kerberos server. From what I understand, the jaas config file has an option to set the renewTGT option to true so that a renewable ticket can be issued. However, Jaas seems to have a lot of restrictions on setting the "renewUntil" time. Can anyone please tell me how we can request for a renewable ticket and also control its renewability? Basically, is there a way we can perform a Java equivalent of the operation: kinit -R? Thanks in advance.
Recommended answer
As of JDK7 (1.7.0_55), JAAS Krb5LoginModule does not provide any option to request a renewable TGT when authenticating, so this is not currently possible using JAAS. You might be able to achieve this, but you would need to use the internal Kerberos classes directly, bypassing JAAS.
Internally, Krb5LoginModule instantiates a sun.security.krb5.KrbAsReqBuilder to obtain credentials using either a provided password, or a keyTab. KrbAsReqBuilder has a setOptions(KDCOptions options) method, but this is not called in the login module. If it could be accessed, you could call KDCOptions#set(KDCOptions.RENEWABLE, true), and I would then expect the returned ticket to be renewable, if the KDC is configured to allow renewable tickets.