Java Kerberos ticket renew TGT
Question
I am using Krb5LoginModule in one of my POCs. I have provided useDefaultCache=true and renewTGT=true.

The code throws an exception when the ticket has expired, although I have specified renewTGT=true. I have set the allowtgtsessionkey value to 1 in the Windows registry (I am running XP SP2). The KDC (Active Directory) settings are the defaults: ticket lifetime = 10 hours and renewal request threshold = 7 days.
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import com.sun.security.auth.module.Krb5LoginModule;

public class Temp3 {
    public static void main(String[] args) throws Exception {
        System.setProperty("sun.security.krb5.debug", "true");
        Subject subject = new Subject();
        // The login module is driven directly here rather than through a LoginContext
        Krb5LoginModule krb5 = new Krb5LoginModule();
        Map<String, String> map = new HashMap<String, String>();
        map.put("useTicketCache", "true");  // take the TGT from the credential cache (kinit, or the LSA cache on Windows)
        map.put("doNotPrompt", "true");     // never fall back to a password prompt
        map.put("renewTGT", "true");        // renew the cached TGT (only possible while it is still valid and within its renewable lifetime)
        map.put("debug", "true");
        krb5.initialize(subject, null, null, map);
        krb5.login();   // throws LoginException once the cached ticket has expired
        krb5.commit();
        System.out.println(subject);
    }
}
The code works fine when the ticket has not expired, i.e. when I ran kinit within 10 hours of running the code above.
I wrote this POC because I have to run JDBC-based applications using the SQL Server driver (version 4.0). I don't want long-running services to fail during database reconnect attempts, which might occur due to factors such as a network glitch resulting in a broken pipe.
Answer
You are going the wrong way. First of all, you should use LoginContext to obtain credentials and not interact with Kerberos 5 directly. Second, non-human access needs a keytab. This is equivalent to a TGT. Export a keytab for your server and modify the Krb5LoginModule configuration. This tutorial will help you.
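Putting the answer's advice into code, as an added example that is not part of the original answer: a keytab-backed login through LoginContext that fetches a fresh TGT into one shared Subject before the current ticket runs out. The point for a long-running service is that renewTGT can only extend a ticket that is still valid, whereas a keytab holds the principal's long-term key and lets the process obtain a brand-new TGT at any time, including after an outage longer than the ticket lifetime. The principal name, keytab path and JAAS entry name below are assumed placeholders; the Krb5LoginModule option names are the real ones.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Keytab-based Kerberos login via LoginContext, repeated before the TGT expires. */
public class KeytabLogin {

    // Assumed values: replace with the service principal and keytab of your deployment.
    static final String PRINCIPAL = "svc-jdbc/app01.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/security/keytabs/svc-jdbc.keytab";
    static final String ENTRY = "KeytabClient";   // assumed JAAS entry name

    /**
     * Programmatic equivalent of this jaas.conf stanza (use -Djava.security.auth.login.config=jaas.conf
     * and new LoginContext(ENTRY, subject) if you prefer a file):
     *   KeytabClient {
     *     com.sun.security.auth.module.Krb5LoginModule required
     *       useKeyTab=true storeKey=true doNotPrompt=true isInitiator=true refreshKrb5Config=true
     *       keyTab="/etc/security/keytabs/svc-jdbc.keytab"
     *       principal="svc-jdbc/app01.example.com@EXAMPLE.COM";
     *   };
     */
    static Configuration keytabConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");        // authenticate with the long-term key in the keytab ...
        opts.put("keyTab", KEYTAB);
        opts.put("principal", PRINCIPAL);
        opts.put("storeKey", "true");         // ... and keep that key in the Subject
        opts.put("doNotPrompt", "true");      // never fall back to an interactive password prompt
        opts.put("isInitiator", "true");      // we are a client: acquire a TGT, not just load service keys
        opts.put("refreshKrb5Config", "true");
        opts.put("debug", System.getProperty("sun.security.krb5.debug", "false"));
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return ENTRY.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    private final Subject subject = new Subject();
    private LoginContext lc;

    /**
     * Obtain (or replace) the TGT in the shared Subject. Reusing one Subject means code that
     * already holds it, e.g. Subject.doAs around DriverManager.getConnection, sees the new ticket.
     */
    synchronized void login() throws LoginException {
        if (lc != null) {
            lc.logout();   // drop the old credentials before fetching new ones
        }
        lc = new LoginContext(ENTRY, subject, null, keytabConfig());
        lc.login();
    }

    /** End time of the krbtgt ticket currently held, or null when there is none. */
    synchronized Date tgtEndTime() {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t.getEndTime();
            }
        }
        return null;
    }

    /** Every minute, log in again once less than 10 minutes of ticket lifetime remain. */
    void scheduleRelogin(ScheduledExecutorService exec) {
        exec.scheduleAtFixedRate(() -> {
            try {
                Date end = tgtEndTime();
                long left = end == null ? 0 : end.getTime() - System.currentTimeMillis();
                if (left < TimeUnit.MINUTES.toMillis(10)) {
                    login();
                }
            } catch (LoginException e) {
                // Keep the old ticket and retry next tick: the keytab is still valid, the KDC may just be unreachable
                System.err.println("Kerberos re-login failed: " + e.getMessage());
            }
        }, 1, 1, TimeUnit.MINUTES);
    }

    public static void main(String[] args) throws Exception {
        KeytabLogin k = new KeytabLogin();
        k.login();
        System.out.println("TGT valid until " + k.tgtEndTime());
        k.scheduleRelogin(Executors.newSingleThreadScheduledExecutor());
        // Long-running work goes here, wrapped in Subject.doAs(k.subject, ...); for the SQL Server JDBC
        // driver the URL carries integratedSecurity=true;authenticationScheme=JavaKerberos.
    }
}
```

Two caveats that follow from the design. The keytab is the principal's password in another form, so it must be readable only by the service account (mode 0400 on Unix, an ACL limited to the service identity on Windows) and rotated when the account's password changes, since the key version in the keytab must match the KDC. And because logout() empties the Subject before login() refills it, a request that runs exactly during that window would find no ticket; keeping the re-login margin well inside the ticket lifetime, as above, keeps that window short and far from the moment the ticket would actually have expired.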