如何在Java中实现Kerberos协议转换? (S4U2Self) [英] how to implement Kerberos protocol transition in Java? (S4U2Self)
问题描述
修改
现在我知道了我的需求.我需要在Java中实现Kerberos协议转换(S4U2Self). .Net中有示例,而Java中没有.
Now I know what I need. I need to implement Kerberos protocol transition (S4U2Self) in Java. There are examples in .Net, but none for Java.
有这个第三方库 Quest Java单一登录声称可以做到这一点.我已经下载了JAR,它看起来不错,但是我宁愿使用自定义实现而不是别人的代码(必须付费).
There is this third party library Quest Single Sign on for Java that claims to do that. I've downloaded the JAR and it looks good, but I would rather use a custom implementation instead of someone else's code (which have to be paid).
任何人都可以在需要做的事情上取得先机吗?是否有任何现有的开放Java API可以处理此问题?
Can anyone give any head start on what needs to be done? Any existing open Java API to handle this?
谢谢
之前的问题
此刻,我的应用程序仅知道用户ID,我需要使用Kerberos对该用户进行身份验证,创建服务票证并使用它来访问第三方服务.
At the moment my application only knows the user id, and I need to authenticate that user with Kerberos, create a service ticket and use it to access a third party service.
我的应用程序需要充当代理,并且需要代表所提供的用户ID向第三方服务发送请求.这是因为其他第三方应用程序受到限制.
My application needs to act like a proxy, and needs to send requests to the third party service on behalf of the provided user id. This is because there are constraints on other third party applications.
我无法以任何方式获取给定用户ID的密码,也无法从同一用户ID获得先前的服务凭单(以进行转发).我知道,这是管理员用户的凭据.
I can't get the password of the given user id in any way, nor get a previous service ticket from the same user id (to forward it). I do know, the credentials of an admin user.
是否有一种仅使用用户ID(主名称)创建服务令牌的方法?
Is there a way to create a service token using just the user id (principal name)?
也许是某种委托,其中已经对受信任的主体进行了身份验证并请求其他主体的服务票证?
Maybe some sort of delegation, in which a trusted principal is already authenticated and requests service tickets for other principals?
谢谢
推荐答案
S4U2self/S4U2proxy应该会出现在JDK 8中:
S4U2self/S4U2proxy is supposed to be coming in JDK 8:
- http://openjdk.java.net/projects/jdk8/features
- http://openjdk.java.net/jeps/113
同时,我正在查看 https://github.com/cconlon/kerberos -java-gssapi
(他的SWIG输入文件不包含gss_acquire_cred_impersonate_name,但是更改起来很简单.弄清楚如何使用它可能要花我一点时间.)
(His SWIG input file doesn't include gss_acquire_cred_impersonate_name but that's simple to change. Working out how to use it might take me a bit longer.)
这篇关于如何在Java中实现Kerberos协议转换? (S4U2Self)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
