Using Kerberos S4U extensions (introduced in Java 8) to connect to database using JDBC


Problem description

It's been a while since I coded in Java, so I may be missing something obvious. I want to connect to the database (I need to support many - SQL Server, MySQL, etc.) via JDBC. However, I want to use Microsoft S4U Java extension support that was added in Java 8 to achieve Kerberos delegation. I do not want the user to have to enter their credentials on my middle-tier server. I would like to use S4U to get a ticket for my middle-tier server on the user's behalf and use that to invoke the JDBC code via the doAs functions (Subject.doAs or doAsPrivileged).

I have added support for protocol transition and constrained delegation on Windows using C++ and ODBC. But I don't know how to do the same with Java. The S4U documentation on Java is sparse. This page seems to contain the most information - http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html. The page says "A new public method (GSSCredential::impersonate) has been added to the com.sun.security.jgss package to implement these extensions." Based on http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html, I was thinking that I need to use the classes LoginContext and Subject to invoke a doAs on a JDBC connection call so that the connection goes through under the Subject's credentials. But how do I use GSSCredential::impersonate in the mix?

Thanks, Ed

Recommended answer

This is the code I arrived at after a lot of spelunking online:

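   import java.security.PrivilegedAction;
   import javax.security.auth.Subject;
   import org.ietf.jgss.*;
   import com.sun.security.jgss.ExtendedGSSCredential;

   GSSManager manager = GSSManager.getInstance();
   // The middle tier's own initiator credential
   GSSCredential self  = manager.createCredential(GSSCredential.INITIATE_ONLY);
   GSSName user = manager.createName("myuser", GSSName.NT_USER_NAME);
   // S4U2self: obtain a credential for the user without the user's password
   GSSCredential impCred = ((ExtendedGSSCredential)self).impersonate(user);

   Subject mySubject = new Subject();
   mySubject.getPrivateCredentials().add(impCred);
   // ClientAction is the poster's own PrivilegedAction (not shown)
   PrivilegedAction action = new ClientAction();
   Subject.doAs(mySubject, action);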

I now get "GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)" on the impersonate call, which I am still investigating.
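
For reference, the full S4U2self then S4U2proxy chain using only JDK GSS-API classes, as an added example that is not code from the question or the answer. It goes one step beyond the snippet above by logging the service account in through JAAS and initiating a context toward the back end with the impersonated credential. The JAAS entry name `MiddleTier` and the SPN `MSSQLSvc/db.example.test:1433` are hypothetical; it assumes the service account is permitted in the KDC to delegate to that target, and handing `impCred` to a particular JDBC driver is driver-specific and not shown.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class S4uDelegationExample {
    // Constructed sample values (assumptions, not from the original post)
    static final String JAAS_ENTRY = "MiddleTier";                    // hypothetical JAAS entry
    static final String TARGET_SPN = "MSSQLSvc/db.example.test:1433"; // hypothetical database SPN

    /** Returns the first GSS token for TARGET_SPN, issued on behalf of userName. */
    static byte[] tokenOnBehalfOf(Subject service, String userName) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
            // The service's own credential, resolved from the Subject set by doAs
            GSSCredential self = manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            // S4U2self: ticket to ourselves in the user's name, no user password
            GSSName user = manager.createName(userName, GSSName.NT_USER_NAME);
            GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);
            // S4U2proxy: initiating with impCred requests a ticket for the target as the user
            GSSName target = manager.createName(TARGET_SPN, null);
            GSSContext ctx = manager.createContext(
                    target, krb5, impCred, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
                impCred.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Log the service account in first (e.g. Krb5LoginModule with a keytab)
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        byte[] token = tokenOnBehalfOf(lc.getSubject(), "myuser");
        System.out.println("initial token length: " + token.length);
        lc.logout();
    }
}
```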
