3


Now I know what I need. I need to implement Kerberos protocol transition (S4U2Self) in Java. There are examples in .Net, but none for Java.

There is this third party library Quest Single Sign on for Java that claims to do that. I've downloaded the JAR and it looks good, but I would rather use a custom implementation instead of someone else's code (which has to be paid for).

Can anyone give any head start on what needs to be done? Any existing open Java API to handle this?

Thanks

Question before

At the moment my application only knows the user id, and I need to authenticate that user with Kerberos, create a service ticket and use it to access a third party service.

My application needs to act like a proxy, and needs to send requests to the third party service on behalf of the provided user id. This is because there are constraints on other third party applications.

I can't get the password of the given user id in any way, nor get a previous service ticket from the same user id (to forward it). I do know, the credentials of an admin user.

Is there a way to create a service token using just the user id (principal name)?

Maybe some sort of delegation, in which a trusted principal is already authenticated and requests service tickets for other principals?

Thanks

jmend
  • How is the third-party service accessed by client code? This is exactly what Windows impersonation is for, so if the service isn't already written to use it, I don't think you'll have much luck. I don't think S4U will help on the client side; it allows (highly privileged) _services_ to construct impersonation tokens, without passwords and for their own use only (the tokens cannot be used on other machines). – anton.burger Apr 13 '12 at 10:32
  • Thanks, the third-party service is accessed through HTTP requests. They have an SPI, which returns the information the client code (my application) needs. The service does support Kerberos authentication, but the problem is that it will return different information depending on the user making the request. – jmend Apr 13 '12 at 14:09

1 Answer

1

S4U2self/S4U2proxy is supposed to be coming in JDK 8:

In the meantime, I'm looking at https://github.com/cconlon/kerberos-java-gssapi

(His SWIG input file doesn't include gss_acquire_cred_impersonate_name but that's simple to change. Working out how to use it might take me a bit longer.)

armb
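The protocol-transition flow the question asks for, done with the JDK's own GSS-API on JDK 8 and later (where `com.sun.security.jgss.ExtendedGSSCredential` shipped), as an added example that is not code from the question, the answer or the linked SWIG wrapper. It assumes the proxy logs in from a keytab, that `krb5.conf` is already in place, and that the principal names, keytab path and target SPN below are placeholders to be replaced.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UProxy {
    // Placeholders: the proxy's own principal, its keytab, and the backend SPN.
    static final String PROXY_PRINCIPAL = "HTTP/proxy.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/proxy.keytab";
    static final String TARGET_SERVICE = "HTTP@backend.example.com";

    /** Programmatic JAAS config: Krb5LoginModule from a keytab, no prompting. */
    static Configuration keytabLogin() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB);
        opts.put("principal", PROXY_PRINCIPAL);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "true");
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Returns the initial Kerberos token to present to the backend as userId. */
    static byte[] tokenOnBehalfOf(String userId) throws Exception {
        LoginContext lc = new LoginContext("proxy", null, null, keytabLogin());
        lc.login(); // proxy's TGT from its own keytab, never the user's password
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            GSSCredential self = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                      krb5, GSSCredential.INITIATE_ONLY);
            // S4U2Self: KDC issues a ticket to the proxy in the user's name.
            GSSName user = mgr.createName(userId, GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);
            // S4U2Proxy: initiating to the backend with that credential yields the
            // user's service ticket for the backend (constrained delegation).
            GSSName target = mgr.createName(TARGET_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }
}
```

The KDC only honours the two S4U requests when the proxy's account is configured for constrained delegation to the backend SPN with protocol transition enabled ("use any authentication protocol" in Active Directory); without that, `impersonate` or `initSecContext` fails with a KDC policy error, which is the check to look for first when debugging.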