JAAS - fails to persist Kerberos ticket to cache file, and unable to create cache from scratch.. and other details

Backend · Unresolved · 3 · 1705
野趣味 2020-12-18 11:40

I'm developing a Java application that performs authentication with JAAS, should work as follows: (i) when the ticket for user uclient is already in local cach

3 answers
  • 2020-12-18 11:50

    You can't. Java does not support persisting your TGT or service tickets back to a file-based cache which can be used with MIT Kerberos or Heimdal. Oracle has some private classes to do this, but I wouldn't recommend doing this.

  • 2020-12-18 11:57

    Finally I found an answer to questions 1 and 2.

    The kinit command bundled with the Java distribution is a Java application that authenticates the user into the realm/domain and saves the acquired ticket inside a ccache file. The kinit command code is available in the sun.security.krb5.internal.tools package of the OpenJDK. The main class is sun.security.krb5.internal.tools.Kinit. In order to acquire (authenticate) and persist the Kerberos tickets you can copy the whole tools package into your application and invoke the method main(String[] argv) of the Kinit class, providing the CLI arguments. You can also, as I have done, change the Kinit class in order to integrate better with your code.

    The Kinit code is very useful in order to understand the inner workings of the internal private Kerberos code and in order to customize it. For example, there is a KDCOptions instance that you can manually configure in order to ask for a renewable ticket, and much more. Let's study it! ;-)

    Please consider that:

    • there is no guarantee that the interfaces of internal code will be left unchanged in future JDK releases;
    • there is no guarantee that the interfaces of internal code are the same between different JDK vendors.

    I can confirm that my code is working fine with both OpenJDK and Oracle JDK.

    The big picture

    At the moment my application uses JAAS in order to authenticate by looking at the Kerberos credentials in the local ccache file; in case of failure, it executes the kinit code as mentioned above. Then it authenticates with JAAS from the updated ccache file.

    The next step

    I'm currently trying to persist the Kerberos ticket to the ccache directly from the Credentials in a Subject object.
    I'll try to use the sun.security.krb5.internal.ccache.FileCredentialCache class, but it looks like a low-level way to go. Let's look at the use of the CredentialCache abstract class in the kinit code; it may be useful. I'll update the thread in case of success.

    Thanks

    Thank you to Michael-O, who showed me the sun.security.krb5.internal package where I finally found the kinit code.

    Regards

  • 2020-12-18 12:12

    The other questions.

    3 - Just for curiosity, is the Java JAAS able to manage the Linux KEYRINGs? (At the moment JAAS was not able to automatically manage them.)

    No, the internal Java Kerberos classes only manage files, not KEYRINGs.

    4 - Is Java JAAS only able to manage/persist tickets for the default principal in the cache? Or how do I manage with JAAS a situation where I have tickets for a lot of principals in a single cache file?

    I found no simple way to manage collections (it's quite a recent standard); my personal choice is to create one cache file per principal.

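The two-step flow from the "big picture" answer above (authenticate with JAAS from the ccache file, fall back to kinit, then retry), combined with the one-cache-file-per-principal choice from this last answer, as an added Java example that is not code from the thread. It assumes a cache path of /tmp/krb5cc_<user>, the placeholder realm EXAMPLE.COM, and the system kinit as the fallback instead of the JDK's internal Kinit class.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.*;

public final class PerPrincipalCcacheLogin {
    // Assumed layout: one MIT-format file cache per principal, e.g. /tmp/krb5cc_uclient
    static String cacheFileFor(String principal) {
        String user = principal.split("@", 2)[0];
        return "/tmp/krb5cc_" + user.replaceAll("[^A-Za-z0-9_.-]", "_");
    }
    // Programmatic equivalent of a jaas.conf entry: Krb5LoginModule reading only this cache file.
    static Configuration ccacheOnlyConfig(String principal, String ccache) {
        Map<String, String> opts = Map.of(
                "useTicketCache", "true",
                "ticketCache", ccache,
                "principal", principal,     // select this principal's TGT from the cache
                "renewTGT", "true",
                "doNotPrompt", "true");     // fail instead of falling back to a password prompt
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }
    // Step 1 of the "big picture": authenticate from the principal's own cache file.
    static Subject loginFromCache(String principal) throws LoginException {
        LoginContext lc = new LoginContext("ccache", null, null,
                ccacheOnlyConfig(principal, cacheFileFor(principal)));
        lc.login();
        return lc.getSubject();
    }
    // Step 2: if the cache holds no usable ticket, (re)populate it with the system kinit and retry step 1.
    static Subject loginOrKinit(String principal) throws Exception {
        try {
            return loginFromCache(principal);
        } catch (LoginException e) {
            Process p = new ProcessBuilder("kinit", "-c", cacheFileFor(principal), principal)
                    .inheritIO().start();   // prompts for the password on the terminal
            if (p.waitFor() != 0) throw new IOException("kinit failed for " + principal);
            return loginFromCache(principal);
        }
    }
    public static void main(String[] args) throws Exception {   // EXAMPLE.COM is a placeholder realm
        System.out.println(loginOrKinit(args.length > 0 ? args[0] : "uclient@EXAMPLE.COM").getPrincipals());
    }
}
```

Because doNotPrompt is set, a missing or expired ticket surfaces as a LoginException instead of an interactive password prompt, which is what makes the explicit kinit fallback observable and testable.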