Using Java 8 S4U2Proxy and S4U2Self - A good example needed

I am trying to use S4U2Proxy and S4U2Self introduced in Java 8. Unfortunately I was not successful in finding many examples. My requirement is that the client would send its certificate. I should then delegate (using Kerberos) his request, connect to the KDC, get the TGT, get the service ticket to contact another server on the user's behalf and then finally contact the actual service by providing the service ticket. If you have a working example for some dummy client and server, it would be great.

I have a code base which does the following -
1) Using JAAS, the service which is supposed to impersonate successfully logs in to the KDC.
2) I now have the JAAS subject. It contains the Kerberos ticket (TGT and all).
3) Within the scope of the "subject", I am now running the below code. But it fails with an error "Invalid option setting in ticket request. (101)". Obviously there is a basic issue in my code that I am missing. This error is occurring even before a request is made to the KDC.



Obviously there will be questions about how the SPN has been set in the KDC? Whether that service account is authorized for delegation? Has the right SPN been assigned to that service account? When the user "monkey" denies all sorts of delegation? etc etc. Right now I feel I have made the right settings in the KDC. My problem is the above is occurring even before it hits the KDC. Any valid inputs will help.

After some research, I was able to perform S4U2Self and S4U2Proxy using Java 8. Surprised that at least one example should have been provided by Oracle documentation. Anyhow, I am now moving to the next stage. Now another scenario that I have to handle is cross-domain Kerberos certificate delegation. From the Java 8 documentation that I have seen so far, it infers that currently cross-realm is not supported. Is it still true?

Hi Nischit,

I have to work with S4U2Proxy and S4U2Self as well, but I too cannot find any good examples. You mentioned you were able to get a result. Would you mind sharing that result?


On a side note, while searching for a solution, I found you posted this question not just here but also at http://stackoverflow.com/questions/31051468/using-java-8-s4u2proxy-a-good-example-needed and https://community.oracle.com/thread/3758634. You should tell people when you cross post, so people won't waste time answering your question when it already has been answered somewhere else. This is somewhere in the FAQ (can't find the link right now).
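
For readers looking for the flow discussed in this thread, here is an added sketch (not code from any poster, and not Oracle's sample) of S4U2Self followed by S4U2Proxy using the JDK 8 `com.sun.security.jgss.ExtendedGSSCredential` API. The JAAS entry name, realm and backend host are placeholders; it assumes the service logs in from a JAAS config supplied via `-Djava.security.auth.login.config`, that its TGT is forwardable, and that the KDC permits the service account to delegate to the backend SPN.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

public class S4UExample {
    // Placeholders (assumptions), not values taken from the thread.
    static final String JAAS_ENTRY = "service";               // entry in the JAAS config file
    static final String USER = "monkey@EXAMPLE.COM";          // user to impersonate
    static final String BACKEND = "HTTP@backend.example.com"; // host-based name of the target

    /** Must run inside Subject.doAs so JGSS finds the service's own TGT. */
    static byte[] tokenOnBehalfOf(String user, String backend) throws GSSException {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
        GSSManager mgr = GSSManager.getInstance();

        // The service's own initiator credential, backed by the TGT in the Subject.
        GSSCredential self = mgr.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // S4U2Self: obtain a ticket to this service in the user's name.
        GSSName userName = mgr.createName(user, GSSName.NT_USER_NAME);
        GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(userName);

        // S4U2Proxy: initiating a context with the impersonated credential
        // requests a ticket for the backend on the user's behalf.
        GSSName target = mgr.createName(backend, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(
                target, krb5, impersonated, GSSContext.DEFAULT_LIFETIME);
        try {
            return ctx.initSecContext(new byte[0], 0, 0); // first token for the backend
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY); // Krb5LoginModule entry, e.g. keytab login
        lc.login();
        try {
            byte[] token = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<byte[]>) () -> tokenOnBehalfOf(USER, BACKEND));
            System.out.println("Got " + token.length + " byte token for " + BACKEND);
        } finally {
            lc.logout();
        }
    }
}
```

The JDK refuses S4U2Self when the service's TGT is not forwardable, so check `forwardable = true` in `krb5.conf` and the account's delegation settings before debugging the code itself.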