Java Kerberos


The Kerberos System is an integral part of the Java Authentication and Authorization Service (JAAS).

Cross-Reference: Chapter 19 provides a description and introduction to JAAS.

Kerberos can be used as the LoginModule of JAAS. The Kerberos login module in Java is com.sun.security.auth.module.Krb5LoginModule. When it is named in jaas.conf as the LoginModule to use, the Kerberos protocol performs the authentication in JAAS. As mentioned in earlier chapters, a subject is a user or other type of principal before it is authenticated. After it is authenticated, it becomes a principal, in this case a KerberosPrincipal. The subject's private credentials are then populated with the KerberosTicket, which contains the keys, tokens, and other information that establish the credentials of the principal.

The authentication is completed when the commit method of the Krb5LoginModule finishes. If storeKey is set to true in the JAAS configuration file, the Krb5LoginModule also stores the KerberosKey as a private credential. If useFirstPass is set in the JAAS configuration file, the LoginModule retrieves the username and password from the module's shared state, using javax.security.auth.login.name and javax.security.auth.login.password as the username and password keys.

If that authentication fails, there is no retry and the failure is reported. If tryFirstPass is set to true, the module behaves like useFirstPass except that, if the authentication fails, the LoginModule uses the CallbackHandler to retrieve a new username and password. If it fails again, the failure is reported back to the calling application. If storePass is set, the username and password are kept in the shared state even after authentication; otherwise, if clearPass is set, the username and password are cleared after authentication. These are just some of the ways that the Krb5LoginModule class can drive the client side of Kerberos.

The KerberosTicket class is the client class that holds the ticket used to communicate with the AS and TGS. To understand the fields and methods in this class, see the v5 ticket structure. The KerberosPrincipal class structures the principal name; it takes the form rich/admin/richware.com as described for v5.

In the JAAS framework, just as in the Kerberos specification itself, Kerberos uses the GSS-API; in Java this is the Java GSS-API. These are all included in the 1.4 JREs, which also ship the Sun Kerberos LoginModule. To run the Sun implementation, krb5.conf and the KDC must be set up correctly; these settings define the realm. The realm can also be set with the properties java.security.krb5.realm and java.security.krb5.kdc. If you set one of these properties, you must set them both. The property java.security.krb5.conf tells the Java application where to find krb5.conf.
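The following Java program is an added example, not code from the book, that ties together the configuration options just described (storeKey, tryFirstPass, clearPass) and the realm and KDC properties. The jaas.conf content shown in the leading comment, the realm EXAMPLE.COM, the KDC host kdc.example.com, and the user name rich are all assumed values; the class and property names are the real JAAS and Kerberos ones. After login() returns, the program inspects what commit() placed in the Subject: the KerberosPrincipal, the KerberosTicket (the TGT), and, because storeKey=true, the KerberosKey.

```java
// Added example (not from the book): logging in through Krb5LoginModule and
// inspecting what it places in the Subject. Assumed names: realm EXAMPLE.COM,
// KDC host kdc.example.com, configuration file jaas.conf, user "rich".
//
// jaas.conf (assumed content, located via java.security.auth.login.config):
//
//   KerberosLogin {
//       com.sun.security.auth.module.Krb5LoginModule required
//           storeKey=true       // keep the KerberosKey as a private credential
//           tryFirstPass=true   // try shared-state name/password first, then the CallbackHandler
//           clearPass=true;     // wipe name/password from shared state after commit
//   };

import java.io.IOException;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosLoginDemo {

    /** Supplies the username and password when Krb5LoginModule asks for them. */
    static final class FixedCredentialHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentialHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unrecognized callback");
                }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        // Point JAAS at the configuration file and name the Kerberos realm and KDC.
        // krb5.realm and krb5.kdc must be set together; alternatively set
        // java.security.krb5.conf to the path of a krb5.conf and omit both.
        System.setProperty("java.security.auth.login.config", "jaas.conf");
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");

        // Read the password without echoing it; requires an interactive console.
        char[] password = System.console().readPassword("Password for rich: ");
        LoginContext lc = new LoginContext("KerberosLogin",
                new FixedCredentialHandler("rich", password));
        try {
            lc.login();   // runs login() and then commit() on Krb5LoginModule
        } finally {
            Arrays.fill(password, '\0');   // do not keep the secret in memory longer than needed
        }

        Subject subject = lc.getSubject();
        // commit() adds a KerberosPrincipal to the Subject's principal set ...
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal: " + p.getName() + " realm=" + p.getRealm());
        }
        // ... and a KerberosTicket (the TGT) to the private credentials ...
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("TGT for " + t.getServer().getName() + " expires " + t.getEndTime());
        }
        // ... plus, with storeKey=true, the KerberosKey derived from the password.
        Set<KerberosKey> keys = subject.getPrivateCredentials(KerberosKey.class);
        System.out.println("stored keys: " + keys.size());

        lc.logout();  // removes the principal and credentials from the Subject
    }
}
```

Running the class from a directory containing the assumed jaas.conf, with a reachable KDC, prints the principal, the TGT's server and expiry, and one stored key; with a wrong password, login() throws a LoginException after the CallbackHandler has been consulted once more, which is the tryFirstPass behaviour described above.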

Like all LoginModules in JAAS, there is a process of authentication. The Kerberos LoginModule is very popular for authentication. To log in using a username and password, a principal must be represented as soon as the subject logs in. The javax.security.auth.kerberos.KerberosPrincipal class in Java implements this representation for both Java and Kerberos. The naming of this principal is defined in RFC 1964.

When a key is available in the Kerberos keytab, the LoginModule reads it from Kerberos and uses it as the secret key. The Java class supporting this functionality is javax.security.auth.kerberos.KerberosKey, which is added to the private credential set so that the key can be used for the login of the principal. Using this functionality without the Java GSS-API (JGSS) requires the PrivateCredentialPermission from Java; when JGSS is used, the JAAS ServicePermission is required instead.

Another class used by the JAAS Kerberos LoginModule is javax.security.auth.kerberos.KerberosTicket, which is used to authenticate the principal to the KDC. The KerberosTicket is a wrapper around the Kerberos ticket described in the Kerberos protocol and is used in both the requests and replies to and from the KDC. When JGSS is used, it also uses a ServicePermission that sets the permissions of the user based on the Kerberos PD from the KDC. Otherwise, the PrivateCredentialPermission of JAAS must be used to set the permissions of the principal, because if JGSS is not being used to interface with the GSS-API, the KDC cannot set the principal's permission set through JAAS.

Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222
