From: Alon Bar-L. <alo...@gm...> - 2014-05-18 11:47:03
On Sun, May 18, 2014 at 12:15 PM, Neil A. Wilson
<nei...@un...> wrote:
>
> On 05/17/2014 04:47 PM, Alon Bar-Lev wrote:
>>
>> Hi,
>>
>> As far as I understand from source (GSSAPIBindRequest.java).
>>
>> 1. There is no way to modify the login context name, it is hardcoded to:
>>
>> private static final String JAAS_CLIENT_NAME = "GSSAPIBindRequest";
>>
>> This means that there can not be different setting at jaas.conf for
>> different setups.
>>
>> Please consider to enable override at GSSAPIBindRequest,
>> GSSAPIBindRequestProperties.
>
>
> I have added the ability to override the client name via GSSAPIBindRequest properties.
>
> However, since the LDAP SDK already allowed you to provide your own JAAS configuration file, you could have simply used different JAAS configuration files with different settings rather than one file with all the settings.
There can be a single file per JRE instance, so there can be a single
configuration per instance unless you provide the means to override
the context name as you have done.
Thank you for the quick fix!
> The configuration file path is defined using a system property so you may have needed to add some protection against race conditions, but I would think it unlikely to have a client that needs to perform a high volume of concurrent Kerberos authentications with different settings. At any rate, the new mechanism allows you to avoid that if you specify all the desired collections of settings in a single file.
The problem is having two or more instances living in the same JRE.
For example, running two web applications under a J2EE application server
with different settings.
>> 2. There is no way to use system already authenticated GSSAPI, the
>> implementation always uses the LoginContext overriding system
>> credentials with credentials provided within the
>> GSSAPIBindRequest/Properties. I am not sure that there is a workaround
>> using current implementation.
>>
>> Please consider to support system credentials in case of GSSAPI as
>> this is what Kerberos is mostly about. I believe it basically means
>> to drop the LoginContext and the Subject.doAs(), calling the run
>> directly if password is null or other property is set.
>
>
> It is possible to leverage an existing authentication session through the use of a ticket cache. I've tested this and verified that it works on both Solaris and Linux.
So a custom JAAS configuration must be provided; I will do that and
use (1) per profile, and declare several profiles with different
attributes.
Thank you so much for the support!
Another issue:
While reading the code of GSSAPIBindRequest I saw these:
System.setProperty(PROPERTY_CONFIG_FILE, configFilePath);
System.setProperty(PROPERTY_SUBJECT_CREDS_ONLY, "true");
There is no way to override these. If no system property is specified
then it creates its own temp file and sets the system property to use
the temp file. This conflicts with the way JBoss is working[1] and maybe
other application servers, virtually affecting the entire
application server without any way to override, and ignoring their
settings.
There should be a way to leave the JAAS settings alone without setting
anything at JRE level.
This is also true for DEFAULT_KDC_ADDRESS and PROPERTY_REALM:
removing the property if it was null in the static context does not mean
that the web application did not set them during initialization.
Although these can be easily overridden using the
GSSAPIBindRequestProperties, I think there should be a mode to not
change system state at all.
What do you think?
Regards,
Alon Bar-Lev
[1] https://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/Security_on_JBoss-Defining_Security_Domains.html#Defining_Security_Domains-The_XMLLoginConfig_DTD
>> Regards,
>> Alon Bar-Lev
>>
>> _______________________________________________
>> ldap-sdk-discuss mailing list
>> lda...@li...
>> https://lists.sourceforge.net/lists/listinfo/ldap-sdk-discuss
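A defensive wrapper for the JVM-wide side effect described in this message (the SDK setting PROPERTY_CONFIG_FILE, PROPERTY_SUBJECT_CREDS_ONLY and the KDC/realm properties). This is an added example, not code from the LDAP SDK or from anyone in the thread; it assumes the standard JDK property names behind those constants, and the class name and file paths are hypothetical.

```java
import java.util.concurrent.Callable;

/**
 * Hypothetical helper (not part of the UnboundID LDAP SDK): snapshot the
 * JVM-wide JAAS/Kerberos properties that a GSSAPI bind may overwrite, run the
 * bind, then put the previous values back so an application server's own
 * login configuration is not silently replaced for the rest of the JVM.
 */
public final class JaasPropertyGuard {

    // JDK property names behind PROPERTY_CONFIG_FILE, PROPERTY_SUBJECT_CREDS_ONLY,
    // the KDC address and the realm (assumed standard names).
    private static final String[] GUARDED = {
        "java.security.auth.login.config",
        "javax.security.auth.useSubjectCredsOnly",
        "java.security.krb5.kdc",
        "java.security.krb5.realm"
    };

    private JaasPropertyGuard() {}

    /** Run {@code action} (e.g. the bind) and restore the guarded properties afterwards. */
    public static <T> T runPreservingProperties(Callable<T> action) throws Exception {
        String[] saved = new String[GUARDED.length];
        for (int i = 0; i < GUARDED.length; i++) {
            saved[i] = System.getProperty(GUARDED[i]);   // null means "was unset"
        }
        try {
            return action.call();
        } finally {
            for (int i = 0; i < GUARDED.length; i++) {
                if (saved[i] == null) {
                    System.clearProperty(GUARDED[i]);     // unset again, do not leave the SDK's value
                } else {
                    System.setProperty(GUARDED[i], saved[i]);
                }
            }
        }
    }

    // Demonstration with a constructed action standing in for the bind; paths are placeholders.
    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "/path/to/appserver-login.conf");
        String result = runPreservingProperties(() -> {
            // Simulate what the bind does: replace the container's settings JVM-wide.
            System.setProperty("java.security.auth.login.config", "/tmp/sdk-generated.conf");
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
            return "bind-done";
        });
        System.out.println(result + " config=" + System.getProperty("java.security.auth.login.config"));
    }
}
```

Because the properties are JVM-global, this only restores them after the bind returns; other threads that consult the JAAS configuration while the bind is in flight still observe the SDK's values, which is the race this thread already notes.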