Subject: Injection of Customized JAAS Login Module
Author: authen
In response to: JAAS Pluggable Login Module
Posted on: 10/20/2012 12:48:48 AM

In order for your customized login module to be injected, you have to tell JAAS the following:

  • Where to find your configuration file;
  • Which login module to load and how it is loaded.

    Where to find your configuration file?
    If you name your JAAS login configuration file jaas_login.conf and put it under the directory c:\temp, you can instruct your JVM to find it with the following property setting:
      System.setProperty("java.security.auth.login.config", "c:\\temp\\jaas_login.conf");
    


    Which login module to load and how it is loaded?
    The configuration file has the following structure:
          myLoginEntity {
              ModuleClass  Flag  Options;
              ModuleClass  Flag  Options;
              ...
          };
          myLoginEntity {
              ModuleClass  Flag  Options;
              ...
          };
          ...
    


    As an example:
    myLoginEntity {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="myName@MY_REALM"
        useTicketCache=true
        ticketCache="C:\\temp\\krb5cc_myName"
        renewTGT=true
        useKeyTab=true
        keyTab="C:\\temp\\myName.keytab"
        storeKey=true;
    };
    


    This instructs that Krb5LoginModule is to be injected with the required flag and the corresponding options:
  • use principal myName@MY_REALM as the login name and retrieve the TGT ticket from the cache C:\temp\krb5cc_myName; if a valid ticket is found, there is no need to proceed.
  • if the ticket has expired (renewTGT=true) or no ticket is found, retrieve the private key from the keytab C:\temp\myName.keytab; if the key is not found, prompt the user for a password;
  • request Kerberos authentication from the KDC using the above principal and private key (or password); confirmed by Wireshark KRB5 traffic with AS-REQ/AS-REP
  • store (storeKey=true) the private key in the Subject's private credential set after successful authentication.

    Note:
  • By spec, when multiple mechanisms to retrieve a ticket or key are provided, the preference order is:
    ---- 1. ticket cache
    ---- 2. keytab
    ---- 3. shared state
    ---- 4. user prompt
    For example, if "principal" is provided both in the config and by the user, the value from the config takes precedence.
  • The keyTab path must be protected by double quotes, otherwise an exception is thrown.
  • The backslash (\) in the path must be escaped (\\), otherwise the keyTab is ignored and the user's password is used instead.

    > On 10/20/2012 12:44:52 AM authen wrote:


    JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework. All login modules implement the common interface LoginModule:
                        +---------------+
                        |  LoginModule  | <-- {login,logout,...}
                        +---------------+
                             /       \ 
                            /         \
             +-----------------+    +-----------------+
             | MyLoginModule_1 |    | MyLoginModule_2 |  ...
             +-----------------+    +-----------------+
    


    For example, you can use com.sun.security.auth.module.Krb5LoginModule to handle Kerberos authentication to KDC.
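As an added example (not code from the original posts), the following puts both halves of the thread together: a minimal custom LoginModule implementing the interface sketched above, and a programmatic Configuration that "injects" it under the entry name myLoginEntity with the required flag. It does in memory exactly what the jaas_login.conf file does, so it runs offline without a KDC. The class names, the entry name and the fixed credentials alice/s3cret are constructed for illustration only. The configured "principal" option is made to win over the name supplied through the CallbackHandler, mirroring the precedence note for Krb5LoginModule above.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Demo of a custom JAAS LoginModule plus an in-memory Configuration.
 *  Illustration code, not part of the original forum posts. */
public class DemoJaas {

    /** Minimal Principal carrying the authenticated user name. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Constructed module: accepts only the hard-coded pair alice / s3cret. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private boolean succeeded;
        private UserPrincipal principal;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.options = options;
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[]{nc, pc});
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            // Config-supplied "principal" takes precedence over the user-supplied name.
            String configured = (String) options.get("principal");
            String user = configured != null ? configured : nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Demo check only; a real module would verify against a credential store.
            succeeded = "alice".equals(user) && pw != null
                    && Arrays.equals(pw, "s3cret".toCharArray());
            if (pw != null) Arrays.fill(pw, '\0');
            if (!succeeded) throw new FailedLoginException("bad credentials for " + user);
            principal = new UserPrincipal(user);
            return true;
        }

        // Only a successful login() may add principals to the Subject.
        @Override public boolean commit() {
            if (succeeded) subject.getPrincipals().add(principal);
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; principal = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    /** In-memory equivalent of:
     *    myLoginEntity { DemoJaas$DemoLoginModule required principal="alice"; };  */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"myLoginEntity".equals(name)) return null;
            Map<String, String> opts = Collections.singletonMap("principal", "alice");
            return new AppConfigurationEntry[]{ new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    };

    /** Handler that answers "bob" as the name (ignored: config wins) and the given password. */
    static CallbackHandler handlerFor(String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("bob");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext ok = new LoginContext("myLoginEntity", new Subject(), handlerFor("s3cret"), CONFIG);
        ok.login();
        System.out.println("principals after login: " + ok.getSubject().getPrincipals());
        ok.logout();
        try {
            new LoginContext("myLoginEntity", new Subject(), handlerFor("wrong"), CONFIG).login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac DemoJaas.java && java DemoJaas. To switch to the file-based approach from the first post, drop the Configuration argument from the LoginContext constructor, set java.security.auth.login.config to the path of a jaas_login.conf containing the entry in the comment above, and JAAS will load DemoJaas$DemoLoginModule by name through the same reflective path it uses for Krb5LoginModule. Note that the module adds a Principal only from commit() and only when login() succeeded; abort() and logout() clear that state, which is what keeps a failed or partial login from leaving anything behind in the Subject.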