Class SunJaasKerberosTicketValidator

java.lang.Object
org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, KerberosTicketValidator

public class SunJaasKerberosTicketValidator extends Object implements KerberosTicketValidator, org.springframework.beans.factory.InitializingBean
Implementation of KerberosTicketValidator which uses the SUN JAAS login module included in the SUN JRE; it will not work with an IBM JRE. The whole configuration is done in this class; no additional JAAS configuration is needed.
Since:
1.0
  • Constructor Details

    • SunJaasKerberosTicketValidator

      public SunJaasKerberosTicketValidator()
  • Method Details

    • validateTicket

      public KerberosTicketValidation validateTicket(byte[] token)
      Description copied from interface: KerberosTicketValidator
      Validates a Kerberos/SPNEGO ticket.
      Specified by:
      validateTicket in interface KerberosTicketValidator
      Parameters:
      token - Kerberos/SPNEGO ticket
      Returns:
      authenticated kerberos principal
    • afterPropertiesSet

      public void afterPropertiesSet() throws Exception
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Throws:
      Exception
    • setServicePrincipal

      public void setServicePrincipal(String servicePrincipal)
      The service principal of the application. For web apps this is HTTP/full-qualified-domain-name@DOMAIN. The keytab must contain the key for this principal.
      Parameters:
      servicePrincipal - service principal to use
    • setRealmName

      public void setRealmName(String realmName)
      The realm name of the application. For web apps this is DOMAIN.
      Parameters:
      realmName -
    • setMultiTier

      public void setMultiTier(boolean multiTier)
      Parameters:
      multiTier -
    • setKeyTabLocation

      public void setKeyTabLocation(org.springframework.core.io.Resource keyTabLocation)

      The location of the keytab. You can use the normal Spring Resource prefixes like file: or classpath:, but as the file is later read by JAAS, we cannot guarantee that classpath: works in every environment, especially not in Java EE application servers. You should use file: there. This file also needs special protection, which is another reason not to include it in the classpath but rather to use, for example, file:/etc/http.keytab.

      Parameters:
      keyTabLocation - The location where the keytab resides
    • setDebug

      public void setDebug(boolean debug)
      Enables the debug mode of the JAAS Kerberos login module.
      Parameters:
      debug - default is false
    • setHoldOnToGSSContext

      public void setHoldOnToGSSContext(boolean holdOnToGSSContext)
      Determines whether to hold on to the GSS security context or otherwise dispose of it immediately (the default behaviour).

      Holding on to the GSS context allows decrypt and encrypt operations for subsequent interactions with the principal.

      Parameters:
      holdOnToGSSContext - true if should hold on to context
    • setRefreshKrb5Config

      public void setRefreshKrb5Config(boolean refreshKrb5Config)
      Enables configuration to be refreshed before the login method is called.
      Parameters:
      refreshKrb5Config - Set this to true, if you want the configuration to be refreshed before the login method is called.