org.springframework.security.kerberos.authentication.sun

Class SunJaasKerberosTicketValidator

java.lang.Object

org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, KerberosTicketValidator

public class SunJaasKerberosTicketValidator
extends java.lang.Object
implements KerberosTicketValidator, org.springframework.beans.factory.InitializingBean

Implementation of KerberosTicketValidator which uses the SUN JAAS login module, which is included in the SUN JRE, it will not work with an IBM JRE. The whole configuration is done in this class, no additional JAAS configuration is needed.

Since:

1.0

Author:

Mike Wiesner, Jeremy Stone

Constructor Summary

Constructors

Constructor and Description
SunJaasKerberosTicketValidator()

Method Summary

Methods

Modifier and Type	Method and Description
void	afterPropertiesSet()
void	setDebug(boolean debug) Enables the debug mode of the JAAS Kerberos login module.
void	setHoldOnToGSSContext(boolean holdOnToGSSContext) Determines whether to hold on to the GSS security context or otherwise dispose of it immediately (the default behaviour).
void	setKeyTabLocation(org.springframework.core.io.Resource keyTabLocation) The location of the keytab.
void	setServicePrincipal(java.lang.String servicePrincipal) The service principal of the application.
KerberosTicketValidation	validateTicket(byte[] token) Validates a Kerberos/SPNEGO ticket.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SunJaasKerberosTicketValidator

public SunJaasKerberosTicketValidator()

Method Detail

validateTicket

public KerberosTicketValidation validateTicket(byte[] token)

Description copied from interface: KerberosTicketValidator

Validates a Kerberos/SPNEGO ticket.

Specified by:

validateTicket in interface KerberosTicketValidator

Parameters:

token - Kerbeos/SPNEGO ticket

Returns:

authenticated kerberos principal

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

java.lang.Exception

setServicePrincipal

public void setServicePrincipal(java.lang.String servicePrincipal)

The service principal of the application. For web apps this is HTTP/full-qualified-domain-name@DOMAIN. The keytab must contain the key for this principal.

Parameters:

servicePrincipal - service principal to use

See Also:

setKeyTabLocation(Resource)

setKeyTabLocation

public void setKeyTabLocation(org.springframework.core.io.Resource keyTabLocation)

The location of the keytab. You can use the normale Spring Resource prefixes like file: or classpath:, but as the file is later on read by JAAS, we cannot guarantee that classpath works in every environment, esp. not in Java EE application servers. You should use file: there. This file also needs special protection, which is another reason to not include it in the classpath but rather use file:/etc/http.keytab for example.

Parameters:

keyTabLocation - The location where the keytab resides

setDebug

public void setDebug(boolean debug)

Enables the debug mode of the JAAS Kerberos login module.

Parameters:

debug - default is false

setHoldOnToGSSContext

public void setHoldOnToGSSContext(boolean holdOnToGSSContext)

Determines whether to hold on to the GSS security context or otherwise dispose of it immediately (the default behaviour).

Holding on to the GSS context allows decrypt and encrypt operations for subsequent interactions with the principal.

Parameters:

holdOnToGSSContext - true if should hold on to context