Enabling The JAAS Login Facility

IBM JGSS includes an optional JAAS login facility, which saves principal credentials and secret keys in the Subject of the application's JAAS login context. JGSS retrieves credentials and secret keys from the Subject by default. However, this feature can be disabled by setting the Java™ property javax.security.auth.useSubjectCredsOnly to false.

To use the JAAS login facility, an application must follow the JAAS programming model. It must create a JAAS login context and operate within the confines of a JAAS Subject doAs construct as illustrated in the following code segment:

static class JGSSOperations implements PrivilegedExceptionAction {

  public JGSSOperations() {}

    public Object run () throws GSSException {

    // JGSS application code goes/runs here

    }

  }

  public static void main(String args[]) throws Exception {

    // Create a login context that will use the callback handler com.ibm.security.auth.callback.Krb5CallbackHandler

    // There must be a JAAS configuration for "JGSSClient"

    LoginContext loginContext = new LoginContext("JGSSClient", new Krb5CallbackHandler());

    // Run the entire JGSS application in JAAS privileged mode

  Subject.doAsPrivileged(Subject.getSubject(), new JGSSOperations(), null);

}