JAAS Login
IBM JGSS features a JAAS Kerberos login interface. Usually JGSS obtains credentials from an existing Subject in the context. If no credentials can be found, JGSS can use this Kerberos login interface to acquire new credentials. This feature is optional and can be enabled by setting the Java™ property javax.security.auth.useSubjectCredsOnly to false. By default javax.security.auth.useSubjectCredsOnly is true.
| Option Name | Value | Default | Explanation |
|---|---|---|---|
| credsType | initiator|acceptor|both | initiator | JGSS credential type |
| debug | true|false | false | Turns debug on/off in login module |
| forwardable | true|false | false | Whether to acquire a forwardable TGT |
| moduleBanner | true|false | false | Display login module banner |
| principal | <string> | No default | Kerberos principal name |
| proxiable | true|false | false | Whether to acquire a proxiable TGT |
| tryFirstPass | true|false | false | Try password saved in shared state |
| useCcache | <URL> | Don't use cred cache | Retrieve TGT from the specified credential cache |
| useDefaultCcache | true|false | false | Retrieve TGT from the default credential cache |
| useDefaultKeytab | true|false | false | Retrieve the secret key from the specified key table |
| useFirstPass | true|false | false | Use the password saved in shared state |
| useKeytab | <URL> | Don't use key table | Retrieve the secret key from the specified key table |
| Option | credsType=initiator | credsType=acceptor | credsType=both | forwardable/proxiable/renewable | useCcache | useKeytab | useDefaultCcache | useDefaultKeytab | useFirstPass | renewTGT |
|---|---|---|---|---|---|---|---|---|---|---|
| credsType=initiator | N | N | X | X | X | |||||
| credsType=acceptor | N | N | X | X | X | |||||
| credsType=both | N | N | ||||||||
| forwardable/proxiable/renewable | X | X | X | |||||||
| useCcache | X | X | X | X | X | X | X | |||
| useKeytab | X | X | X | X | X | X | ||||
| useDefaultCcache | X | X | X | X | X | X | X | |||
| useDefaultKeytab | X | X | X | X | X | X | ||||
| useFirstPass | X | X | X | X | ||||||
| renewTGT | X | X | X | X | X |
All parts of a multi-part principal name must be specified. For example, "secure/ibm.com@IBM.COM". If omitted, the realm name is obtained from the Kerberos configuration file.
JAAS requires strings containing characters such as '_' (underscore), ':' (colon), '/' (forward slash), and '\' (back slash) that might be construed as delimiters to be quoted.
Krb5LoginModule might prompt for a principal name, password or both. Or it might not prompt for any input whatsoever. Whether or not the login is interactive depends on the options specified in the JAAS configuration file. For example, the login proceeds non-interactively when the credential type is initiator and a Kerberos TGT is to be retrieved from a default credentials cache file. On the other hand,a user is prompt for useCcache where user can specify a different credentials cache file if useDefaultCcache is set to false. If no value is entered, , a user is prompted for a password (and, perhaps, a principal name) when a TGT is to be obtained from a Kerberos KDC. When the login is interactive, the application must specify com.ibm.security.auth.callback.Krb5CallbackHandler as the callback handler when creating the login context. The callback handler is responsible for prompting for input.
When credential type both is required, Krb5LoginModule obtains both a TGT (for initiating contexts) and a secret key (for accepting contexts). There must be sufficient information in the JAAS configuration file for the two types of credentials to be acquired. Recall that only principal name and password can be prompted for.
For credential types accept and both, the login module assumes a service principal.