java代码:
package com.snsprj.jaas0822; import javax.security.auth.*; import javax.security.auth.callback.*; import javax.security.auth.login.*; import com.sun.security.auth.callback.TextCallbackHandler; /** * This JaasAcn application attempts to authenticate a user * and reports whether or not the authentication was successful. * * Created by skh on 2017/8/22. */ public class JaasAcn { public static void main(String[] args) { String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/"; System.setProperty("java.security.auth.login.config", path + ""); System.setProperty("java.security.krb5.conf", path + "krb5.conf"); // System.setProperty("java.security.krb5.realm", "SNSPRJ.COM"); // System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com"); // sun.security.krb5.debug System.setProperty("sun.security.krb5.debug", "true"); // Obtain a LoginContext, needed for authentication. Tell it // to use the LoginModule implementation specified by the // entry named "JaasSample" in the JAAS login configuration // file and to also use the specified CallbackHandler. LoginContext lc = null; try { lc = new LoginContext("JaasSample", new TextCallbackHandler()); // attempt authentication try { lc.login(); } catch (LoginException le) { le.printStackTrace(); System.err.println("Authentication failed:"); System.err.println(" " + le.getMessage()); System.exit(-1); } } catch (LoginException le) { System.err.println("Cannot create LoginContext. " + le.getMessage()); } catch (SecurityException se) { System.err.println("Cannot create LoginContext. " + se.getMessage()); System.exit(-1); } System.out.println("Authentication succeeded!"); } }
这里有两个配置文件,其中jaas.conf配置如下:
/** Login Configuration for the JaasAcn and ** JaasAzn Applications **/ JaasSample { com.sun.security.auth.module.Krb5LoginModule required debug=true refreshKrb5Config=true; };
krb5.conf可以直接从kerberos服务器中copy过来使用即可,配置内容如下:
# Configuration snippets may be placed in this directory as well [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_realm = SNSPRJ.COM default_ccache_name = KEYRING:persistent:%{uid} # use tcp udp_preference_limit = 1 # kdc_timeout = 60000 [realms] SNSPRJ.COM = { kdc = kerberos.snsprj.com admin_server = kerberos.snsprj.com } [domain_realm] .snsprj.com = SNSPRJ.COM snsprj.com = SNSPRJ.COM
参考资料:
JAAS Authentication:http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html