2
votes

We have implemented a Kerberos Java client and it is working fine. However, when the Kerberos ticket expires, the Java client application asks for a username in the console, which in turn makes the application hang. In tools like SoapUI we observed that the system throws an Unauthorized error when the Kerberos ticket has expired. We want to implement similar behaviour, that is, if the Kerberos ticket expires an Unauthorized error should be thrown instead of waiting for user input for credentials. Please help.

Setting up the client system for Kerberos testing

Step 1: Add a key to the Windows registry:

    Key:        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
    Value name: AllowTgtSessionKey
    Value type: REG_DWORD
    Value:      0x01

Step 2: Add a Java system property in the ClientKerberosAuthentication.java main class:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

Step 3: Get a ticket-granting ticket (TGT): run the kinit utility to obtain one. You can find this utility in the /jre/bin directory. For example:

    C:\Program Files\Java\jdk1.7.0_79\bin\kinit spnuser7
    Password : test@123

ClientKerberosAuthentication.java

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class ClientKerberosAuthentication {

    // SPNEGO gets the ticket from the Kerberos login, not from these values;
    // HttpClient 4.x still needs a non-null entry so that the scheme is attempted.
    public static Credentials getCredentials() {
        return new NTCredentials("", "", "desktop.test.com", "test.com");
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("sun.security.krb5.debug", "true");
        // false: let JGSS run its own JAAS login instead of requiring a Subject on the thread
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());
            Credentials use_jaas_creds = getCredentials();
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null),
                    use_jaas_creds);
            HttpUriRequest request = new HttpGet("http://kerbserver7.com/kerbservice/Service1.svc?wsdl");
            HttpResponse response = httpclient.execute(request);
            HttpEntity entity = response.getEntity();
            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            System.out.println("----------------------------------------");
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println("----------------------------------------");
            EntityUtils.consume(entity);
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }
}
1
You'll need to provide more details. Did you use JAAS? – KevinO
@KevinO, I have updated with more details. Please have a look. – Arul

1 Answer

3
votes

I believe the issue is a lack of a JAAS configuration file. There should be a setting for java.security.auth.login.config. In the absence of a defined jaas.conf file, the doNotPrompt setting is false (indicating it will prompt). This matches the behavior described in the OP's observation of a prompt.

The solution is to create a jaas configuration file and specify said file using the aforementioned property. In said jaas.conf file, set doNotPrompt=true.

Example:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  refreshKrb5Config=true
  useTicketCache=true
  renewTGT=true
  doNotPrompt=true
  useKeyTab=false
  storeKey=true
  debug=true
  ;
};

The primary discussion is in the JavaDocs at Krb5LoginModule

There is some additional information here: http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
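As an added example (not part of the question or the answer above), here is the same jaas.conf entry installed programmatically, with an explicit pre-flight login so that a missing or expired TGT becomes an exception the application controls instead of a console prompt. It assumes Apache HttpClient 4.x as in the question; the class name NonInteractiveKerberosClient and the UnauthorizedException type are my own, and the service URL is the one from the question.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

/** Added example (not from the question or answer): a SPNEGO client that fails closed instead of prompting. */
public class NonInteractiveKerberosClient {
    /** JAAS entry name JGSS consults for an initiator; the same name the answer's jaas.conf uses. */
    static final String JGSS_INITIATE = "com.sun.security.jgss.krb5.initiate";

    /** Hypothetical type raised instead of a console prompt when no usable TGT is available. */
    public static class UnauthorizedException extends Exception {
        public UnauthorizedException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** The answer's jaas.conf entry, installed programmatically so the client can never fall back to the prompting defaults. */
    static Configuration nonInteractiveConfig() {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true");   // use the TGT that kinit stored
        opts.put("renewTGT", "true");         // renew it if it is still renewable
        opts.put("refreshKrb5Config", "true");
        opts.put("doNotPrompt", "true");      // the decisive switch: fail instead of reading stdin
        opts.put("useKeyTab", "false");
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return JGSS_INITIATE.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Pre-flight login from the ticket cache: with doNotPrompt=true a missing or expired TGT is a LoginException here. */
    static Subject loginFromTicketCache() throws UnauthorizedException {
        try {
            LoginContext lc = new LoginContext(JGSS_INITIATE);  // no CallbackHandler, so nothing can prompt
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            throw new UnauthorizedException("no valid Kerberos TGT in the ticket cache; run kinit again", e);
        }
    }

    /** One GET run with the Subject's credentials; a 401 (no token could be produced, or the server rejected it) is mapped too. */
    static String fetch(Subject subject, final String url) throws Exception {
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    DefaultHttpClient httpclient = new DefaultHttpClient();
                    try {
                        httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());
                        // SPNEGO uses the Subject's ticket; HttpClient 4.x only needs a non-null placeholder here.
                        httpclient.getCredentialsProvider().setCredentials(
                                new AuthScope(null, -1, null), new NTCredentials("", "", "", ""));
                        HttpResponse response = httpclient.execute(new HttpGet(url));
                        String body = response.getEntity() == null ? "" : EntityUtils.toString(response.getEntity());
                        if (response.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) {
                            throw new UnauthorizedException("server rejected the request: " + response.getStatusLine(), null);
                        }
                        return body;
                    } finally {
                        httpclient.getConnectionManager().shutdown();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static void main(String[] args) {
        String url = args.length > 0 ? args[0] : "http://kerbserver7.com/kerbservice/Service1.svc?wsdl";
        Configuration.setConfiguration(nonInteractiveConfig());
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");  // use only the Subject logged in below
        try {
            System.out.println(fetch(loginFromTicketCache(), url));
        } catch (UnauthorizedException e) {
            System.err.println("UNAUTHORIZED: " + e.getMessage());
            System.exit(1);  // fail closed; a service must never block waiting for a password
        } catch (Exception e) {
            System.err.println("request failed: " + e);
            System.exit(2);
        }
    }
}
```

Run kinit first as in Step 3 of the question; once that TGT has expired, the program exits with an UNAUTHORIZED message instead of blocking on System.in. The file-based route from the answer works the same way: start the JVM with -Djava.security.auth.login.config=jaas.conf and omit the Configuration.setConfiguration call, since the named entry is then resolved from the file.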