Kerberos Version 5 is used for both the authentication and secure
communication aspects of the client and server applications developed in
this tutorial. The reader is assumed to already be familiar with Kerberos.
See the
Kerberos reference documentation.
The JAAS framework, and the Kerberos mechanism required by the
Java GSS-API methods, are built into the version 1.4 JREs from all vendors.
(Actually, JAAS was available as a separately-downloadable
optional package starting in version 1.3.) The
Kerberos LoginModule required for the JAAS authentication in this tutorial
may not be available in all vendors' JREs. We will be using the LoginModule
for Kerberos provided in the JRE from Sun Microsystems (J2RE v 1.4).
In order to run the sample programs, you will need access to a Kerberos
installation. As described in the following sections, you may also need
a krb5.conf Kerberos configuration file and
an indication as to where that file is located.
As with all Kerberos installations, a Kerberos Key Distribution Center (KDC)
is required. It needs to contain
the user name and password you will use to be authenticated to Kerberos.
Note: A KDC implementation is part of a Kerberos installation, not a part of
the J2RE, v 1.4.
As with most Kerberos installations, a Kerberos configuration file
krb5.conf is consulted to determine such things as the
default realm and KDC. If you are using a Kerberos implementation
such as that from Microsoft for Windows 2000, which does not include
a krb5.conf file, you will either need to create one or
use system properties as described in
Setting Properties to Indicate the Default Realm
and KDC.
Setting Properties to Indicate the Default Realm and KDC
Typically, the default realm and the KDC for that realm
are indicated in the Kerberos krb5.conf
configuration file. However, if you like, you can instead specify these
values by setting the following system properties to indicate the
realm and KDC, respectively:
java.security.krb5.realm
java.security.krb5.kdc
If you set one of these properties, you must set them both.
Also note that if you set these properties, then no
cross-realm authentication is possible unless a
krb5.conf file is also provided from which
the additional information required for cross-realm authentication
may be obtained.
If you set values for these properties, then they override the
default realm and KDC values specified in krb5.conf (if such a file
is found). The krb5.conf file is still consulted if
values for items other than the default realm and KDC are needed.
If no krb5.conf file is found, then the default values
used for these items are implementation-specific.
Locating the krb5.conf Configuration File
The essential Kerberos configuration information is the default
realm and the default KDC. As shown in
Setting Properties to Indicate the Default Realm
and KDC, if you set properties to indicate these values,
they are not obtained from a krb5.conf configuration file.
If these properties do not have values set, or if other Kerberos
configuration information is needed, an attempt is made to find the
required information in a krb5.conf file.
The algorithm to locate the krb5.conf file is the following:
1. If the system property java.security.krb5.conf is set, its
   value is assumed to specify the path and file name.
2. If that system property value is not set, then the configuration file
   is looked for in the directory
      <java-home>\lib\security [Windows]
      <java-home>/lib/security [Solaris and Linux]
Here <java-home> refers to the directory where the JRE
was installed. For example, if you have J2SDK v 1.4 installed on Solaris
in a directory named /jdk1.4, the directory in which the
configuration file is looked for is:
/jdk1.4/jre/lib/security
If the file is still not found, then an attempt is made to locate
it as follows:
If the file is still not found, and the configuration information
being searched for is not the default realm and KDC, then
implementation-specific defaults are used. If, on the other hand,
the configuration information being searched for is the
default realm and KDC because they weren't specified in system properties,
and the krb5.conf file is not found either, then
an exception is thrown.
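The two rules spelled out above, that java.security.krb5.realm and java.security.krb5.kdc must be set as a pair and override the file, and that a missing krb5.conf is fatal only when the default realm and KDC are not supplied by those properties, together with the lookup order for the file, can be modelled in a short script. The following Python is an added example, not code from the Sun tutorial or the J2RE: the file system is simulated with a dict of path to contents so it runs offline, the sample krb5.conf with realm EXAMPLE.COM and host kdc.example.com is a constructed placeholder, and the platform-specific fallback locations, which this page does not list, are left for the caller to pass in.

```python
"""Model of how the J2RE 1.4 Kerberos provider settles on a default realm and KDC.

Added example (not the tutorial's or Sun's code). The search order and the
"exception vs. implementation defaults" rule follow the tutorial text; the file
system is simulated with a dict of path -> contents so the script runs offline.
"""


class KerberosConfigError(Exception):
    """Raised when the default realm/KDC cannot be determined at all."""


# Constructed sample krb5.conf; realm and KDC host are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_krb5_conf(text):
    """Pull default_realm and per-realm kdc entries out of a minimal krb5.conf.

    Only the subset this page talks about is handled; real files carry many
    more sections and settings.
    """
    conf = {"default_realm": None, "realms": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                conf["default_realm"] = value.strip()
        elif section == "realms":
            if line.endswith("{"):               # "REALM = {" opens a realm block
                realm = line[:-1].rstrip(" =")
                conf["realms"].setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    conf["realms"][realm].append(value.strip())
    return conf


def locate_krb5_conf(props, java_home, files, platform_defaults=()):
    """Return the krb5.conf path to use, or None, in the tutorial's order:
    1. the file named by java.security.krb5.conf, if that property is set;
    2. otherwise <java-home>/lib/security/krb5.conf (backslashes on Windows);
    3. otherwise the platform-specific locations the implementation probes,
       which this page does not list, so the caller supplies them here.
    """
    explicit = props.get("java.security.krb5.conf")
    if explicit:
        return explicit if explicit in files else None
    candidates = [java_home + "/lib/security/krb5.conf", *platform_defaults]
    for path in candidates:
        if path in files:
            return path
    return None


def resolve_default_realm_and_kdc(props, java_home, files, platform_defaults=()):
    """Return (realm, kdc, source), applying the override rules from the text:
    both properties set -> they win and the file is not needed for these two;
    only one set -> treated as a configuration error;
    neither set -> krb5.conf must supply them, else an exception is thrown.
    """
    realm = props.get("java.security.krb5.realm")
    kdc = props.get("java.security.krb5.kdc")
    if (realm is None) != (kdc is None):
        raise KerberosConfigError(
            "java.security.krb5.realm and java.security.krb5.kdc must be set together")
    if realm is not None:
        return realm, kdc, "system properties"
    path = locate_krb5_conf(props, java_home, files, platform_defaults)
    if path is None:
        raise KerberosConfigError(
            "no default realm/KDC in system properties and no krb5.conf found")
    conf = parse_krb5_conf(files[path])
    kdcs = conf["realms"].get(conf["default_realm"], [])
    if not kdcs:
        raise KerberosConfigError(f"{path} defines no KDC for its default realm")
    return conf["default_realm"], kdcs[0], path


if __name__ == "__main__":
    files = {"/jdk1.4/jre/lib/security/krb5.conf": SAMPLE_KRB5_CONF}
    print(resolve_default_realm_and_kdc({}, "/jdk1.4/jre", files))
    override = {"java.security.krb5.realm": "OTHER.EXAMPLE.COM",
                "java.security.krb5.kdc": "kdc.other.example.com"}
    print(resolve_default_realm_and_kdc(override, "/jdk1.4/jre", files))
    try:
        resolve_default_realm_and_kdc({}, "/jdk1.4/jre", {})
    except KerberosConfigError as e:
        print("error:", e)
```

The point worth checking in a deployment is the asymmetry the last paragraph describes: with both properties set, a missing or unreadable krb5.conf only costs you the extra settings (cross-realm paths, for instance) and the JRE silently falls back to implementation defaults, whereas with neither property set the missing file surfaces as an exception at login time. Setting exactly one property is modelled here as an error, matching the page's requirement that they be set together.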