Open splashx opened 8 years ago
JAAS should be pretty configurable and there is a Kerberos module (not sure about all the options)
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html
I may be mistaken, but not quite - the suggestion works when the user authenticates directly to KeyBox, e.g.:
user ----> https://keybox.example.com:8443/
I myself have tried this setup and it works without changing the code. Steps:

1. JAAS login configuration:
   krb {
       com.sun.security.auth.module.Krb5LoginModule required;
   };
2. KeyBoxConfig.properties
3. Log in with username@EXAMPLE.COM (EXAMPLE.COM = realm) and the Kerberos password.

In cases where a reverse proxy is providing the user access, e.g.:

user -----> https://reverse-proxy.example.com/ -------> https://keybox.example.com:8443/

in my case:

user -----> apache with ProxyPass+Kerberos(authn)+LDAP(authz) -----> keybox

The user doesn't really see the keybox address in the address bar but reverse-proxy.example.com (that's good). However, the authentication happens at the reverse proxy level (using mod_auth_kerb). If authn is successful, the user is then forwarded to keybox:

CURRENTLY: keybox presents the user with the standard username/password+OTP login page
DESIRED: present the user with a prompt for only the OTP code, since the username/password authentication already happened before.

That is possible because the reverse proxy sends out extra header info via HTTP (REMOTE_USER, etc.), so Keybox should be able to work with that...
Any plans to extend authentication? :)
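One way the "trust the proxy's REMOTE_USER" idea could be implemented on the KeyBox side, as an added example that is not KeyBox's code and not from this thread. The security point it shows is the one the request glosses over: a header such as REMOTE_USER is only evidence of authentication if it can be proven to come from the proxy, so the filter honours it only when the TCP peer is a configured proxy address and the value looks like a Kerberos principal. The header name X-Remote-User, the init-param trustedProxies, the session attribute name and the ProxyPrincipalFilter class are all assumptions made up for the example:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet filter (example code, not KeyBox's own) that picks up the
 * Kerberos principal asserted by the reverse proxy and stores it in the session,
 * so the login page can skip the username/password step and ask for the OTP only.
 *
 * Assumptions (not stated in the issue):
 *  - the proxy copies mod_auth_kerb's REMOTE_USER into the request header X-Remote-User
 *    and strips/overwrites any X-Remote-User the client sent itself;
 *  - the filter init-param "trustedProxies" lists the proxy IP addresses, comma-separated;
 *  - the KeyBox listener is firewalled so that only those proxies can reach it.
 */
public class ProxyPrincipalFilter implements Filter {

    static final String PRINCIPAL_HEADER = "X-Remote-User";
    static final String SESSION_ATTR = "preAuthenticatedPrincipal";

    // user@REALM as produced by mod_auth_kerb; anything else is rejected outright.
    private static final Pattern PRINCIPAL =
            Pattern.compile("[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,255}");

    private Set<String> trustedProxies = Collections.emptySet();

    @Override
    public void init(FilterConfig cfg) {
        String list = cfg.getInitParameter("trustedProxies");
        if (list != null) {
            Set<String> addrs = new HashSet<>();
            for (String ip : list.split(",")) {
                if (!ip.trim().isEmpty()) {
                    addrs.add(ip.trim());
                }
            }
            trustedProxies = addrs;
        }
    }

    /**
     * Returns the principal to trust, or null. The header is honoured only when the
     * TCP peer is a trusted proxy: a client that reaches KeyBox directly must not be
     * able to become anyone just by sending the header itself.
     */
    static String trustedPrincipal(String remoteAddr, String headerValue, Set<String> trustedProxies) {
        if (remoteAddr == null || !trustedProxies.contains(remoteAddr)) {
            return null;
        }
        if (headerValue == null) {
            return null;
        }
        String principal = headerValue.trim();
        return PRINCIPAL.matcher(principal).matches() ? principal : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String principal = trustedPrincipal(
                    http.getRemoteAddr(), http.getHeader(PRINCIPAL_HEADER), trustedProxies);
            if (principal != null) {
                // Login page: when this attribute is present, show the OTP prompt only and
                // derive the KeyBox username from the principal's local part.
                http.getSession(true).setAttribute(SESSION_ATTR, principal);
            } else {
                // A request that did not arrive via the proxy carries no assertion at all.
                HttpSession session = http.getSession(false);
                if (session != null) {
                    session.removeAttribute(SESSION_ATTR);
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

The filter deliberately checks getRemoteAddr() rather than any X-Forwarded-For value, because forwarded headers are themselves client-controlled unless the proxy overwrites them. On the Apache side the proxy must unset X-Remote-User on incoming requests (RequestHeader unset) before setting it from the authenticated REMOTE_USER, otherwise a browser can inject the header straight through ProxyPass; the OTP step still stands on its own either way, which is what makes the "OTP only" flow acceptable rather than a full bypass of KeyBox authentication.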