You can create a Simple and Protected GSS-API Negotiation (SPNEGO) token for your applications and insert this token into the HTTP headers to authenticate to the WebSphere® Application Server.
// With useSubjectCredsOnly=false, JGSS may obtain Kerberos credentials through the
// configured login module / ticket cache instead of requiring them to already be
// present in the current Subject.
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
GSSManager manager = GSSManager.getInstance();
Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
// Kerberos principal that will initiate the security context.
GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
GSSName canonicalUserName = gssUserName.canonicalize(krb5MechOid);
int lifetime = GSSCredential.INDEFINITE_LIFETIME;
int usage = GSSCredential.INITIATE_ONLY;
// Acquire an initiate-only Kerberos credential for that principal ...
clientGssCreds = manager.createCredential(canonicalUserName, lifetime, krb5MechOid, usage);
// ... and attach a SPNEGO element so the same credential can drive a Negotiate handshake.
clientGssCreds.add(gssUserName, lifetime, lifetime, spnegoMechOid, usage);
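Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
GSSManager manager = GSSManager.getInstance();
// Acquire the credential while running as the authenticated Subject so JGSS can use
// the Kerberos ticket held in that Subject's private credentials.
// A GSSException raised inside the action reaches the caller wrapped in the
// PrivilegedActionException that Subject.doAs already declares; it is deliberately
// not caught here, because swallowing it and returning null only moves the failure
// to a later NullPointerException far from its cause.
clientGssCreds = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
    @Override
    public GSSCredential run() throws GSSException {
        // Kerberos principal that will initiate the security context.
        gssName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
        GSSCredential gssCred = manager.createCredential(
                gssName.canonicalize(krb5MechOid),
                GSSCredential.DEFAULT_LIFETIME,
                krb5MechOid,
                GSSCredential.INITIATE_ONLY);
        // Attach a SPNEGO element for the same principal the Kerberos element was
        // created for, so one credential can drive a Negotiate handshake.
        gssCred.add(gssName,
                GSSCredential.INDEFINITE_LIFETIME,
                GSSCredential.INDEFINITE_LIFETIME,
                spnegoMechOid,
                GSSCredential.INITIATE_ONLY);
        return gssCred;
    }
});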
Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
// With useSubjectCredsOnly=true, JGSS takes Kerberos credentials only from the
// Subject associated with the current access-control context.
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
GSSManager manager = GSSManager.getInstance();
int lifetime = GSSCredential.INDEFINITE_LIFETIME;
int usage = GSSCredential.INITIATE_ONLY;
// Kerberos principal that will initiate the security context.
GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
GSSName canonicalUserName = gssUserName.canonicalize(krb5MechOid);
// Initiate-only Kerberos credential, then a SPNEGO element for the same principal.
clientGssCreds = manager.createCredential(canonicalUserName, lifetime, krb5MechOid, usage);
clientGssCreds.add(gssUserName, lifetime, lifetime, spnegoMechOid, usage);
Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
// Let JGSS obtain credentials through the login module / ticket cache rather than
// requiring them to be in the current Subject.
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
GSSManager manager = GSSManager.getInstance();
int lifetime = GSSCredential.INDEFINITE_LIFETIME;
int usage = GSSCredential.INITIATE_ONLY;
// A null name requests the default initiator credential instead of one for a
// specific principal; the SPNEGO element is added for that same default principal.
GSSName defaultPrincipal = null;
clientGssCreds = manager.createCredential(defaultPrincipal, lifetime, krb5MechOid, usage);
clientGssCreds.add(defaultPrincipal, lifetime, lifetime, spnegoMechOid, usage);
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey = 0x01 (DWORD)
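// create target server SPN
GSSName gssServerName = manager.createName(targetServerSpn, GSSName.NT_USER_NAME);
GSSContext clientContext = manager.createContext(gssServerName.canonicalize(spnegoMechOid),
        spnegoMechOid,
        clientGssCreds,
        GSSContext.DEFAULT_LIFETIME);
// Optional: enable GSS credential delegation. This hands the client's Kerberos
// credential to the target server, which can then act on the client's behalf
// towards other services; leave it disabled unless the application needs that.
clientContext.requestCredDeleg(true);
byte[] spnegoToken = new byte[0];
// create a SPNEGO token for the target server
spnegoToken = clientContext.initSecContext(spnegoToken, 0, spnegoToken.length);
if (spnegoToken == null) {
    // initSecContext returns null when there is no token to send; there is
    // nothing to place in the Authorization header in that case.
    throw new IllegalStateException("no SPNEGO token produced for " + targetServerSpn);
}
URL url = new URL(targetUrl);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
try {
    // insert SPNEGO token in the HTTP header
    // NOTE(review): the Negotiate header needs standard base64 with no line breaks;
    // confirm the Base64 helper in use produces that.
    con.setRequestProperty("Authorization", "Negotiate " + Base64.encode(spnegoToken));
    con.getResponseCode();
} catch (IOException e) {
    // Report the failure instead of silently ignoring it; a swallowed exception
    // leaves the caller believing the request was authenticated.
    throw new IllegalStateException("SPNEGO request to " + targetUrl + " failed", e);
} finally {
    // release the connection even when the request fails
    con.disconnect();
}
// Call clientContext.dispose() once the context is no longer needed.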
Your application might need a Kerberos configuration file
(krb5.ini or krb5.conf). Read about Creating a Kerberos configuration file for
more information.