For a client I have been trying to get Kerberos authentication to work for the following setup:
- A Swing client application running on the user's machine.
- An enterprise application consisting of several EJBs running on WebLogic 10.3.0.
The client application connects to the EJBs remotely. Currently there is no security at all between the client and server applications.
The client application creates its connection to the server application with an initial context like this:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

private static Context getContext() throws Exception {
    Hashtable<String, String> ht = new Hashtable<String, String>();
    ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    ht.put(Context.PROVIDER_URL, "t3://localhost:8001");
    // Get a context for the JNDI lookup; no principal or credentials are supplied,
    // so the server sees an anonymous caller
    return new InitialContext(ht);
}
```
The client's requirements are as follows:
- Secure the EJBs to prevent unauthorized access.
- Provide single sign-on: users log on to Windows and then start the application directly, without logging in again.
- Provide a way to enforce a password policy (minimum length, no reuse of earlier passwords, forced change every so often, etc.).
The first point is easily solved with the @RolesAllowed annotation. It makes the container check that the caller holds one of the listed roles before the EJB (method) can be invoked; a caller without a suitable role, including an unauthenticated one, is rejected.
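As an added illustration (not code from the original post), a stateless session bean locked down with these annotations; the bean, its interface and the role names are placeholders. On WebLogic the role names still have to be mapped to the Active Directory groups, which is normally done with security-role-assignment entries in weblogic-ejb-jar.xml.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Placeholder remote interface for the example bean.
@Remote
interface OrderService {
    String placeOrder(String item);
    String cancelOrder(long orderId);
    String version();
}

// Added example (placeholder names): class-level rule plus method-level overrides.
@Stateless
@DeclareRoles({"orderclerk", "orderadmin"})
@RolesAllowed("orderclerk")          // default for every business method of this bean
public class OrderServiceBean implements OrderService {

    @Resource
    private SessionContext ctx;

    // Inherits the class-level rule. By the time we get here the container has
    // already rejected unauthenticated and unauthorised callers; the caller's
    // identity remains available, e.g. for an audit trail.
    public String placeOrder(String item) {
        return "order for " + item + " placed by " + ctx.getCallerPrincipal().getName();
    }

    // Method-level annotation overrides the class-level one: only orderadmin may cancel.
    @RolesAllowed("orderadmin")
    public String cancelOrder(long orderId) {
        return "order " + orderId + " cancelled by " + ctx.getCallerPrincipal().getName();
    }

    // Deliberately open method; note that a method without any annotation on a
    // bean that also has no class-level rule is open in exactly the same way.
    @PermitAll
    public String version() {
        return "1.0";
    }
}
```

The class-level annotation is the important habit: with it, forgetting to annotate a new business method fails closed (the method needs orderclerk) instead of failing open.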
For the third point we decided to use the existing Active Directory (which is present anyway, as we need it for point 2). All password strength requirements can be enforced in Active Directory itself. This has the added advantage that users are administered in one place only.
The second point is where we got stuck. Authenticating with a username and password is relatively easy; just extend the method above like this:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

private static Context getContext(String username, String password) throws Exception {
    Hashtable<String, String> ht = new Hashtable<String, String>();
    ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    ht.put(Context.PROVIDER_URL, "t3://localhost:8001");
    // Credentials travel with the t3 connection; use t3s if the wire is not trusted
    ht.put(Context.SECURITY_PRINCIPAL, username);
    ht.put(Context.SECURITY_CREDENTIALS, password);
    // Get a context for the JNDI lookup
    return new InitialContext(ht);
}
```
However, I could not find a way to use Kerberos tokens instead of a username and password. After much searching, and some help from myfear, I found a few lines on the Security Fundamentals page for WebLogic 10.3. That page states (for the EJB communication protocol):
Supports Generic Security Services Application Programming Interface (GSSAPI) initial context tokens. For this release, only usernames and passwords and GSSUP (Generic Security Services Username Password) tokens are supported.
This seems to indicate that Kerberos tickets and other token-based authentication methods are not possible.
Currently only one option remains open: write a username/password authenticator that parses the password as if it were a Kerberos service ticket. However, the time needed to build such an authenticator is not available within the project. Perhaps something to research in the future.
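To show what that remaining option amounts to, here is an added example (not code from the original post, and not a WebLogic API) that uses plain JGSS on both ends: the client obtains a Kerberos service ticket from the Windows logon session and sends the resulting GSS-API token in the credentials slot; the server-side routine, which a custom authenticator would call, verifies the token against the service keytab and returns the principal the ticket proves. Everything named here is an assumption: the JAAS configuration entries "KerberosClient" (Krb5LoginModule with useTicketCache=true) and "KerberosService" (Krb5LoginModule with useKeyTab=true for the service principal), the SPN ejb/app.example.com@EXAMPLE.COM, and a krb5.conf that names the Active Directory domain controller as KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added example, not from the post or from WebLogic. All names below are placeholders.
public class KerberosTokenAuth {

    static final String SERVICE_SPN = "ejb/app.example.com@EXAMPLE.COM"; // placeholder SPN
    static final String PROVIDER_URL = "t3s://localhost:8002";           // placeholder; TLS, so the token cannot be lifted off the wire

    static Oid krb5Mech() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
    }

    /** Client side: get a service ticket for the EJB server from the KDC and return
     *  the GSS-API initial context token (a Kerberos AP-REQ), Base64-encoded. */
    static String acquireServiceToken() throws Exception {
        LoginContext lc = new LoginContext("KerberosClient");   // placeholder JAAS entry
        lc.login();                                             // silent: reuses the Windows logon TGT
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                GSSName server = manager.createName(SERVICE_SPN, null, krb5Mech());
                GSSContext ctx = manager.createContext(server, krb5Mech(), null,
                                                       GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(false);   // one-way: nothing can come back through the password field
                ctx.requestReplayDet(true);     // ask the acceptor to reject a replayed AP-REQ
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                ctx.dispose();
                return Base64.getEncoder().encodeToString(token);
            }
        });
    }

    /** Client side: the post's getContext(username, password), with the ticket in the credentials slot. */
    static Context getContext(String username) throws Exception {
        Hashtable<String, String> ht = new Hashtable<String, String>();
        ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        ht.put(Context.PROVIDER_URL, PROVIDER_URL);
        ht.put(Context.SECURITY_PRINCIPAL, username);
        ht.put(Context.SECURITY_CREDENTIALS, acquireServiceToken());
        return new InitialContext(ht);
    }

    /** Server side, the core of the custom authenticator the post describes: verify the
     *  AP-REQ against the service keytab and return the client principal the ticket proves,
     *  or null if it does not verify or does not belong to the user name that was presented. */
    static String authenticate(final String username, final String base64Token) {
        try {
            LoginContext lc = new LoginContext("KerberosService");  // placeholder JAAS entry (keytab)
            lc.login();
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<String>() {
                public String run() throws GSSException {
                    byte[] token = Base64.getDecoder().decode(base64Token);
                    GSSManager manager = GSSManager.getInstance();
                    GSSContext ctx = manager.createContext((GSSCredential) null); // acceptor creds come from the Subject
                    ctx.acceptSecContext(token, 0, token.length);
                    if (!ctx.isEstablished()) {
                        return null;                            // incomplete or rejected token
                    }
                    String principal = ctx.getSrcName().toString(); // e.g. alice@EXAMPLE.COM
                    ctx.dispose();
                    // Bind the proven identity to the user name the client claimed.
                    int at = principal.indexOf('@');
                    String user = at < 0 ? principal : principal.substring(0, at);
                    return user.equalsIgnoreCase(username) ? principal : null;
                }
            });
        } catch (Exception e) {
            return null;  // undecodable, expired or replayed ticket, wrong keytab, clock skew, failed login
        }
    }
}
```

Two things a practitioner should keep in mind with this approach: the AP-REQ is only protected against replay by the acceptor's replay cache and the Kerberos clock-skew window, so the transport should be t3s rather than t3, and the password field must be excluded from any server-side logging, since the token is now a credential that is valid for a few minutes.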