Java Kerberos Library
Kerberos Authentication for J2EE Applications
If you're looking to develop your own applications and require a Java Kerberos library, you can leverage the one included in Vintela Single Sign-on for Java. Vintela Single Sign-on for Java's Java Kerberos library provides the functionality necessary to deliver single sign-on for Active Directory and other Kerberos environments and supports Java / Microsoft interoperability.
Vintela Single Sign-on for Java's Java Kerberos library is a pure Java implementation of the Kerberos protocol and allows developers to integrate Kerberos functionality for authentication and single sign-on with Microsoft's Active Directory and MIT Kerberos servers into their applications. The Java Kerberos library provides an API for Kerberos ticket requests, a Java binding of the GSS-API implementation, and user-to-service and user-to-user Kerberos authentication mechanisms. The library includes full API documentation and examples.
How Is Vintela Single Sign-on for Java's Java Kerberos Library Different from Sun's Implementation?
The library works on all versions of JDK from 1.2.2 onwards and provides a number of advantages over Sun's implementation in JDK 1.4 including:
| Feature | Sun | Vintela Single Sign-on for Java |
|---|---|---|
| JDK Support | JDK 1.4 and above only. | Works on all versions of JDK from version 1.2.2 onwards. |
| API Support | An implementation of JGSS using built-in JAAS LoginModules with little scope for extension. | A 'raw' Kerberos API in addition to an implementation of JGSS. This allows customization of ticket requests (for example, to include alternative pre-authentication data when requesting a TGT). |
| Cryptographic Support | DES only. | DES, TripleDES (used in MIT Kerberos) and RC4® (used in Microsoft Windows 2000) Kerberos encryption types. Note: DES uses only 56-bit keys, which is not generally considered secure enough in today's environment. |
| Supported GSS-API Mechanisms | User-to-service only. | User-to-service and user-to-user. |
| Microsoft Windows 2000 Support | Fails for users belonging to many groups due to large tickets (no support for TCP fallback). | Supports Microsoft Windows 2000 'large tickets'. |
| Pre-authentication Support | No pluggable support for pre-authentication. | Flexible pre-authentication during initial authentication. |
| Password Management | None. | API for password changing and setting. |
| Access to Underlying Kerberos Information | Generic GSSAPI support only. | Has GSSAPI hooks into Kerberos functionality such as inspection of peer tickets and setting of delegation options. |
| Support for Inter-realm Authentication | No support. | Supports cross-domain and cross-forest operation. |
| Discovery of KDCs | Manually configured via system properties. | Supports DNS discovery of KDCs specifically for use with Active Directory. |
Key Features
Vintela Single Sign-on for Java's Java Kerberos Library Includes
| Component | Description |
|---|---|
| Support for Large-scale Directory Deployments with Active Directory Sites | Vintela Single Sign-on for Java's Java Kerberos library supports large-scale Microsoft Active Directory deployments through Active Directory sites, including support for replication, redundancy and load balancing. |
| Identity Federation with Cross-realm and Cross-forest Authentication | Vintela Single Sign-on for Java's Java Kerberos library supports both cross-realm authentication with MIT and Microsoft Windows KDCs, and cross-forest authentication with Windows 2003. This support is provided transparently via the GSS-API. |
| Identity Integration with Active Directory | The Java Kerberos library provides additional features to enable tight integration with Active Directory on Windows 2000 and Windows Server 2003, including: support for the Windows native credential cache; an API for administrator password resets of Active Directory accounts; and DNS discovery of KDCs. |
| Support for Kerberos-based Single Sign-on | The Java Kerberos library provides the functionality necessary to deliver single sign-on for Active Directory and other Kerberos environments. |
| Standard Java GSS-API for Application-level Messaging | The GSS-API, standardized by IETF RFC 1508 (Generic Security Service Application Programming Interface), provides a high-level, mechanism-independent, transport-neutral API to security services. Two GSS-API mechanisms (user-to-service and user-to-user) have been defined for Kerberos. GSS-API is the preferred API for Kerberizing applications. |
| Simplified Integration with Java Applications | In addition to the GSS-API, Vintela Single Sign-on for Java's Java Kerberos library supports the standard Java Authentication and Authorization Service (JAAS) API, and provides a login module allowing Java clients to use Kerberos for single sign-on. |
| Kerberos API for Credential and Password Management | In addition to the standard JGSS and JAAS support, the Java Kerberos library also provides a custom Kerberos API that gives access to more Kerberos-specific functionality. Using this API allows you to do a number of things which are not possible with JGSS and JAAS, for example issuing custom ticket requests that use different pre-authentication data, changing passwords, or accessing authorization data. |
| Supports a Wide Range of Encryption Types and GSS-API Mechanisms | Vintela Single Sign-on for Java's Java Kerberos library supports DES, TripleDES and RC4® at both the Kerberos and GSS-API levels, and supports both the regular (user-to-service) and the user-to-user GSS-API mechanisms. |
How Do I Download the Java Kerberos Library?
Download and unpack the Vintela Single Sign-on for Java zip distribution. The Kerberos Library jars are located in the lib directory. You will find a guide to the library in the jcsi/apidocs directory. Simply open index.html in your browser.
How Do I Install the Java Kerberos Library?
Once you have unpacked the Vintela Single Sign-on for Java distribution, add the jars to your CLASSPATH variable.
On Microsoft Windows, do the following:

```bat
set CLASSPATH=C:\Program Files\Quest Software\VSJ\lib\jcsi_license.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\jcsi_base.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\jcsi_jce.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\jcsi_krb_provider.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\jcsi_krb.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\jcsi_krb_jaas.jar
set CLASSPATH=%CLASSPATH%;C:\Program Files\Quest Software\VSJ\lib\commons-logging-1.0.3.jar
```

On Microsoft Windows you will also need to add the native winSSPI.dll to your java command line. Doing this allows direct integration into the Windows Integrated Authentication mechanism:

```bat
C:\> java "-Djava.library.path=C:\Program Files\Quest Software\VSJ\lib" your.class.here
```

On Unix or Linux you do not require the winSSPI.dll. All you need to do is set the CLASSPATH as follows:

```sh
CLASSPATH="/opt/vsj/lib/jcsi_license.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_base.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_jce.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb_provider.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb_jaas.jar"
CLASSPATH="${CLASSPATH}:/opt/vsj/lib/commons-logging-1.0.3.jar"
export CLASSPATH
java your.class.here
```
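As an added example (not part of the VSJ distribution or its documentation), the Unix CLASSPATH setup above as a POSIX shell script that verifies every jar in the list is actually present and readable before launching the JVM, so a missing jcsi_license.jar or provider jar fails loudly instead of surfacing later as a confusing class-loading error. It assumes the default /opt/vsj/lib install location and lets the VSJ_LIB variable override it.

```shell
#!/bin/sh
# Added example, not from the VSJ distribution: build the Java Kerberos
# library CLASSPATH from the jar list in the install instructions and
# check that each jar exists before running the application.
# Assumption: jars live in /opt/vsj/lib unless VSJ_LIB says otherwise.

VSJ_LIB="${VSJ_LIB:-/opt/vsj/lib}"
# Jar names from the page's Unix install instructions, in the same order.
VSJ_JARS="jcsi_license.jar jcsi_base.jar jcsi_jce.jar jcsi_krb_provider.jar jcsi_krb.jar jcsi_krb_jaas.jar commons-logging-1.0.3.jar"

# vsj_classpath DIR: print the colon-separated classpath on stdout, or
# report every jar missing from DIR on stderr and return 1.
vsj_classpath() {
    dir="$1"; cp=""; missing=""
    for jar in $VSJ_JARS; do
        if [ -r "$dir/$jar" ]; then
            cp="${cp:+$cp:}$dir/$jar"
        else
            missing="$missing $jar"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing jars in $dir:$missing" >&2
        return 1
    fi
    printf '%s\n' "$cp"
}

# run_with_vsj your.class.here [args...]: export the verified CLASSPATH
# and start the JVM; does nothing if any jar is missing.
run_with_vsj() {
    CLASSPATH="$(vsj_classpath "$VSJ_LIB")" || return 1
    export CLASSPATH
    java "$@"
}
```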