Binding to LDAP and searching user attributes with an existing KerberosTicket

Time: 2022-06-11 20:45:28

Is there a way in Java to query Active Directory for a user's attributes given an existing javax.security.auth.kerberos.KerberosTicket that was forwarded to my code? I know I want to use LDAP to do the search, but I am confused on how to use this KerberosTicket object to bind to LDAP. Currently I am using Spring-Ldap and Spring-Security to communicate with Active Directory, and using simple authentication credentials I can bind a username and password to authenticate my user and retrieve all my attributes, roles, etc. However, in the case when I am passed a KerberosTicket from that Active Directory server I do not know how to bind myself, because I don't know the password for this user. I am currently not calling login() from a LoginContext to get my KerberosTicket; it's been forwarded to my code as an encrypted Java object.


1 solution

#1


In your LDAP connection environment, set Context.SECURITY_AUTHENTICATION to "GSSAPI". Then create the InitialLdapContext inside a privileged action:


    // run() must return the context: a local variable cannot be assigned from inside the anonymous class.
    InitialLdapContext context = Subject.doAs(subject, new PrivilegedAction<InitialLdapContext>() {
        public InitialLdapContext run() {
            try {
                return new InitialLdapContext(env, null);
            } catch (NamingException e) {
                throw new RuntimeException(e); // PrivilegedAction cannot throw checked exceptions
            }
        }
    });


You get the subject variable by calling getSubject() on your LoginContext. env is the environment. You will have to catch a NamingException somehow. Notice that to make this work on newer Windows versions, you have to set a Registry entry, see http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html (search for registry).

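A fuller worked example, added here and not part of the answer above or of the asker's code. It follows the answer's recipe (Context.SECURITY_AUTHENTICATION set to "GSSAPI", the InitialLdapContext created under Subject.doAs) but, because the asker has no LoginContext, it builds the Subject directly from the forwarded KerberosTicket: JGSS looks for a TGT in the Subject's private credentials, so the ticket must be a TGT (server principal krbtgt/REALM), not a service ticket for the application. The LDAP URL, base DN, returned attribute names and the javax.security.sasl.qop setting (which asks for a signed and sealed session so the directory traffic is not sent in the clear) are assumptions for illustration; the search filter uses JNDI's {0} placeholder so the account name is escaped rather than concatenated into the filter.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;

public class GssapiLdapLookup {

    // Assumed values for the example: replace with your domain controller and base DN.
    static final String LDAP_URL = "ldap://dc.example.com:389";
    static final String BASE_DN = "DC=example,DC=com";

    /** Wraps a forwarded TGT in a Subject so the Krb5 GSS mechanism can find it. */
    static Subject subjectFor(KerberosTicket tgt) {
        if (!tgt.isCurrent()) {
            throw new IllegalArgumentException("forwarded ticket is expired or not yet valid");
        }
        if (!tgt.getServer().getName().startsWith("krbtgt/")) {
            // A service ticket for this application cannot be used to obtain an LDAP service ticket.
            throw new IllegalArgumentException("ticket is not a TGT: " + tgt.getServer().getName());
        }
        return new Subject(true,
                Collections.singleton(tgt.getClient()),   // principal
                Collections.emptySet(),                   // no public credentials
                Collections.singleton(tgt));              // TGT as private credential
    }

    static Hashtable<String, Object> gssapiEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Assumed hardening: request integrity and confidentiality on the SASL layer.
        env.put("javax.security.sasl.qop", "auth-conf");
        return env;
    }

    /** Binds with the user's forwarded TGT and returns that user's attributes, or null if not found. */
    static Attributes lookupUser(KerberosTicket tgt, String sAMAccountName) throws NamingException {
        Subject subject = subjectFor(tgt);
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<Attributes>) () -> {
                LdapContext ctx = new InitialLdapContext(gssapiEnv(), null);
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] {"displayName", "mail", "memberOf"});
                    // {0} is substituted and escaped by JNDI, so user input never alters the filter.
                    NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                            "(&(objectClass=user)(sAMAccountName={0}))",
                            new Object[] {sAMAccountName}, sc);
                    return results.hasMore() ? results.next().getAttributes() : null;
                } finally {
                    ctx.close();
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof NamingException) {
                throw (NamingException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }
}
```

Call lookupUser(forwardedTicket, "jdoe") from the code that received the ticket. If the bind fails with a GSS error even though the ticket is a current TGT, check the Kerberos client configuration (realm and KDC) and the Windows registry note in the answer above before suspecting the LDAP side.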
