Generating a dynamic Kerberos token using a stacked JAAS login module

You can dynamically pass a username and password to the Kerberos token generator, KRBGenerateLoginModule, when you use the WSS APIs. However, if you must use policy sets and bindings, you cannot dynamically pass a username and password to the Kerberos token generator in a standard configuration, because both the callback handler and the username and password that it supplies are fixed values in the bindings. You can still create dynamic Kerberos tokens with policy sets and bindings by using a custom JAAS login module that is stacked in front of KRBGenerateLoginModule.

Before you begin

If you create a custom JAAS login module or add a UsernameToken to the client's request context, you can customize the username and password that the Kerberos token generator uses when requesting the Kerberos ticket.

About this task

The GenericSecurityTokenFactory provides an SPI that you can use to create a token that KRBGenerateLoginModule uses to customize the username and password when it requests the Kerberos ticket.

The following procedure shows how to use the stacked JAAS login module method to customize the username and password that KRBGenerateLoginModule uses when creating a Kerberos token. You can accomplish the same result by placing the UsernameToken that is created in this procedure on the client's request context. You can create a dynamic Kerberos token only from a UsernameToken that you create; you cannot create one from a Kerberos ticket. For more information about placing the token on the client's request context, refer to the following constants in com.ibm.wsspi.wssecurity.core.Constants:

  • com.ibm.wsspi.wssecurity.token.tokenHolder
  • com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext

Procedure

  1. Create a custom JAAS login module.
    package test.tokens;
    
    import java.util.Map;
    
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;
    
    import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
    import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
    
    public class MyKrbCustomLoginModule implements LoginModule {
      //For the sake of readability, this login module does not
      //protect against all NPE's
    
      private Map _sharedState;
      private Map _options;
      private CallbackHandler _handler;
    
      public void initialize(Subject subject, CallbackHandler callbackHandler,
                  Map<String, ?> sharedState, Map<String, ?> options) {
    
        this._handler = callbackHandler;
        this._sharedState = sharedState;
        this._options = options;
      }
    
      public boolean login() throws LoginException {
    
        GenericSecurityTokenFactory factory = null;
        try {
          factory = GenericSecurityTokenFactory.getInstance();
        } catch (Exception e) {
          throw new LoginException(e.toString());
        }
    
        //The literal values are placeholders: obtain the real username and
        //password at run time (for example, from the application) rather
        //than hardcoding them in the module.
        UsernameToken unt = factory.getSimpleUsernameToken("username", "password".toCharArray());
    
        //Place the token in the shared state so that KRBGenerateLoginModule,
        //which is stacked after this module, picks it up and uses its
        //username and password to request the Kerberos ticket.
        factory.putGeneratorTokenToSharedState(this._sharedState, unt);
    
        return true;
      }
    
      //This module only contributes the shared-state token, so the remaining
      //LoginModule methods have nothing to commit, roll back, or clean up.
      public boolean commit() throws LoginException {
        return true;
      }
    
      public boolean abort() throws LoginException {
        return true;
      }
    
      public boolean logout() throws LoginException {
        return true;
      }
    }
  2. Create a new JAAS login configuration.
    1. In the administrative console, select Security->Global security.
    2. Under Authentication, select Java Authentication and Authorization Service.
    3. Select System logins.
    4. Create the generator, adding the custom module first so that it runs before KRBGenerateLoginModule and can place the UsernameToken in the shared state.
      1. Click New, and then specify Alias = test.generate.krb.
      2. Click New, and then specify Module class name = test.tokens.MyKrbCustomLoginModule.
      3. Select Use login module proxy.
      4. Click OK.
      5. Click New, and then specify Module class name = com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.
      6. Click New, and then specify Module class name = com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
      7. Click OK.
      8. Click JAAS - System logins.
  3. Configure your Kerberos token generator to use the new JAAS configuration.
    1. Open your bindings configuration that you want to change.

      In the administrative console, select WS-Security > Authentication and protection.

    2. Under Authentication tokens, select the Kerberos outbound token that you want to change.
    3. Select JAAS login = test.generate.krb.
  4. Click Save.
  5. Restart the application server to apply the JAAS configuration changes.
  6. Test your service.
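The login module in step 1 hardcodes its username and password, which only shows where the values are injected. The following variant is an added example, not IBM's code and not part of the original page: it lets the calling application supply the credentials per request, so that the token generated by the stacked KRBGenerateLoginModule is actually dynamic. It uses the same two GenericSecurityTokenFactory calls as the procedure. The class name MyDynamicKrbLoginModule, the setCredentials and clearCredentials methods, and the assumption that the JAAS login for the outbound token runs on the same thread that invokes the JAX-WS client (so that a ThreadLocal set immediately before the call is visible in login()) are all assumptions made for this example.

```java
package test.tokens;

import java.util.Arrays;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;

/**
 * Stacked login module that hands KRBGenerateLoginModule a UsernameToken
 * built from credentials the application supplied for the current thread.
 * Register it in the JAAS system login before KRBGenerateLoginModule, exactly
 * as test.tokens.MyKrbCustomLoginModule is registered in the procedure above.
 */
public class MyDynamicKrbLoginModule implements LoginModule {

  // Per-thread credential slot. Assumption (not stated by the product
  // documentation): the JAAS login for the outbound Kerberos token runs on
  // the thread that invokes the JAX-WS client, so a ThreadLocal set just
  // before the call is visible here.
  private static final ThreadLocal<String> USER = new ThreadLocal<String>();
  private static final ThreadLocal<char[]> PASSWORD = new ThreadLocal<char[]>();

  /** Called by the application immediately before it invokes the service. */
  public static void setCredentials(String user, char[] password) {
    USER.set(user);
    PASSWORD.set(password.clone());   // private copy; the caller may wipe its own array
  }

  /** Called by the application in a finally block after the invocation. */
  public static void clearCredentials() {
    char[] pw = PASSWORD.get();
    if (pw != null) {
      Arrays.fill(pw, '\0');          // do not leave the password lying around in memory
    }
    USER.remove();
    PASSWORD.remove();
  }

  private Map sharedState;

  public void initialize(Subject subject, CallbackHandler callbackHandler,
                         Map<String, ?> sharedState, Map<String, ?> options) {
    this.sharedState = sharedState;
  }

  public boolean login() throws LoginException {
    String user = USER.get();
    char[] password = PASSWORD.get();

    // Fail closed: with no caller-supplied credentials there is nothing to
    // generate, and falling back to a fixed identity would defeat the purpose
    // of the dynamic token (and silently send the request as the wrong user).
    if (user == null || user.isEmpty() || password == null || password.length == 0) {
      throw new LoginException("No credentials supplied for Kerberos token generation on this thread");
    }

    GenericSecurityTokenFactory factory;
    try {
      factory = GenericSecurityTokenFactory.getInstance();
    } catch (Exception e) {
      throw new LoginException(e.toString());
    }

    // Same calls as the procedure above; only the source of the values differs.
    UsernameToken unt = factory.getSimpleUsernameToken(user, password);
    factory.putGeneratorTokenToSharedState(this.sharedState, unt);
    return true;
  }

  public boolean commit() throws LoginException { return true; }
  public boolean abort() throws LoginException { return true; }
  public boolean logout() throws LoginException { return true; }

  // Usage from the client application (port is the JAX-WS proxy):
  //
  //   MyDynamicKrbLoginModule.setCredentials(user, passwordChars);
  //   try {
  //     port.someOperation(request);
  //   } finally {
  //     MyDynamicKrbLoginModule.clearCredentials();
  //   }
}
```

Configure it exactly as in step 2, substituting test.tokens.MyDynamicKrbLoginModule for test.tokens.MyKrbCustomLoginModule as the first module under the test.generate.krb alias. If the login runs on a different thread than the one that called setCredentials (for example, an asynchronous client invocation), the ThreadLocal is empty and login() throws, which is the intended outcome: a misconfiguration surfaces as a failed token generation rather than as a request sent under an unintended identity.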