ServerEndpoint that use Kerberos as the underlying network security protocol to support security-related invocation constraints for remote requests. The ServerEndpoint abstraction is implemented by the KerberosServerEndpoint, while the client side Endpoint abstraction is implemented by the KerberosEndpoint.
This class uses the Jini extensible remote invocation (Jini ERI) multiplexing protocol to map outgoing requests to the underlying secure connection streams.
The secure connection streams in this provider are implemented using the Kerberos Version 5 GSS-API Mechanism, defined in RFC 1964, over socket connections between client and server endpoints.
Note that, because Kerberos inherently requires client authentication, this transport provider does not support distributed garbage collection (DGC); if DGC is enabled, all DGC remote calls through this provider will silently fail.
The endpoint classes in this package support at least the following constraints:

- ConnectionRelativeTime, trivially on the server side, since this constraint only takes effect on the client side
- ClientMaxPrincipal, when it contains at least one KerberosPrincipal
- ClientMaxPrincipalType, when it contains the KerberosPrincipal class
- ClientMinPrincipal, when it contains exactly one KerberosPrincipal
- ClientMinPrincipalType, when it contains only the KerberosPrincipal class
- ServerMinPrincipal, when it contains exactly one KerberosPrincipal
- ConstraintAlternatives, if the elements all have the same actual class and at least one element is supported
org.ietf.jgss package. An Introduction to JAAS and Java GSS-API Tutorial is also available.
A Kerberos login module can be used to populate a Subject with KerberosPrincipals and credentials (KerberosKeys). Note that by default the login module only stores a Ticket Granting Ticket (TGT), not the Kerberos key of the principal, in the subject after a successful login. A KerberosServerEndpoint instance requires the Kerberos key of its server principal to be present in the subject, while a KerberosEndpoint instance only needs the TGT. For this reason, storeKey=true has to be set as an option in the login module configuration on the server side.
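The following JAAS login configuration is an added example, not part of the provider's documentation. It shows the asymmetry described above: the server entry sets storeKey=true so the Krb5LoginModule keeps the service's long-term KerberosKey in the Subject, while the client entry leaves storeKey at its default (false) and only obtains a TGT. The entry names ServerLogin and ClientLogin, the principal name and the keytab path are constructed placeholders.

```jaas
// Added example (not from the Jini ERI provider docs). Entry names,
// principal and keytab path are constructed placeholders.

// Server side: storeKey=true is what KerberosServerEndpoint needs, since it
// requires the server principal's Kerberos key to be present in the Subject.
// useKeyTab lets the service log in without an interactive password.
ServerLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="jiniservice/host.example.com@EXAMPLE.COM"
        useKeyTab=true
        keyTab="/etc/jini/service.keytab"
        storeKey=true
        doNotPrompt=true;
};

// Client side: a KerberosEndpoint only needs the TGT, so storeKey stays at
// its default of false and no long-term key is kept in the client Subject.
ClientLogin {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true;
};
```

Point the JVM at the file with -Djava.security.auth.login.config=/path/to/jaas.conf (path is a placeholder). Keeping storeKey=false on the client side is the least-privilege choice: a compromised client process then exposes only a time-limited TGT rather than the principal's long-term key.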
This provider does not automatically renew any TGTs in the Subject used by a KerberosEndpoint. The assumption is that the endpoint should merely be a consumer of the principals and credentials of the Subject, and never change its content. But if new TGTs are added into the Subject, or old TGTs in the Subject are renewed by means outside this provider, the endpoint will pick up and use these new TGTs for new requests after the old ones expire.
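The code below is an added example and is not code from the Jini ERI (Apache River) provider itself. It ties together the constraint list and the Subject requirements above: the server logs in through a JAAS entry that uses storeKey=true, builds a KerberosServerEndpoint from that Subject, and asks the endpoint (via checkConstraints) whether a ServerMinPrincipal with exactly one KerberosPrincipal plus Integrity and Confidentiality can be enforced by the transport; the client builds a KerberosEndpoint and issues a request with ServerMinPrincipal so that the server must authenticate as the expected principal. The JAAS entry names ServerLogin and ClientLogin, the host, port and principal name are constructed placeholders, and the example assumes the client endpoint takes its TGT from the Subject associated with the calling access-control context, which is why newRequest runs inside Subject.doAs. TGT renewal is deliberately absent, matching the provider's behaviour: it is the application's job to refresh the Subject.

```java
// Added example, not code from the Jini ERI / Apache River provider.
// Assumes JAAS entries "ServerLogin" (Krb5LoginModule, storeKey=true) and
// "ClientLogin", and a KDC reachable via krb5.conf or the krb5 system
// properties. Host, port and principal names are constructed placeholders.
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import net.jini.core.constraint.ClientAuthentication;
import net.jini.core.constraint.Confidentiality;
import net.jini.core.constraint.Integrity;
import net.jini.core.constraint.InvocationConstraint;
import net.jini.core.constraint.InvocationConstraints;
import net.jini.core.constraint.ServerAuthentication;
import net.jini.core.constraint.ServerMinPrincipal;
import net.jini.jeri.OutboundRequestIterator;
import net.jini.jeri.kerberos.KerberosEndpoint;
import net.jini.jeri.kerberos.KerberosServerEndpoint;

public class KerberosEndpointSetup {

    // Placeholder service principal; both sides must agree on it.
    static final KerberosPrincipal SERVER_PRINCIPAL =
        new KerberosPrincipal("jiniservice/host.example.com@EXAMPLE.COM");

    /** Server side: log in with storeKey=true, then create the server endpoint. */
    static KerberosServerEndpoint createServerEndpoint() throws Exception {
        LoginContext lc = new LoginContext("ServerLogin");
        lc.login();
        Subject serverSubject = lc.getSubject();

        // Throws UnsupportedConstraintException if serverSubject does not hold
        // the KerberosKey for SERVER_PRINCIPAL (i.e. storeKey=true was missing).
        KerberosServerEndpoint se = KerberosServerEndpoint.getInstance(
            serverSubject, SERVER_PRINCIPAL, "host.example.com", 4170);

        // Ask the transport which constraints it enforces itself. A
        // ServerMinPrincipal holding exactly one KerberosPrincipal is in the
        // supported list; anything returned is left for the layer above.
        InvocationConstraints required = new InvocationConstraints(
            new InvocationConstraint[] {
                new ServerMinPrincipal(SERVER_PRINCIPAL),
                ClientAuthentication.YES,
                Integrity.YES,
                Confidentiality.YES },
            null);
        InvocationConstraints leftover = se.checkConstraints(required);
        if (!leftover.isEmpty()) {
            throw new IllegalStateException(
                "constraints not enforced by the transport: " + leftover);
        }
        return se;
    }

    /** Client side: the TGT in the calling Subject is all the endpoint needs. */
    static OutboundRequestIterator openClientRequest() throws Exception {
        LoginContext lc = new LoginContext("ClientLogin");
        lc.login();
        final Subject clientSubject = lc.getSubject();

        final KerberosEndpoint ep = KerberosEndpoint.getInstance(
            "host.example.com", 4170, SERVER_PRINCIPAL);

        // Require the server to prove it is SERVER_PRINCIPAL and protect the
        // stream. The endpoint reads the TGT from the Subject of the calling
        // context (assumption stated in the lead-in), hence Subject.doAs.
        final InvocationConstraints constraints = new InvocationConstraints(
            new InvocationConstraint[] {
                ServerAuthentication.YES,
                new ServerMinPrincipal(SERVER_PRINCIPAL),
                Integrity.YES,
                Confidentiality.YES },
            null);

        return Subject.doAs(clientSubject,
            new PrivilegedExceptionAction<OutboundRequestIterator>() {
                public OutboundRequestIterator run() {
                    return ep.newRequest(constraints);
                }
            });
    }
}
```

On the client, pinning ServerMinPrincipal to the expected service principal is what prevents a different principal in the same realm from answering as the service; on the server, rejecting a non-empty result from checkConstraints makes a misconfigured deployment fail at start-up instead of silently running with weaker protection.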
Due to security concerns, this implementation sometimes only throws an
exception revealing the specific cause of a problem if the caller is
otherwise it throws a generic exception that enumerates possible
The endpoint classes use Logger instances to log the following events.

Client endpoint logger:

- failure to register with discovery provider
- problems supporting constraint requirements, connecting to the server through a socket, or establishing the GSSContext
- exceptions caught attempting to set TCP no delay or keep alive properties on sockets, connect a socket, or reuse a connection
- endpoint creation
- data message encoding/decoding using the Jini ERI multiplexing protocol

Server endpoint logger:

- unexpected failure while accepting connections on the created server socket
- problems with permission checking, or with server principal and Kerberos key presence checking
- failure to set TCP no delay or keep alive properties on sockets
- server endpoint creation
- data message encoding/decoding using the Jini ERI multiplexing protocol
KDC and realm configuration:

As described in the javax.security.auth.kerberos package, a user can provide the default realm and default Key Distribution Center (KDC) host using the system properties java.security.krb5.realm and java.security.krb5.kdc. Alternatively, an MIT style configuration file can be provided in its default location under <java-home>, where <java-home> is the directory where J2SE is installed. If the file is placed elsewhere, the system property java.security.krb5.conf can be used to specify its location. A more detailed description of the search scheme for krb5.conf can be found here.
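As an added example (not from the provider documentation), here is a minimal MIT-style krb5.conf that gives the JVM the same two facts the system properties would (default realm and KDC host) plus the host-to-realm mapping. The realm EXAMPLE.COM, the KDC host name and the domain entries are constructed placeholders. The equivalent property form is -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kdc.example.com; the JDK expects both properties to be set together.

```ini
# Added example, not from the provider docs. Realm, KDC host and domain
# mappings are constructed placeholders. Place the file in the JDK's default
# location or name it with -Djava.security.krb5.conf=/path/to/krb5.conf.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Restrict negotiation to AES; keeps a misconfigured client or KDC from
    # falling back to weaker legacy enctypes.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

On the J2SE-era runtimes this provider targets, aes256-cts-hmac-sha1-96 is only usable once the unlimited-strength JCE policy files are installed; if the KDC issues only AES-256 keys and the policy files are absent, the GSSContext handshake fails and this provider logs it under the constraint/connection problems listed earlier.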
System properties supported by this provider

The client endpoints of this provider recognize the following system properties:

- the minimum remaining lifetime that the GSSContext of an existing connection has to have before it can be considered as a candidate connection to be chosen for a new request. The default is 30.
- retries of the GSSContext initialization handshake: this system property controls the maximum number of retries a KerberosEndpoint will conduct. The default is 3.
Copyright 2007-2013, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.