PicketBox / SECURITY-352

Cache Server Subject

Details

    • Feature Request
    • Resolution: Unresolved
    • Major
    • Negotiation_2_1_7
    • None
    • Negotiation
    • None

    Description

      Each authentication process currently has 3 AS-REQ requests (6 if pre-auth is an issue).

      One request for each of the SPNEGO round trips and then one request for the LDAP search.

      Attempts to make use of a local ticket cache failed:

      <!--
      <module-option name="useTicketCache">true</module-option>
      <module-option name="renewTGT">true</module-option>
      <module-option name="ticketCache">/home/darranl/src/negotiation-as/jboss-4.2.2.GA-AD/testserver.cache</module-option>
      -->

      Because the keytab had not been read, the requirements for storeKey were not met; storeKey is needed for SPNEGO.

      <module-option name="storeKey">true</module-option>

      A mechanism to cache the server subject is needed.

      The expiration time of the ticket can be obtained to decide how long to cache the ticket for:

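      import java.util.Set;
      import javax.security.auth.kerberos.KerberosTicket;

      // serverSubject is the Subject obtained from the server's JAAS login.
      Set<Object> privateCredentials = serverSubject.getPrivateCredentials();
      for (Object current : privateCredentials)
      {
         if (current instanceof KerberosTicket)
         {
            KerberosTicket ticket = (KerberosTicket) current;
            // The end time bounds how long the server subject can be cached.
            System.out.println(ticket.getEndTime());
         }
      }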
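
One way the requested cache could look, as an added example that is not part of the original issue or of the PicketBox code base. The class name `ServerSubjectCache`, the one-minute safety margin, and the assumption that the JAAS entry needs no callback handler (keytab login) are all hypothetical.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: caches the server Subject until its earliest ticket nears expiry. */
public class ServerSubjectCache {
    private static final long SAFETY_MARGIN_MS = 60_000L; // assumed refresh margin

    private final String securityDomain; // name of the JAAS configuration entry (assumed)
    private Subject cached;
    private long validUntil; // epoch millis; 0 forces a login on first use

    public ServerSubjectCache(String securityDomain) {
        this.securityDomain = securityDomain;
    }

    /** Returns the cached Subject, logging in again only once it is no longer usable. */
    public synchronized Subject getServerSubject() throws LoginException {
        if (cached == null || System.currentTimeMillis() >= validUntil) {
            LoginContext lc = new LoginContext(securityDomain);
            lc.login(); // the only point at which a new AS-REQ is sent
            cached = lc.getSubject();
            validUntil = expiryOf(cached) - SAFETY_MARGIN_MS;
        }
        return cached;
    }

    /** Earliest end time across all live Kerberos tickets held by the Subject. */
    static long expiryOf(Subject subject) {
        long earliest = Long.MAX_VALUE;
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.isDestroyed()) {
                continue; // a destroyed ticket has no usable end time
            }
            Date end = ticket.getEndTime();
            if (end != null) {
                earliest = Math.min(earliest, end.getTime());
            }
        }
        // No ticket found: return 0 so the Subject is never served from the cache.
        return earliest == Long.MAX_VALUE ? 0L : earliest;
    }
}
```

With `storeKey` set to true the cached Subject carries the server's long-term Kerberos keys in its private credentials, so the cache should stay in process memory and never be serialized or logged.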

            People

              Unassigned Unassigned
              darran.lofthouse@redhat.com Darran Lofthouse