Tags: java, classpath, kerberos, jaas, keytab

Is it possible to reference a keytab from the classpath in jaas.conf?

I have tried the below, but nothing seems to work:

    Client{
    keyTab=classpath:/mykeytab.keytab
    }

    Client{
    keyTab=file:/mykeytab.keytab
    }

    Client{
    keyTab=file:resources/mykeytab.keytab
    }

Solution

  • As far as I know, it is not possible to use anything but an absolute path to a keytab in the jaas.conf file.

    In the Krb5LoginModule.java, one sees (from, e.g., Krb5LoginModule.java at github.com)

    if (useKeyTab) {
      // a null keyTabName means "use the default keytab"; otherwise the
      // option value is handed straight to java.io.File
      ktab = (keyTabName == null)
               ? KeyTab.getInstance()
               : KeyTab.getInstance(new File(keyTabName));
    }


    And the .getInstance() code will use the .getPath() on the instantiated File object (see KeyTab.java).

    Consequently, there is nothing in the basic approach that will search the classpath. Also, see this question here about keytab configuration as well.

    That said, and not shown in the OP's configuration file, it is possible to change the class from the usual "com.sun.security.auth.module.Krb5LoginModule" to a custom module. In this custom module, one can then do things such as setting entries in the Map<String,?> parameter that is used in the initialize method of the Krb5LoginModule.

    We have implemented such an approach to allow the various settings to be defined in our client application rather than trying to have our users edit a jaas.conf file on the client. So, we use a custom module that uses a Composition approach encapsulating a Krb5LoginModule, but sets all of the desired options into the Map.

    It is something like:

    // krb5LM is the encapsulated com.sun.security.auth.module.Krb5LoginModule,
    // _subject the Subject being authenticated and mSS the shared-state map
    // passed through from our own initialize() method.
    Map<String, String> mOpts = new HashMap<>(); // options

    mOpts.put("doNotPrompt", Boolean.TRUE.toString());
    mOpts.put("useTicketCache", Boolean.FALSE.toString());
    mOpts.put("useKeyTab", Boolean.TRUE.toString());
    mOpts.put("keyTab", options.getKeytabPath().toString()); // must be an absolute filesystem path
    mOpts.put("principal", PrincipalUtils.getDefaultPrincipal().getName());

    krb5LM.initialize(_subject, options.getCallbackHandler(), mSS, mOpts);

    //
    // attempt to authenticate the user
    //
    krb5LM.login();


    It is possible to search the classpath for a desired filename and then pass the found file to the Map. In the quasi-example above, the options object has pulled the keytab from the user's preferences and validated it. But rather than having a specific pre-browsed file, one could implement a search of the classpath.
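The following is an added, complete example of the composition approach the answer describes, not code from the answerer or from the JDK. It wraps Krb5LoginModule in a custom LoginModule that resolves the keytab from the classpath, hands the resulting absolute path to the delegate, and removes any copy it had to make. The option name keyTabResource, the class name and the principal in the comment are all invented for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.module.Krb5LoginModule;

/*
 * Hypothetical jaas.conf entry for this module (keyTabResource is an option
 * name invented for this example, not one Krb5LoginModule understands):
 *
 *   Client {
 *       com.example.ClasspathKeytabLoginModule required
 *           keyTabResource="/mykeytab.keytab"
 *           principal="svc/host.example.com@EXAMPLE.COM";
 *   };
 */
public class ClasspathKeytabLoginModule implements LoginModule {

    // Composition, as in the answer: the Kerberos work stays in the JDK module.
    private final Krb5LoginModule delegate = new Krb5LoginModule();
    // Set only when the keytab had to be copied out of a jar; deleted in abort/logout.
    private Path extractedKeytab;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        String resource = (String) options.get("keyTabResource");
        String principal = (String) options.get("principal");
        if (resource == null || principal == null) {
            throw new IllegalArgumentException("keyTabResource and principal options are required");
        }

        Path keytabPath;
        try {
            keytabPath = locateKeytab(resource);
        } catch (IOException e) {
            throw new IllegalStateException("cannot resolve keytab resource " + resource, e);
        }

        // Same option set as the answer's quasi-example, keyTab now an absolute path.
        Map<String, String> opts = new HashMap<>();
        opts.put("doNotPrompt", "true");
        opts.put("useTicketCache", "false");
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath.toAbsolutePath().toString());
        opts.put("principal", principal);
        delegate.initialize(subject, handler, sharedState, opts);
    }

    // Resolve the classpath resource to a file. A resource that already lives on disk
    // is used in place; one packed in a jar is copied to a temp file readable only by
    // the current user (Files.createTempFile uses rw------- on POSIX systems).
    private Path locateKeytab(String resource) throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) cl = ClasspathKeytabLoginModule.class.getClassLoader();
        // ClassLoader.getResource() does not accept a leading slash.
        URL url = cl.getResource(resource.startsWith("/") ? resource.substring(1) : resource);
        if (url == null) throw new IOException("keytab resource not found on classpath: " + resource);
        if ("file".equals(url.getProtocol())) {
            try {
                return Paths.get(url.toURI());
            } catch (URISyntaxException e) {
                throw new IOException(e);
            }
        }
        Path tmp = Files.createTempFile("keytab-", ".keytab");
        try (InputStream in = url.openStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
        } catch (IOException e) {
            Files.deleteIfExists(tmp);
            throw e;
        }
        tmp.toFile().deleteOnExit(); // fallback in case logout() is never reached
        extractedKeytab = tmp;
        return tmp;
    }

    @Override public boolean login() throws LoginException { return delegate.login(); }
    @Override public boolean commit() throws LoginException { return delegate.commit(); }

    @Override
    public boolean abort() throws LoginException {
        cleanup();
        return delegate.abort();
    }

    @Override
    public boolean logout() throws LoginException {
        cleanup();
        return delegate.logout();
    }

    // Remove the extracted secret as soon as the login context is done with it.
    private void cleanup() {
        if (extractedKeytab != null) {
            try { Files.deleteIfExists(extractedKeytab); } catch (IOException ignored) { }
            extractedKeytab = null;
        }
    }
}
```

Two points worth keeping in mind with this design: a keytab on the classpath ships inside the artifact, so everyone who can read the jar holds that principal's long-term key, and the extraction step writes the key to disk, which is why the copy is created owner-readable only and removed again in abort() and logout(). JAAS instantiates the module reflectively, so the class must stay public with its implicit no-argument constructor.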