# HG changeset patch
# User weijun
# Date 1520566572 -28800
# Node ID 82a3005cb038d2a096e1a9b9cdd241550a392d54
# Parent 1d2cb50c14922e47ba6c197775457a6b74142428
8199154: Accessibility issues in jdk.security.auth
Reviewed-by: valeriep

diff -r 1d2cb50c1492 -r 82a3005cb038 src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java --- a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Fri Mar 02 11:43:19 2018 +0100 +++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Fri Mar 09 11:36:12 2018 +0800 @@ -237,56 +237,56 @@ * {@code useFirstPass = true}, no user prompt is made. *
Examples of some configuration values for Krb5LoginModule in * JAAS config file and the results are: - *
+ * * * @author Ram Marti */ diff -r 1d2cb50c1492 -r 82a3005cb038 src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java --- a/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java Fri Mar 02 11:43:19 2018 +0100 +++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java Fri Mar 09 11:36:12 2018 +0800 @@ -92,7 +92,6 @@ * *- *
- + * is set and the user can not be prompted for the password. * - *
{@code + *+ *{@code * doNotPrompt = true}* This is an illegal combination since none of {@code useTicketCache, * useKeyTab, useFirstPass} and {@code tryFirstPass} - * is set and the user can not be prompted for the password.- + * will occur. * - *
{@code + *{@code * ticketCache =* This is an illegal combination since {@code useTicketCache} * is not set to true and the ticketCache is set. A configuration error - * will occur.} - + * not set to true and renewTGT is set. A configuration error will occur. * - *
{@code + *{@code * renewTGT = true}* This is an illegal combination since {@code useTicketCache} is - * not set to true and renewTGT is set. A configuration error will occur.- + * the keytab, or from the shared state. A configuration error will occur. * - *
{@code + *{@code * storeKey = true useTicketCache = true doNotPrompt = true}* This is an illegal combination since {@code storeKey} is set to * true but the key can not be obtained either by prompting the user or from - * the keytab, or from the shared state. A configuration error will occur.- + * the keyTab is set. A configuration error will occur. * - *
{@code + *{@code * keyTab =* This is an illegal combination since useKeyTab is not set to true and - * the keyTab is set. A configuration error will occur.doNotPrompt = true} - + * Output debug messages. * - *
{@code + *{@code * debug = true}* Prompt the user for the principal name and the password. * Use the authentication exchange to get TGT from the KDC and * populate the {@code Subject} with the principal and TGT. - * Output debug messages.- + * do not prompt the user, instead fail the authentication. * - *
{@code + *{@code * useTicketCache = true doNotPrompt = true}* Check the default cache for TGT and populate the {@code Subject} * with the principal and TGT. If the TGT is not available, - * do not prompt the user, instead fail the authentication.- + * authentication will fail. * - *
{@code + *{@code * principal =* Get the TGT from the default cache for the principal and populate the * Subject's principal and private creds set. If ticket cache is * not available or does not contain the principal's TGT - * authentication will fail.useTicketCache = true doNotPrompt = true} - + * If the key is not available or valid then authentication will fail. * - *
{@code + *{@code * useTicketCache = true * ticketCache =* useKeyTab = true @@ -297,9 +297,9 @@ * use the key in the keytab to perform authentication exchange with the * KDC and acquire the TGT. * The Subject will be populated with the principal and the TGT. - * If the key is not available or valid then authentication will fail. - + * The Subject will be populated with the TGT. * - *
{@code + *{@code * useTicketCache = true ticketCache =* The TGT will be obtained from the cache specified. * The Kerberos principal name used will be the principal name in @@ -307,17 +307,17 @@ * ticket cache the user will be prompted for the principal name * and the password. The TGT will be obtained using the authentication * exchange with the KDC. - * The Subject will be populated with the TGT.} - + * password entered. * - *
{@code + *{@code * useKeyTab = true keyTab=* The key for the principal will be retrieved from the keytab. * If the key is not available in the keytab the user will be prompted * for the principal's password. The Subject will be populated * with the principal's key either from the keytab or derived from the - * password entered.principal = storeKey = true} - + * Subject's private credentials set. Otherwise the authentication will fail. * - *
{@code + *{@code * useKeyTab = true keyTab =* The user will be prompted for the service principal name. * If the principal's @@ -325,14 +325,14 @@ * Subject's private credentials. An authentication exchange will be * attempted with the principal name and the key from the Keytab. * If successful the TGT will be added to the - * Subject's private credentials set. Otherwise the authentication will fail.storeKey = true doNotPrompt = false} - + * as long that principal has keys in the keytab. * - *
{@code + *{@code * isInitiator = false useKeyTab = true keyTab =* The acceptor will be an unbound acceptor and it can act as any principal - * as long that principal has keys in the keytab.storeKey = true principal = *} - + * Subject's private credentials set. * - *
{@code + *{@code * useTicketCache = true * ticketCache =* useKeyTab = true @@ -347,21 +347,21 @@ * This secret key will be first retrieved from the keytab. If the key * is not available, the user will be prompted for the password. In either * case, the key derived from the password will be added to the - * Subject's private credentials set. - + * For initiators, do not set this value to false. * - *
{@code + *{@code * isInitiator = false}* Configured to act as acceptor only, credentials are not acquired * via AS exchange. For acceptors only, set this value to false. - * For initiators, do not set this value to false.- + * option unset, in which case default value (true) will be used. * - *
{@code + *{@code * isInitiator = true}* Configured to act as initiator, credentials are acquired * via AS exchange. For initiators, set this value to true, or leave this - * option unset, in which case default value (true) will be used.
The following option is mandatory and must be specified in this * module's login {@link Configuration}: - *
userProvider=ldap_urls
* This module also recognizes the following optional {@link Configuration} * options: - *
userFilter=ldap_filter
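
Review bot: Option names are marked up inconsistently in the illegal-combination descriptions of Krb5LoginModule.java, hunk @@ -237,56 +237,56 @@. The keyTab entry is re-added as "since useKeyTab is not set to true and the keyTab is set" with bare names, and the renewTGT and ticketCache entries likewise say "renewTGT is set" and "the ticketCache is set", while the same sentences write "since {@code useTicketCache} is not set to true". Since these description lines are removed and re-added by the change anyway, wrap useKeyTab, keyTab, renewTGT and ticketCache in {@code ...} so that every option name in the examples is rendered the same way. The first entry's "the user can not be prompted" could become "cannot" in the same pass.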
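
Review bot: A grammar slip is carried over unchanged in Krb5LoginModule.java, hunk @@ -325,14 +325,14 @@, where the unbound-acceptor description is re-added as "as long that principal has keys in the keytab." Suggest "as long as that principal has keys in the keytab", since the line is already being touched. This sentence is the only statement of which principals an acceptor configured with "principal = *" may act as, so it is worth having it read cleanly.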