The IBM® JGSS includes an optional JAAS login facility that allows the application to use JAAS to obtain credentials. After the JAAS login facility saves principal credentials and secret keys in the subject object of a JAAS login context, JGSS can retrieve the credentials from that subject.
The default behavior of JGSS is to retrieve credentials and secret keys from the subject. You can disable this feature by setting the Java™ property javax.security.auth.useSubjectCredsOnly to false.
Although the pure Java JGSS provider can use the login interface, the native System i5™ JGSS provider cannot.
For more information about JAAS features, see Obtaining Kerberos credentials and creating secret keys.
To use the JAAS login facility, your application must follow the JAAS programming model in the following ways:
The following code snippet illustrates the concept of operating within the confines of a JAAS Subject.doAs construction:
static class JGSSOperations implements PrivilegedExceptionAction { public JGSSOperations() {} public Object run () throws GSSException { // JGSS application code goes/runs here } } public static void main(String args[]) throws Exception { // Create a login context that will use the Kerberos // callback handler // com.ibm.security.auth.callback.Krb5CallbackHandler // There must be a JAAS configuration for "JGSSClient" LoginContext loginContext = new LoginContext("JGSSClient", new Krb5CallabackHandler()); loginContext.login(); // Run the entire JGSS application in JAAS privileged mode Subject.doAsPrivileged(loginContext.getSubject(), new JGSSOperations(), null); }
Related concepts
IBM JGSS application programming steps