Class PacDataActiveDirectoryRealm

  • All Implemented Interfaces:
    MBeanRegistration, Contained, JmxEnabled, Lifecycle, Realm

    public class PacDataActiveDirectoryRealm
    extends ActiveDirectoryRealmBase
    A realm which decodes authorization data for already authenticated Active Directory users from the MS-PAC.

    This realm requires your JVM to provide an ExtendedGSSContext implementation. It uses InquireType.KRB5_GET_AUTHZ_DATA to extract the AuthorizationData (RFC 4120, section 5.2.6) from an established security context, uses the Pac parser to extract all relevant authorization data (group SIDs), validates the PAC server signature with the PrivateSunPacSignatureVerifier and the supplied keytab (login context), and processes the data according to MS-KILE, section 3.4.5.3.
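    The extraction step described above, as an added example that is not part of the project's code: it asks an established ExtendedGSSContext for KRB5_GET_AUTHZ_DATA, unwraps AD-IF-RELEVANT containers with a minimal DER decoder and returns the raw AD-WIN2K-PAC blobs. The class and method names are assumptions, it requires a JDK that exports com.sun.security.jgss, and signature verification and PAC parsing are left to the project's own verifier and parser.

```java
import java.util.*;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
public final class PacExtractor {   // hypothetical helper, not the project's own code
    static final int AD_IF_RELEVANT = 1;   // RFC 4120, section 7.5.4
    static final int AD_WIN2K_PAC = 128;   // MS-PAC: the PAC itself, nested inside AD-IF-RELEVANT
    // Returns every PAC carried in the ticket; empty when the JVM offers no ExtendedGSSContext.
    public static List<byte[]> extractPacs(GSSContext ctx) throws GSSException {
        List<byte[]> pacs = new ArrayList<>();
        if (!ctx.isEstablished() || !(ctx instanceof ExtendedGSSContext)) return pacs;
        Object authz = ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        if (authz instanceof AuthorizationDataEntry[]) collect((AuthorizationDataEntry[]) authz, pacs);
        return pacs;   // still untrusted: verify the server checksum with the keytab key before using any SID
    }
    private static void collect(AuthorizationDataEntry[] entries, List<byte[]> out) {
        for (AuthorizationDataEntry e : entries) {
            if (e.getType() == AD_WIN2K_PAC) out.add(e.getData());
            else if (e.getType() == AD_IF_RELEVANT) collect(parseAuthorizationData(e.getData()), out);
        }
    }
    // Minimal DER decoder: AuthorizationData ::= SEQUENCE OF SEQUENCE { [0] ad-type INTEGER, [1] ad-data OCTET STRING }
    static AuthorizationDataEntry[] parseAuthorizationData(byte[] der) {
        List<AuthorizationDataEntry> list = new ArrayList<>();
        int[] pos = {0};
        int end = expect(der, pos, 0x30);                                   // outer SEQUENCE OF
        while (pos[0] < end) {
            int elemEnd = expect(der, pos, 0x30);                           // one element
            expect(der, pos, 0xA0); int intEnd = expect(der, pos, 0x02);    // [0] ad-type
            int type = 0; while (pos[0] < intEnd) type = (type << 8) | (der[pos[0]++] & 0xFF);
            expect(der, pos, 0xA1); int dataEnd = expect(der, pos, 0x04);   // [1] ad-data
            list.add(new AuthorizationDataEntry(type, Arrays.copyOfRange(der, pos[0], dataEnd)));
            pos[0] = elemEnd;                                               // advance to the next element
        }
        return list.toArray(new AuthorizationDataEntry[0]);
    }
    // Consumes one tag byte plus its DER length; returns the offset just past the value.
    private static int expect(byte[] b, int[] pos, int tag) {
        if ((b[pos[0]++] & 0xFF) != tag) throw new IllegalArgumentException("unexpected DER tag");
        int len = b[pos[0]++] & 0xFF;
        if (len >= 0x80) {                          // long form 0x8N + N length bytes (a PAC exceeds 127 bytes)
            int n = len & 0x7F; if (n == 0 || n > 4) throw new IllegalArgumentException("invalid DER length");
            for (len = 0; n-- > 0; ) len = (len << 8) | (b[pos[0]++] & 0xFF);
        }
        return pos[0] + len;
    }
}
```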

    Configuration

    The following options can be configured:
    • loginEntryName: the login entry identical to the one from GSSAuthenticatorBase.getLoginEntryName().
    • prependRoleFormat: whether the role format is prepended to the role as {roleFormat}:{role}. Default is false.
    • addAdditionalAttributes: whether the following additional attributes with their LDAP name counterparts are added to the principal: sAMAccountName, displayName, userPrincipalName (if available), msDS-PrincipalName. Default is false.

    Note: This realm is meant as an alternative to the ActiveDirectoryRealm when no additional attributes or role formats beyond those provided by the PAC data are required and SPNEGO authentication is used (X.509 authentication is not supported). Moreover, all processing happens in memory; for that reason it is orders of magnitude faster than the previously mentioned one.

    • Field Detail

      • loginEntryName

        protected String loginEntryName
      • prependRoleFormat

        protected boolean prependRoleFormat
      • addAdditionalAttributes

        protected boolean addAdditionalAttributes
    • Constructor Detail

      • PacDataActiveDirectoryRealm

        public PacDataActiveDirectoryRealm()
    • Method Detail

      • setLoginEntryName

        public void setLoginEntryName(String loginEntryName)
        Sets the login entry name which establishes the security context.
        Parameters:
        loginEntryName - the login entry name
      • setPrependRoleFormat

        public void setPrependRoleFormat(boolean prependRoleFormat)
        Sets whether the role format is prepended to the role.
        Parameters:
        prependRoleFormat - the prepend role format indication
      • setAddAdditionalAttributes

        public void setAddAdditionalAttributes(boolean addAdditionalAttributes)
        Sets whether the additional attributes are added to the principal.
        Parameters:
        addAdditionalAttributes - the add additional attributes indication
      • getKeys

        protected Key[] getKeys()