JAAS programming framework integration
Oracle NoSQL Database allows client applications to integrate with programs using the Java Authentication and Authorization Service (JAAS) programming framework.
Use the oracle.kv.jaas.login.conf.entryName security property to name the entry in the JAAS login configuration file that the client should log in with.
Note:
If a JAAS login configuration file is set, you cannot specify keytab or credential cache in security properties.
A login configuration file would then contain content like this:
oraclenosql {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab=test.keytab
        storeKey=true
        principal=krbuser
        doNotPrompt=false;
};
where oraclenosql is the value of oracle.kv.jaas.login.conf.entryName. This configuration file can be used for Kerberos login.
In the following example, assume the client application has already obtained the Kerberos credentials for user krbuser before it tries to connect to Oracle NoSQL Database. You do not have to specify security properties in the login file. You can specify the credentials using the Subject.doAs method:
import java.security.PrivilegedExceptionAction;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import oracle.kv.KVSecurityConstants;
import oracle.kv.KVStore;
import oracle.kv.KVStoreConfig;
import oracle.kv.KVStoreFactory;
import oracle.kv.KerberosCredentials;

public class JaasKerberosExample {

    public static KVStore connect() throws Exception {
        // Placeholder values: replace with the client trust store path, the helper
        // host name and the service principal registered for that host in your KDC.
        final String trustStore = "/path/to/client.trust";
        final String hostName = "nosql1";
        final String servicePrincipal = "oraclenosql/nosql1.example.com@EXAMPLE.COM";

        final LoginContext lc =
            new LoginContext("oraclenosql", new TextCallbackHandler());
        // Attempt authentication
        lc.login();
        // Get the authenticated Subject
        final Subject subj = lc.getSubject();
        // Specify configuration
        final KVStoreConfig kvConfig =
            new KVStoreConfig("mystore", "nosql1:5000");
        // Set security properties (the SSL transport is required)
        final Properties securityProps = new Properties();
        securityProps.setProperty(KVSecurityConstants.TRANSPORT_PROPERTY,
                                  KVSecurityConstants.SSL_TRANSPORT_NAME);
        securityProps.setProperty(
            KVSecurityConstants.SSL_TRUSTSTORE_FILE_PROPERTY,
            trustStore);
        kvConfig.setSecurityProperties(securityProps);
        // Set Kerberos properties
        final Properties krbProperties = new Properties();
        // Set the service principal associated with the helper host
        krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_SERVICES_PROPERTY,
                                  hostName + ":" + servicePrincipal);
        // Set the default realm name, because the short name
        // for the user principal is used.
        krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_REALM_PROPERTY,
                                  "EXAMPLE.COM");
        // Specify the Kerberos principal
        final KerberosCredentials krbCreds =
            new KerberosCredentials("krbuser", krbProperties);
        // Get the store using the credentials held in the subject
        KVStore kvstore = Subject.doAs(
            subj, new PrivilegedExceptionAction<KVStore>() {
                @Override
                public KVStore run() throws Exception {
                    return KVStoreFactory.getStore(kvConfig, krbCreds, null);
                }
            });
        return kvstore;
    }
}
In this case, a KerberosCredentials instance is used to set the security properties needed to retrieve the credentials of the specified user principal from the KDC.
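The note above rules out combining a JAAS entry with keytab or credential-cache security properties, and the named entry must actually exist in the JAAS configuration the JVM loads. The pre-flight check below is an added example, not Oracle's code; it assumes the AUTH_KRB_KEYTAB_PROPERTY and AUTH_KRB_CCACHE_PROPERTY constants of KVSecurityConstants and uses the property name given on this page as a literal.

```java
import java.io.File;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import oracle.kv.KVSecurityConstants;

/** Pre-flight checks for a client that logs in through a JAAS entry (added example). */
public final class JaasConfigCheck {
    /** Property name from this page, used as a literal rather than a constant. */
    static final String ENTRY_NAME_PROPERTY = "oracle.kv.jaas.login.conf.entryName";

    /** Fails if a JAAS entry is named together with a keytab or credential cache. */
    static void checkNoKeytabOrCcache(Properties securityProps) {
        if (securityProps.getProperty(ENTRY_NAME_PROPERTY) == null) {
            return; // no JAAS entry: keytab/ccache properties are allowed
        }
        // Keytab/ccache constants are assumed to exist in KVSecurityConstants.
        for (String p : new String[] {KVSecurityConstants.AUTH_KRB_KEYTAB_PROPERTY,
                                      KVSecurityConstants.AUTH_KRB_CCACHE_PROPERTY}) {
            if (securityProps.getProperty(p) != null) {
                throw new IllegalStateException(p + " cannot be combined with " + ENTRY_NAME_PROPERTY);
            }
        }
    }

    /**
     * Fails if the JAAS Configuration the JVM loaded (java.security.auth.login.config)
     * lacks the entry, does not use Krb5LoginModule, or points at an unreadable keytab.
     */
    static void checkJaasEntry(String entryName) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("no JAAS entry named " + entryName);
        }
        for (AppConfigurationEntry e : entries) {
            if (!e.getLoginModuleName().endsWith("Krb5LoginModule")) {
                throw new IllegalStateException(entryName + " does not use Krb5LoginModule");
            }
            Map<String, ?> opts = e.getOptions();
            Object keyTab = opts.get("keyTab");
            if ("true".equals(opts.get("useKeyTab"))
                    && (keyTab == null || !new File(keyTab.toString()).canRead())) {
                throw new IllegalStateException(entryName + " keytab unreadable: " + keyTab);
            }
        }
    }
}
```

Run both checks on the client's security Properties before constructing the LoginContext, so a contradictory property set or a missing entry fails with a clear message instead of a late login failure.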