JAAS programming framework integration

Oracle NoSQL Database allows client applications to integrate with programs that use the Java Authentication and Authorization Service (JAAS) programming framework.

Use the oracle.kv.jaas.login.conf.entryName security property to specify the JAAS login configuration.

Note:

If a JAAS login configuration file is set, you cannot specify keytab or credential cache in security properties.

A login configuration file would then contain content like this:

oraclenosql {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab=test.keytab
   storeKey=true
   principal=krbuser
   doNotPrompt=false;
};

where oraclenosql is the value for oracle.kv.jaas.login.conf.entryName. This configuration file can be used for Kerberos login.

In the following example, assume the client application has already obtained the Kerberos credentials for user krbuser before it tries to connect to Oracle NoSQL Database. You do not need to specify security properties in the login file; instead, you supply the credentials through the Subject.doAs method:

// Imports required by the code below
import java.security.PrivilegedExceptionAction;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import oracle.kv.KVSecurityConstants;
import oracle.kv.KVStore;
import oracle.kv.KVStoreConfig;
import oracle.kv.KVStoreFactory;
import oracle.kv.KerberosCredentials;

// Placeholder values; replace with the client's truststore path, the
// helper host name and the service principal registered for that host
final String trustStore = "/path/to/client.trust";
final String hostName = "nosql1";
final String servicePrincipal = "oraclenosql/nosql1.example.com@EXAMPLE.COM";

// Create a login context for the "oraclenosql" JAAS entry
final LoginContext lc =
    new LoginContext("oraclenosql", new TextCallbackHandler());

// Attempt authentication
lc.login();

// Get the authenticated Subject
final Subject subj = lc.getSubject();

// Specify configuration
final KVStoreConfig kvConfig =
    new KVStoreConfig("mystore", "nosql1:5000");

// Set the security properties needed for SSL
final Properties securityProps = new Properties();
securityProps.setProperty(KVSecurityConstants.TRANSPORT_PROPERTY,
                          KVSecurityConstants.SSL_TRANSPORT_NAME);
securityProps.setProperty(
                 KVSecurityConstants.SSL_TRUSTSTORE_FILE_PROPERTY,
                 trustStore);
kvConfig.setSecurityProperties(securityProps);

// Set Kerberos properties
final Properties krbProperties = new Properties();

// Set service principal associated with helper host
krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_SERVICES_PROPERTY,
                          hostName + ":" + servicePrincipal);

// Set default realm name, because the short name
// for user principal is used.
krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_REALM_PROPERTY,
                          "EXAMPLE.COM");

// Specify Kerberos principal
final KerberosCredentials krbCreds =
    new KerberosCredentials("krbuser", krbProperties);

// Get store using credentials in subject; getStore runs with the
// authenticated Subject's Kerberos credentials
KVStore kvstore = Subject.doAs(
    subj, new PrivilegedExceptionAction<KVStore>() {
        @Override
        public KVStore run() throws Exception {
            return KVStoreFactory.getStore(kvConfig, krbCreds, null);
        }
    });

In this case, a KerberosCredentials instance is used to set the security properties needed to retrieve the credentials of the specified user principal from the KDC.
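The alternative to calling Subject.doAs yourself is to name the JAAS entry through the oracle.kv.jaas.login.conf.entryName security property described at the top of this page, so that the login configuration file (the oraclenosql entry shown above) drives the Kerberos login. The following is an added example written for this page, not code from the Oracle NoSQL Database documentation or client library; the JAAS configuration file path, keytab path, truststore path, helper host name and service principal are assumed placeholder values. Because the Krb5LoginModule reads a long-lived keytab, the example also refuses to start if that keytab is readable by anyone other than its owner, a check the documentation does not include:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

import oracle.kv.KVSecurityConstants;
import oracle.kv.KVStore;
import oracle.kv.KVStoreConfig;
import oracle.kv.KVStoreFactory;
import oracle.kv.KerberosCredentials;

public class JaasKerberosClient {

    /**
     * Fail fast if the keytab named by the JAAS entry (keyTab=...) grants
     * any permission to group or others. Krb5LoginModule does not check
     * this itself, and a readable keytab is a reusable credential.
     */
    static void requireOwnerOnly(Path keytab) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        EnumSet<PosixFilePermission> leaked = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        leaked.retainAll(perms);
        if (!leaked.isEmpty()) {
            throw new IOException(keytab + " must be accessible only by its owner; found "
                                  + leaked);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: jaasConf holds the "oraclenosql { ... }" entry from
        // this page, and keytab is the file its keyTab= option points at.
        Path jaasConf = Paths.get("/etc/nosql/jaas.conf");
        Path keytab = Paths.get("test.keytab");
        requireOwnerOnly(keytab);

        // Standard JAAS system property naming the login configuration file.
        System.setProperty("java.security.auth.login.config", jaasConf.toString());

        // Assumed store name, helper host and service principal.
        String hostName = "nosql1";
        String servicePrincipal = "oraclenosql/nosql1.example.com@EXAMPLE.COM";
        KVStoreConfig kvConfig = new KVStoreConfig("mystore", hostName + ":5000");

        // SSL transport, as in the Subject.doAs example above.
        Properties securityProps = new Properties();
        securityProps.setProperty(KVSecurityConstants.TRANSPORT_PROPERTY,
                                  KVSecurityConstants.SSL_TRANSPORT_NAME);
        securityProps.setProperty(KVSecurityConstants.SSL_TRUSTSTORE_FILE_PROPERTY,
                                  "/etc/nosql/client.trust");
        // Name the JAAS entry. With this property set, the keytab and
        // credential-cache security properties must not also be specified.
        securityProps.setProperty("oracle.kv.jaas.login.conf.entryName", "oraclenosql");
        kvConfig.setSecurityProperties(securityProps);

        // Kerberos properties, identical in shape to the example above.
        Properties krbProperties = new Properties();
        krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_SERVICES_PROPERTY,
                                  hostName + ":" + servicePrincipal);
        krbProperties.setProperty(KVSecurityConstants.AUTH_KRB_REALM_PROPERTY,
                                  "EXAMPLE.COM");
        KerberosCredentials krbCreds = new KerberosCredentials("krbuser", krbProperties);

        // No explicit LoginContext or Subject.doAs: the client performs the
        // JAAS login using the named entry when it opens the store.
        KVStore store = KVStoreFactory.getStore(kvConfig, krbCreds, null);
        try {
            System.out.println("Connected as krbuser via JAAS entry oraclenosql");
        } finally {
            store.close();
        }
    }
}
```

Keep the two approaches separate: either perform the login yourself and pass the Subject through Subject.doAs, or set oracle.kv.jaas.login.conf.entryName and let the client perform the login. Setting the entry name while also passing keytab or credential-cache properties is rejected, as the note at the top of this page states.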