-
Bug
-
Resolution: Fixed
-
P4
-
1.4.2
-
None
-
tiger
-
generic
-
generic
In a distributed service environment, an entity is often both a client
and a server, and long running. Though the current
javax.security.auth.kerberos.KerberosTicket supports a refresh method
to renew TGTs, it seems nice and logical to also support TGT renewal
in the Kerberos login module through an option. This will enable a service
deployer to specify how long a TGT should be renewed in the login
configuration file, and the client application can then be coded in a
generic way without worrying about any Kerberos-specific details, such as
TGT renewal. If the login module cannot successfully renew the TGT to
the configured time limit, it can either report the problem or prompt
the user for his/her password to get a new TGT, and replace the
content of the corresponding KerberosTicket instance with the new TGT.

For long running services, in general it is not practical to ask users
to renew TGTs. Another problem is that even if a user renews his TGT
(TicketCache) using kinit, currently he cannot populate the current
subject with it without restarting the service.

Possible solution: add the following new options
renewTGT - true/false, false by default
renewTGTUntil - absolute deadline, won't renew after the deadline has passed
renewTGTFor - relative time, for example, number of seconds
"renewTGT=true" requires that ticketCache is present and doNotPrompt=true
###@###.### 2003-03-25
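
An added example, not part of the original report and not JDK code: the existing KerberosTicket.refresh() path the report mentions, wrapped in a deadline check in the spirit of the proposed renewTGTUntil and renewTGTFor options. The class TgtRenewer and its method names are hypothetical, and the 8-hour limit in main is a constructed sample value.

```java
import java.time.Instant;
import java.util.Date;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Added illustration; TgtRenewer and its method names are hypothetical.
public final class TgtRenewer {

    // Relative limit (renewTGTFor style) turned into an absolute deadline.
    static Instant deadlineFor(Instant loginTime, long renewForSeconds) {
        return loginTime.plusSeconds(renewForSeconds);
    }

    // True only for the local-realm TGT, i.e. krbtgt/REALM@REALM.
    static boolean isTgt(KerberosTicket t) {
        KerberosPrincipal server = t.getServer();
        String realm = server.getRealm();
        return server.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    // Renews the Subject's TGT in place; returns false when policy or the
    // ticket itself forbids renewal, so the caller can report or re-login.
    static boolean renewIfAllowed(Subject subject, Instant deadline)
            throws RefreshFailedException {
        Instant now = Instant.now();
        if (now.isAfter(deadline)) {
            return false;                       // absolute deadline passed
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed() || !isTgt(t)) continue;
            Date renewTill = t.getRenewTill();
            if (!t.isRenewable() || renewTill == null
                    || now.isAfter(renewTill.toInstant())
                    || !t.isCurrent()) {
                return false;                   // KDC would reject the renewal
            }
            t.refresh();                        // contacts the KDC, updates the ticket
            return true;
        }
        return false;                           // no TGT in this Subject
    }

    public static void main(String[] args) throws RefreshFailedException {
        Subject subject = new Subject();        // constructed: holds no credentials
        Instant deadline = deadlineFor(Instant.now(), 8 * 3600);
        System.out.println("renewed=" + renewIfAllowed(subject, deadline));
    }
}
```

A false return or a RefreshFailedException corresponds to the case the report describes, where the service must either report the problem or obtain a new TGT.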
- relates to
-
JDK-4460829 Can't set forwardable/renewable for login module without using a krb5.conf
-
- Closed
-