The wrap method encapsulates the plaintext message to be sent in a token, thereby guaranteeing the message's integrity. Optionally the message can also be encrypted, by specifying a MessageProp object that requests confidentiality. The wrap method produces an opaque token that is transmitted to the peer. The peer passes the token to the unwrap method, which recovers the plaintext; after unwrap, the same MessageProp object reports whether the message was actually encrypted, so a receiver that requires confidentiality should check it rather than assume it.
Credential Delegation
The Java GSS-API allows a client to securely ask the server to act as its delegate, in which case the server can initiate a security context using the client's identity, as shown in the figure below:
Before its first call to initSecContext, the client asks the server to act as its delegate:
void GSSContext.requestCredDeleg(boolean state) throws GSSException
After the security context has been established, the server obtains the credential the client delegated to it:
GSSCredential GSSContext.getDelegCred() throws GSSException
The server can now pass this GSSCredential to GSSManager.createContext() in order to impersonate the client. Delegation is only a request: the server should confirm with GSSContext.getCredDelegState() that it was granted before calling getDelegCred(), which otherwise throws a GSSException.
Under the Kerberos V5 mechanism, the delegated credential is a forwarded TGT carried inside the first token the client sends. With this TGT the server can obtain a service ticket for any other service in the client's name, so a client should only request delegation to servers it fully trusts, and the client's own TGT must be forwardable for the request to succeed.
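The following is an added example (not code from the original article) that puts the wrap/unwrap and credential-delegation APIs described above into one client/server exchange: the client requests delegation before its first initSecContext call and then sends one message sealed with wrap; the server accepts the context, unwraps the message, checks that confidentiality was really applied, and, only if delegation was granted, uses getDelegCred() to create a second context towards a backend service as the client. The code assumes that both sides are already logged in through JAAS (Krb5LoginModule) and run inside Subject.doAs, that tokens are framed on the wire as a 4-byte length followed by the token bytes, and that the service names "backend@host.example.com" and similar are placeholders; none of these come from the original text.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class DelegatingGssExample {
    // Kerberos V5 GSS-API mechanism OID (RFC 1964)
    static final Oid KRB5 = oid("1.2.840.113554.1.2.2");

    static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    // Assumed wire framing: 4-byte big-endian length, then the opaque token bytes.
    static void sendToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    static byte[] recvToken(DataInputStream in) throws IOException {
        byte[] token = new byte[in.readInt()];
        in.readFully(token);
        return token;
    }

    /** Client: establish a context with delegation requested, then send one sealed message. */
    static void client(DataInputStream in, DataOutputStream out, String service, String message)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(peer, KRB5, null, GSSContext.DEFAULT_LIFETIME);

        // Every request* flag must be set before the first initSecContext call.
        ctx.requestCredDeleg(true);   // ask to forward our TGT to the server
        ctx.requestMutualAuth(true);  // authenticate the server to us as well
        ctx.requestConf(true);        // we intend to encrypt with wrap()
        ctx.requestInteg(true);

        byte[] token = new byte[0];
        while (!ctx.isEstablished()) {
            token = ctx.initSecContext(token, 0, token.length);
            if (token != null) sendToken(out, token);
            if (!ctx.isEstablished()) token = recvToken(in);
        }
        // Delegation is a request, not a guarantee (e.g. the TGT was not forwardable).
        if (!ctx.getCredDelegState()) {
            System.err.println("warning: credential delegation was not granted");
        }

        // wrap(): integrity always; privacy only when MessageProp asks for it (QOP 0 = default).
        byte[] plain = message.getBytes(StandardCharsets.UTF_8);
        MessageProp prop = new MessageProp(0, true);
        byte[] sealed = ctx.wrap(plain, 0, plain.length, prop);
        sendToken(out, sealed);
        ctx.dispose();
    }

    /** Server: accept the context, unwrap the message, then act towards a backend as the client. */
    static String server(DataInputStream in, DataOutputStream out, String backendService)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        // null credential: use the acceptor credentials of the JAAS subject we are running as
        GSSContext ctx = manager.createContext((GSSCredential) null);

        while (!ctx.isEstablished()) {
            byte[] token = recvToken(in);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (reply != null) sendToken(out, reply);
        }

        byte[] sealed = recvToken(in);
        MessageProp prop = new MessageProp(0, false);
        byte[] plain = ctx.unwrap(sealed, 0, sealed.length, prop);
        // unwrap() reports what the sender actually applied; reject if it was only signed.
        if (!prop.getPrivacy()) {
            throw new SecurityException("message was integrity-protected but not encrypted");
        }
        String message = new String(plain, StandardCharsets.UTF_8);

        // Only fetch the delegated credential when delegation was granted; otherwise it throws.
        if (ctx.getCredDelegState()) {
            GSSCredential delegated = ctx.getDelegCred();
            GSSName backend = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
            // This context authenticates to the backend as the original client: the forwarded
            // TGT is used to obtain a service ticket for the backend in the client's name.
            GSSContext asClient = manager.createContext(backend, KRB5, delegated, GSSContext.DEFAULT_LIFETIME);
            System.out.println("would contact " + backendService + " as " + ctx.getSrcName());
            asClient.dispose();
            delegated.dispose();
        }
        ctx.dispose();
        return message;
    }
}
```

Both sides need a reachable KDC and a JAAS login, so this cannot run offline; the point is the order of the calls. If the client's ticket is not forwardable (obtained without the forwardable option in krb5.conf or the login configuration), the exchange still succeeds but getCredDelegState() returns false on both sides, and the server simply skips the delegated call.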
Summary
Kerberos is a secure and efficient authentication mechanism, and it is a good choice for authenticating users and services on a distributed computing platform. The pluggable and stackable authentication model of JAAS, together with the Java GSS-API, is a powerful aid for taking Kerberos from simple use to programmatic integration into a real production environment.