Kerberos example not available in product

This commit is contained in:
mposolda 2016-06-06 11:51:14 +02:00
parent 306ed24ad4
commit 1d47bb5af2

View file

@ -154,19 +154,34 @@ This is enabled in the `Mappers` tab of the application's
client page. See <<fake/../../clients/protocol-mappers.adoc#_protocol-mappers, Protocol Mappers>> chapter for more details.
Applications will need to deserialize the claim it receives from {{book.project.name}} before it can use it to make GSS calls against other services.
We have an example, that shows this in detail.
It's in `examples/kerberos` in the {{book.project.name}} example distribution or demo distribution download.
You can also check the example sources directly https://github.com/keycloak/keycloak/blob/master/examples/kerberos[here] .
Once you deserialize the credential from the access token to the GSSCredential object, the GSSContext will need to be created with this credential
passed to the method `GSSManager.createContext` for example like this:
[source]
----
// Obtain accessToken in your application.
KeycloakPrincipal keycloakPrincipal = (KeycloakPrincipal) servletReq.getUserPrincipal();
AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
// Retrieve kerberos credential from accessToken and deserialize it
String serializedGssCredential = (String) accessToken.getOtherClaims().
get(org.keycloak.common.constants.KerberosConstants.GSS_DELEGATION_CREDENTIAL);
GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.
deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,
deserializedGssCredFromKeycloakAccessToken, GSSContext.DEFAULT_LIFETIME);
deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
----
{% if book.community %}
We have an example, that shows this in detail.
It's in `examples/kerberos` in the {{book.project.name}} example distribution or demo distribution download.
You can also check the example sources directly https://github.com/keycloak/keycloak/blob/master/examples/kerberos[here] .
{% endif %}
Note that you also need to configure `forwardable` kerberos tickets in `krb5.conf` file and add support for delegated credentials to your browser.
WARNING: Credential delegation has some security implications so only use it if you really need it.