Kerberos in J2EE Application
843811 | Apr 21 2004 — edited Mar 15 2005

I have read through the JGSS examples and run them perfectly. My questions are as follows:
1. When a GSSContext is established between the GSS client and the GSS server, messages can be sent under the security context and the message is integrity protected. That is OK. But how about method invocation? I mean, how do I protect the method invocation from the GSSClient to the GSSServer using the established GSSContext?
2. In a J2EE environment with Kerberos, we should take the Web Application as the GSSClient and the other external kerberized service as the GSSServer. That is, when the client browser accesses the web application, the UID and password are sent to the Web Application over SSL and the Web Application gets a TGT from the KDC. Then the Web Application retrieves a service ticket for the external kerberized service from the KDC, and thus the GSSContext is built between the Web Application and the external kerberized service. This is what I think about Kerberos in a J2EE Application. Is it right? If it is right, how can I cache the TGT (credential) in such a scenario when so many different browser clients access the Web Application?
Your help will be greatly appreciated. Thanks!
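An added example in Java (not from this thread or any reply to it) sketching both points raised above: a web tier that authenticates each browser user through JAAS with Krb5LoginModule, keeps one Subject (holding that user's TGT) per user and evicts it once the TGT is no longer current, then runs under that Subject to fetch the service ticket and wrap the serialized method invocation itself under the established GSSContext. The JAAS entry name "WebTierClient" and the `transport` callback that carries tokens to the peer are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*; import java.util.concurrent.ConcurrentHashMap; import java.util.function.UnaryOperator;
import javax.security.auth.Subject; import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosTicket; import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;
/** Web tier as GSS client: one cached JAAS Subject (holding the TGT) per user, used to protect calls. */
public class KerberosCredentialCache {
    private static final Oid KRB5_MECH;                  // Kerberos V5 mechanism OID (RFC 1964)
    static { try { KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); }
             catch (GSSException e) { throw new ExceptionInInitializerError(e); } }
    // Per-user Subjects; in a servlet keep this in the HttpSession so it expires with the session.
    private final Map<String, Subject> subjects = new ConcurrentHashMap<>();

    /** AS exchange through Krb5LoginModule; the JAAS entry name "WebTierClient" is assumed. */
    public Subject login(String user, char[] password) throws Exception {
        LoginContext lc = new LoginContext("WebTierClient", cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login(); Arrays.fill(password, '\0');        // KDC issues the TGT; password is not retained
        Subject s = lc.getSubject(); subjects.put(user, s); return s;
    }

    /** Cached Subject while its TGT is current; otherwise evict and return null (caller re-logs in). */
    public Subject cached(String user) {
        Subject s = subjects.get(user);
        if (s != null) for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class))
            if (t.getServer().getName().startsWith("krbtgt/") && t.isCurrent()) return s;
        subjects.remove(user);
        return null;
    }

    /** Under the user's Subject: get the service ticket, run the token exchange, wrap the invocation. */
    public byte[] wrapInvocation(Subject s, String service, UnaryOperator<byte[]> transport, byte[] call)
            throws Exception {
        return Subject.doAs(s, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName peer = gm.createName(service, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
            GSSContext ctx = gm.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); ctx.requestInteg(true); ctx.requestConf(true);
            byte[] tok = new byte[0];
            while (!ctx.isEstablished()) {                 // TGS-REQ to the KDC, then AP-REQ/AP-REP
                tok = ctx.initSecContext(tok, 0, tok.length);  // transport sends a token, returns reply
                if (tok != null && tok.length > 0) tok = transport.apply(tok);
            }
            return ctx.wrap(call, 0, call.length, new MessageProp(0, true));  // QOP 0, privacy on
        });
    }
}
```

Caching the Subject rather than the UID/password bounds what a hijacked session exposes to a time-limited TGT; the server side unwraps the invocation with the same GSSContext before dispatching the method.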