<div dir="ltr">Hi everyone, <div><br></div><div>I've been playing with smart cards and faced some issues. </div><div style>Long story short:</div><div style><br></div><div><div><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

<strong style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">Prerequisites</strong>:</p><ul style="margin:0px 0px 1em 30px;padding:0px;border:0px;font-size:14px;vertical-align:baseline;list-style-position:initial;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

<li style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;word-wrap:break-word">I set up a basic <code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">Kerberos</code> realm via <code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">Windows Active Directory</code>.</li>

<li style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;word-wrap:break-word">I managed to successfully log in to the service via a <em style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">login/password</em> pair using <code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">Java Kerberos</code> (<code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">Krb5LoginModule</code>), which is provided via <code style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">JAAS</code>.</li>

</ul><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

Now I am trying to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via <code style="margin:0px;padding:1px 5px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">AS-REQ/AS-REP</code> messages (<code style="margin:0px;padding:1px 5px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">PA-PK-AS-REQ/P</code> extensions). Unfortunately, JAAS Kerberos did not use the smart card. As far as I have seen, there were no <span style="background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">PA-PK-AS-REQ/P</span> extensions in the OpenJDK sources. Maybe I missed something.</p>

<p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

<strong style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent">Question</strong>: </p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

1. Does Java Kerberos support smart card preauthentication out of the box?</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

2. If it doesn't, can I somehow extend the existing Kerberos module, or should I implement the whole of Kerberos from the ground up?</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

<span style="font-family:arial;font-size:small;line-height:normal;color:rgb(34,34,34)"><br></span></p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">

<span style="font-family:arial;font-size:small;line-height:normal;color:rgb(34,34,34)">Thanks in advance,<br></span><span style="color:rgb(34,34,34);font-family:arial;font-size:small;line-height:normal">Ostap Andrusiv</span></p>

</div><div dir="ltr"><div><br>web: <a href="http://andrusiv.com" target="_blank">http://andrusiv.com</a></div><div>skype: <a>ostap.andrusiv</a></div><div>::p!F</div></div>
</div></div>
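<p>Added example, not part of the original message and not OpenJDK code: a wire-level check for whether a client's AS-REQ carries the PKINIT padata the post refers to, by listing the padata-type values in the DER message. The two byte strings are constructed skeletons (placeholder padata values, empty req-body), and the function names are chosen here for illustration.</p>

```python
PA_PK_AS_REQ = 16  # padata-type assigned to PKINIT requests in RFC 4556

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); raise ValueError on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n > 127:  # long form: low 7 bits give the number of length bytes
        k = n - 128
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos != len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def padata_types(as_req):
    """padata-type integers carried in a DER AS-REQ ([APPLICATION 10])."""
    tag, body, _ = read_tlv(as_req)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ")
    types = []
    for ftag, fval in children(read_tlv(body)[1]):
        if ftag == 0xA3:  # padata [3] SEQUENCE OF PA-DATA
            for _, pa in children(read_tlv(fval)[1]):
                ptype = dict(children(pa))[0xA1]  # padata-type [1] INTEGER
                types.append(int.from_bytes(read_tlv(ptype)[1], "big", signed=True))
    return types

def requests_pkinit(as_req):
    """True when the request carries PA-PK-AS-REQ preauthentication data."""
    return PA_PK_AS_REQ in padata_types(as_req)

# Constructed samples, not captures: same skeleton, different first padata-type.
PASSWORD_AS_REQ = bytes.fromhex(  # padata-types 2 (PA-ENC-TIMESTAMP) and 128
    "6a2d302ba103020105a20302010aa31b3019"
    "300aa103020102a203040100300ba10402020080a203040100a4023000")
PKINIT_AS_REQ = bytes.fromhex(  # padata-types 16 (PA-PK-AS-REQ) and 128
    "6a2d302ba103020105a20302010aa31b3019"
    "300aa103020110a203040100300ba10402020080a203040100a4023000")
```

<p>Run against the Kerberos payload of a captured AS-REQ (with any TCP length prefix removed), a result without 16 means the client never offered smart card preauthentication.</p>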