My company uses Kerberos servers for Unix and Windows authentication. I want to set up CAS using Acegi and Spring for a single sign on service for all of my company's intranet applications. However, I can't find a clean "Spring Way" of telling Acegi's JaasAuthenticationProvider which Kerberos servers to use.

My problem is simple: I need to define two system properties in order for JaasAuthenticationProvider to use Kerberos (see http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/KerberosReq.html):



java.security.krb5.realm=xx.xx.com
java.security.krb5.kdc=yy.yy.com


My initial attempt (which just feels non-Springy) was to create a simple Java bean with two setters, setKrb5Realm() and setKrb5Kdc(), which internally calls java.lang.System.setProperties(). I do configure this bean in /WEB-INF/applicationContext.xml, but it seems like there should be a "Spring Way" to set system properties.

I tried using a technique to set system properties described in http://forum.springframework.org/showthread.php?t=11897, but it blows up Tomcat with a java.lang.NullPointerException coming from Catalina.

Has anyone else used Acegi and Kerberos in a Web application successfully? How do I set these two Kerberos system properties in /WEB-INF/applicationContext.xml? Am I all wrong in my approach?

Warmest regards, Matt

Heya Matt.
The JaasAuthenticationProvider really doesn't know anything about how your using Jaas. The code really just acts as a bridge between Acegi and Jaas.

You are definately on the right path when asking the, "How do I set system properties in Spring?" question. The JaasAuthenticationProvider has to do exactly what you're talking about in it's configuration. Take a look at JaasAuthenticationProvider in viewcvs (http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/providers/jaas/JaasAuthenticationProvider.java?rev=1.3&view=markup)

Take a look at the afterPropertiesSet method. There is no way in the JAAS api to tell the LoginContext class what login configuration file to load, so I set system properties. Just like you have no way to tell the Krb5LoginModule what realm or kdc to use.

You could write a bean you like you had mentioned before, with a setKrb5Realm and setKrb5Kdc methods that both just call their respect System.setProperty() methods. It's not the most elegant way, I would imagine there is a cleaner route (I just don't know it).

I looked over the other post you made about setting system properties. The problem there is your missing the static stuff, take another look at the java doc there. That route definately takes up a lot more space in your application xml.