Question

I need a postdatable Kerberos ticket in my Java application. But I did not find any method in the GSSContext interface. Does Java not support this Kerberos feature?

The purpose is as follows: In our application, users can set up a batch that will run some time in the future. And the application server will have to use a delegated ticket that is valid at execution time of the batch, when the original ticket may have expired.

EDIT: To clarify my first statement: I found that GSSContext, GSSContextImpl as well as the GSSContextImpl do not give access to the setAuthTime() method which is only available in Krb5Context. Without having dug into all details, it seems the postdated authentication would only be possible with some direct access to undocumented classes.

As there seem to be additional problems in getting a client browser to send a ticket with the correct flags set - as @Michael-O pointed out -, I think I will have to find another solution, maybe just asking the user for username and password, saving them encrypted with the batch, and then just requesting a new ticket at batch start time.

The concept of postdated tickets sounds appropriate for my problem, but there seems to be a lack of practical use, resulting in it not being well supported by existing environments.


Solution

Besides my comment:

Frank, did you actually read chapter 2.4 of RFC 4120? The TGT from the client must have the initial flag MAY-POSTDATE. Please check that first. Yes, Java GSS supports that but I haven't tried that myself. See this search.

Frank, there is a solution to your problem. Just came to me yesterday. I have answered this already. It may be a bit of work to backport this code but it is worth it.

See Generating AD Kerberos tickets without user password.
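As an added example (not code from the question or the answer), the flag check suggested above written against the public javax.security.auth.kerberos API: it reads the RFC 4120 flag bits from a KerberosTicket and also tests whether the ticket would still be valid at the batch's scheduled start, which is the second thing the question worries about. In a real server the TGT comes from the JAAS Subject's private credentials; here the ticket, principal names, key bytes and times are constructed sample values.

```java
import java.time.Instant;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class PostdateCheck {
    // RFC 4120 section 5.4.1 ticket flag bit positions; getFlags() is indexed by bit.
    static final int FORWARDABLE = 1;
    static final int MAY_POSTDATE = 5;
    static final int INITIAL = 9;

    /** True if this TGT may be used to request a postdated ticket (RFC 4120 2.4). */
    static boolean allowsPostdating(KerberosTicket tgt) {
        boolean[] f = tgt.getFlags();
        return f.length > MAY_POSTDATE && f[MAY_POSTDATE];
    }

    /** True if the ticket's validity window covers the given instant. */
    static boolean validAt(KerberosTicket t, Instant when) {
        Date start = t.getStartTime() != null ? t.getStartTime() : t.getAuthTime();
        return !when.isBefore(start.toInstant()) && when.isBefore(t.getEndTime().toInstant());
    }

    static String report(KerberosTicket tgt, Instant batchStart) {
        return "initial=" + tgt.isInitial()
             + " forwardable=" + tgt.isForwardable()
             + " may-postdate=" + allowsPostdating(tgt)
             + " postdated=" + tgt.isPostdated()
             + " valid-at-batch-start=" + validAt(tgt, batchStart);
    }

    public static void main(String[] args) {
        // Constructed sample ticket. On a real server, obtain it with
        // subject.getPrivateCredentials(KerberosTicket.class) after a JAAS login.
        boolean[] flags = new boolean[32];
        flags[FORWARDABLE] = true;
        flags[INITIAL] = true;            // MAY_POSTDATE deliberately left unset
        Instant now = Instant.now();
        KerberosTicket tgt = new KerberosTicket(
            new byte[] {0x30, 0x00},                          // placeholder ASN.1 bytes, not a real ticket
            new KerberosPrincipal("frank@EXAMPLE.COM"),       // placeholder client principal
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17,                                 // placeholder AES128 session key
            flags, Date.from(now), Date.from(now),
            Date.from(now.plusSeconds(10 * 3600)), null, null);
        // Batch scheduled for tomorrow: this TGT has expired by then and cannot postdate.
        System.out.println(report(tgt, now.plusSeconds(24 * 3600)));
    }
}
```

If may-postdate prints false for the TGT the browser delegated, the KDC (or the client's ticket request) never set the flag, and no Java-side call will make a postdated request succeed.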

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow