How to achieve Parallel Authentication using Kerberos?

Time:12-18

I have a requirement to make multiple independent micro service calls in parallel in Spring Boot (Java) in order to address the performance issue in making sequential calls and these micro services are authenticated using Kerberos.

When I initially tried to make these calls in parallel, I understood that the Kerberos Ticket and the Token will be invalidated when initiating the parallel request as the previous ticket will no longer be valid, but I would like to hear from other experts here if there's any other way that we can achieve this.

CodePudding user response:

Maybe you can cache the ticket and the token on Kerberos' server-side.

CodePudding user response:

> When I initially tried to make these calls in parallel, I understood that the Kerberos Ticket and the Token will be invalidated when initiating the parallel request as the previous ticket will no longer be valid, but I would like to hear from other experts here if there's any other way that we can achieve this.

No, the ticket is multiple-use and never invalidated (until it reaches the ~10h expiry) – you can see in klist that the same ticket stays around across multiple runs. Only the token built out of a ticket verifier is single-use, but the application can freely create as many tokens from a single cached ticket as it wants.

When using e.g. HTTP, normally you (or the HTTP client library) would call the GSSAPI or Kerberos library to start a new "security context" and get a new token immediately before every HTTP request. It's fine to start multiple GSSAPI contexts and get multiple tokens in parallel; the GSSAPI/Kerberos library will take care of acquiring and caching the service ticket.
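The pattern described in the answer above, as an added example that is not part of the original answer: one JAAS login yields a single reusable TGT, and each worker thread opens its own GSSAPI context to get a fresh single-use token. The JAAS entry name `KrbClient`, the host names, the `HTTP@host` service names and the use of SPNEGO are assumptions made for illustration.

```java
import org.ietf.jgss.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import java.util.concurrent.*;

public class ParallelSpnegoTokens {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // SPNEGO mechanism OID

    // One new security context, and therefore one new single-use token, per request.
    // The TGT held in `subject` is shared; service tickets are obtained by the library.
    static String newToken(Subject subject, String host) throws Exception {
        // Subject.doAs is deprecated on recent JDKs; Subject.callAs is its replacement.
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName target = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(
                    target, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                return Base64.getEncoder().encodeToString(token);
            } finally {
                ctx.dispose(); // never reuse a context or its token for another request
            }
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext login = new LoginContext("KrbClient"); // hypothetical JAAS entry
        login.login();                                      // acquires the TGT once
        Subject subject = login.getSubject();
        List<String> hosts = List.of("svc-a.example.internal", "svc-b.example.internal"); // placeholders
        ExecutorService pool = Executors.newFixedThreadPool(hosts.size());
        try {
            Map<String, Future<String>> pending = new LinkedHashMap<>();
            for (String h : hosts) pending.put(h, pool.submit(() -> newToken(subject, h)));
            for (var e : pending.entrySet()) {
                // Send as "Authorization: Negotiate <token>"; log only the length, never the token.
                System.out.println(e.getKey() + ": token of " + e.getValue().get().length() + " base64 chars");
            }
        } finally {
            pool.shutdown();
            login.logout();
        }
    }
}
```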
