
Kerberos keytab part-6

  • Configuring a Java servlet for Kerberos authentication

Domain Name : dummydomain

Service Account Name : myserviceaccount

Service Account Password : afk1K2##$#dlkajsf

SPNEGO SourceForge project

Download the jar from the site above and add it to your local Nexus repository or directly to your project.

Download

  • Copy krb5_min.conf to the server

Example path: /home/system/krb5_min.conf

```ini
[libdefaults]
default_realm = dummydomain
```
  • Copy login.conf to the server

Example path: /home/system/login.conf

```text
spnego-client {
	com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
	com.sun.security.auth.module.Krb5LoginModule required
	storeKey=true
	isInitiator=false;
};
```
  • Add the following code to the servlet

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.spnego.SpnegoAuthenticator;
import net.sourceforge.spnego.SpnegoHttpFilter;
import net.sourceforge.spnego.SpnegoHttpServletResponse;
import net.sourceforge.spnego.SpnegoPrincipal;
import org.ietf.jgss.GSSException;

private static SpnegoAuthenticator spnegoHttpAuthenticator = null;

static {
    if (spnegoHttpAuthenticator == null) {
        final Map<String, String> map = new HashMap<>();
        map.put("spnego.krb5.conf", "/home/system/krb5_min.conf");
        map.put("spnego.login.conf", "/home/system/login.conf");
        map.put(SpnegoHttpFilter.Constants.ALLOW_BASIC, "true"); // lets authentication fall back to a username/password prompt if Kerberos fails
        map.put("spnego.allow.localhost", isApplicationRunningOnLocalHost() ? "true" : "false"); // not really required; use it if you want Kerberos on localhost
        map.put("spnego.exclude.dirs", "");
        map.put("spnego.preauth.username", "dummydomain\\myserviceaccount"); // the backslash must be escaped in a Java string literal
        map.put("spnego.preauth.password", "afk1K2##$#dlkajsf");
        map.put("spnego.login.client.module", "spnego-client");
        map.put("spnego.login.server.module", "spnego-server");
        map.put("spnego.prompt.ntlm", "true");
        map.put("spnego.allow.delegation", "true");
        map.put("spnego.allow.unsecure.basic", "true"); // "true" allows Basic auth over plain HTTP as well as HTTPS; set to "false" to restrict Basic to HTTPS
        map.put("spnego.logger.level", "1");

        try {
            spnegoHttpAuthenticator = new SpnegoAuthenticator(map);
        } catch (Exception e) {
            // the constructor throws checked exceptions (LoginException, GSSException, ...) that a static initializer cannot propagate
            throw new ExceptionInInitializerError(e);
        }
    }
}

private static boolean isApplicationRunningOnLocalHost() {
    // Assumed implementation (the original left only a comment here): treat the host as local when its name is "localhost"
    try {
        return "localhost".equalsIgnoreCase(InetAddress.getLocalHost().getHostName());
    } catch (UnknownHostException e) {
        return false;
    }
}
```

```java
private String getDomainAndUserNameOfLoggedInUser(HttpServletRequest request, HttpServletResponse response)
        throws GSSException, IOException {
    // authenticate() returns null while the Negotiate handshake is still in progress (the 401 challenge has already been written)
    final SpnegoPrincipal principal =
            spnegoHttpAuthenticator.authenticate(request, new SpnegoHttpServletResponse(response));
    return principal == null ? null : principal.getName();
}
```
  • Call the getDomainAndUserNameOfLoggedInUser() method above from the servlet's HTTP ‘GET’ (or other) handler methods

The method returns dummydomain@UserName for the user who is connecting, which can then be checked against entitlements.
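The wiring described above as a complete doGet handler, added here as an example; it is not code from the original post or from the SPNEGO project. It assumes the static spnegoHttpAuthenticator and its initializer shown earlier are members of this servlet class, and uses a constructed ENTITLED_USERS set in place of a real entitlement lookup.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.spnego.SpnegoHttpServletResponse;
import net.sourceforge.spnego.SpnegoPrincipal;
import org.ietf.jgss.GSSException;

public class ProtectedServlet extends HttpServlet {

    // Constructed sample entitlements; a real application would consult its own store
    private static final Set<String> ENTITLED_USERS = Set.of("dummydomain@alice", "dummydomain@bob");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        final SpnegoHttpServletResponse spnegoResponse = new SpnegoHttpServletResponse(response);
        final SpnegoPrincipal principal;
        try {
            principal = spnegoHttpAuthenticator.authenticate(request, spnegoResponse);
        } catch (GSSException e) {
            // malformed or unacceptable token: refuse rather than fall through to the page
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // null (and a status already set) means the library has written the
        // 401 "WWW-Authenticate: Negotiate" challenge for this round trip;
        // the protected content must not be rendered yet
        if (principal == null || spnegoResponse.isStatusSet()) {
            return;
        }

        // Authentication succeeded; now apply authorization against entitlements
        final String user = principal.getName();
        if (!ENTITLED_USERS.contains(user)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Hello " + user);
    }
}
```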

This post is licensed under CC BY 4.0 by the author.