- Configuring a Java servlet for Kerberos authentication
Domain Name : dummydomain
Service Account Name : myserviceaccount
Service Account Password : afk1K2##$#dlkajsf
Download the jar from the above site and add it to your local Nexus repository or to your project
- Copy krb5_min.conf to server
Example path : /home/system/krb5_min.conf
[libdefaults]
default_realm = dummydomain
- Copy login.conf to server
Example path : /home/system/login.conf
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};
- Add code to a servlet
// Imports needed at the top of the servlet class
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import net.sourceforge.spnego.SpnegoAuthenticator;
import net.sourceforge.spnego.SpnegoHttpFilter;

private static SpnegoAuthenticator spnegoHttpAuthenticator = null;

static {
    if (spnegoHttpAuthenticator == null) {
        final Map<String, String> map = new HashMap<>();
        map.put("spnego.krb5.conf", "/home/system/krb5_min.conf");
        map.put("spnego.login.conf", "/home/system/login.conf");
        map.put(SpnegoHttpFilter.Constants.ALLOW_BASIC, "true"); // lets authentication fall back to a username/password (Basic) prompt if Kerberos fails
        map.put("spnego.allow.localhost", isApplictionRunningOnLocalHost() ? "true" : "false"); // not strictly required; use this if you want to enable Kerberos on localhost
        map.put("spnego.exclude.dirs", "");
        map.put("spnego.preauth.username", "dummydomain\\myserviceaccount"); // backslash must be escaped in a Java string
        map.put("spnego.preauth.password", "afk1K2##$#dlkajsf"); // service account password; in production read it from a secret store instead of hard-coding it
        map.put("spnego.login.client.module", "spnego-client");
        map.put("spnego.login.server.module", "spnego-server");
        map.put("spnego.prompt.ntlm", "true");
        map.put("spnego.allow.delegation", "true");
        map.put("spnego.allow.unsecure.basic", "true"); // "true" allows Basic authentication over plain HTTP as well as HTTPS; set to "false" to allow it over HTTPS only
        map.put("spnego.logger.level", "1");
        spnegoHttpAuthenticator = new SpnegoAuthenticator(map);
    }
}

private static boolean isApplictionRunningOnLocalHost() {
    // One possible implementation (an assumption, not part of the original setup):
    // treat the host as local when its own host name resolves to a loopback address.
    try {
        return InetAddress.getLocalHost().isLoopbackAddress();
    } catch (UnknownHostException e) {
        return false;
    }
}
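private String getDomainAndUserNameOfLoggedInUser(HttpServletRequest httpRequest,
        SpnegoHttpServletResponse httpResponse) throws GSSException, IOException {
    // authenticate() returns null while the SPNEGO handshake is still in progress (a 401 challenge has been sent)
    final SpnegoPrincipal principal = spnegoHttpAuthenticator.authenticate(httpRequest, httpResponse);
    return principal == null ? null : principal.getName();
}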
- Call the above getDomainAndUserNameOfLoggedInUser() method from the servlet's HTTP 'GET' handler or from its other HTTP method handlers
The method returns dummydomain@UserName for the user who is trying to connect, which can then be checked against entitlements.
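
The authentication call followed by the entitlement check, as an added example that is not part of the original page or of the SPNEGO library. The class name `EntitlementGate`, the `ENTITLED` sample set and the case-insensitive name comparison are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.spnego.SpnegoAuthenticator;
import net.sourceforge.spnego.SpnegoHttpServletResponse;
import net.sourceforge.spnego.SpnegoPrincipal;
import org.ietf.jgss.GSSException;

/** Hypothetical helper: authenticates a request via SPNEGO, then checks entitlements. */
public final class EntitlementGate {
    // Constructed sample entitlements in the dummydomain@UserName form described above.
    private static final Set<String> ENTITLED = Set.of("dummydomain@alice", "dummydomain@bob");

    private final SpnegoAuthenticator authenticator; // built from the configuration map above

    public EntitlementGate(SpnegoAuthenticator authenticator) {
        this.authenticator = authenticator;
    }

    /** Fails closed on null or unknown names; case-insensitive matching is an assumption. */
    static boolean isEntitled(String principalName) {
        return principalName != null
                && ENTITLED.contains(principalName.toLowerCase(Locale.ROOT));
    }

    /** Returns the entitled principal name, or null once a challenge or error has been sent. */
    public String authorize(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final SpnegoHttpServletResponse spnegoResp = new SpnegoHttpServletResponse(resp);
        final SpnegoPrincipal principal;
        try {
            principal = authenticator.authenticate(req, spnegoResp);
        } catch (GSSException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // token rejected: fail closed
            return null;
        }
        if (spnegoResp.isStatusSet()) {
            return null; // 401 challenge already written; the client retries with a token
        }
        if (principal == null || !isEntitled(principal.getName())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated but not entitled
            return null;
        }
        return principal.getName();
    }
}
```

From `doGet`, call `authorize(request, response)` and return immediately when it yields null, since the response has already been written in that case.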