I'm trying to use Jetty embedded server to expose my REST API and now I'd like to implement Kerberos authentication. This is how I create the SecurityHandler:

    String domainRealm = "MY.COM";

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(new String[]{domainRealm});
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig("/path/to/spnego.properties");
    loginService.setName(domainRealm);

    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new SpnegoAuthenticator());
    sh.setLoginService(loginService);
    sh.setConstraintMappings(new ConstraintMapping[]{cm});
    sh.setRealmName(domainRealm);

This is my spnego.properties:

    targetName = HTTP/target.name.com

My krb5.ini:

    [libdefaults]
        default_realm = HW.COM
        default_keytab_name = FILE:/path/to/target.name.com.keytab
        permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
        default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
        default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
        MY.COM = {
            kdc = 12.13.14.222 # IP address
            admin_server = 12.13.14.222 # IP address
            default_domain = MY.COM
        }

    [domain_realm]
        my.com = MY.COM
        .my.com = MY.COM

    [appdefaults]
        autologin = true
        forwardable = true

My spnego.conf:

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]"
        keyTab="/path/to/target.name.com.keytab"
        useKeyTab=true
        storeKey=true
        debug=true
        isInitiator=false;
    };

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]"
        useKeyTab=true
        keyTab="/path/to/target.name.com.keytab"
        storeKey=true
        debug=true
        isInitiator=false;
    };

System properties are set:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");

Unfortunately, authentication does not work. I'm trying to debug the SpnegoLoginService.login method, and login fails because of:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Do you have any idea how to set up an embedded Jetty server to work correctly with Kerberos authentication?

Thanks

The problem was the wrong keytab file.
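
The answer above names the keytab as the cause. As an added example (not code from the post or from Jetty), this lists the principal, key version and encryption type of every entry in an MIT-format keytab, without printing key material, so the file can be compared with the `principal` in spnego.conf. The class name and the two command-line arguments are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class KeytabCheck {
    // Reads a 16-bit length followed by that many bytes (realm or name component).
    static String counted(DataInputStream in) throws IOException {
        byte[] b = new byte[in.readUnsignedShort()];
        in.readFully(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    // Returns "name@REALM kvno=N etype=T" for each entry of a keytab in format 0x0502.
    static List<String> entries(byte[] keytab) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(keytab));
        if (in.readUnsignedByte() != 5 || in.readUnsignedByte() != 2)
            throw new IOException("not a version 0x0502 keytab");
        List<String> out = new ArrayList<>();
        while (in.available() >= 4) {
            int size = in.readInt();
            if (size <= 0) { in.skipBytes(-size); continue; } // negative size = deleted slot
            byte[] rec = new byte[size];
            in.readFully(rec);
            DataInputStream e = new DataInputStream(new ByteArrayInputStream(rec));
            int parts = e.readUnsignedShort();       // component count, realm excluded
            String realm = counted(e);
            List<String> name = new ArrayList<>();
            for (int i = 0; i < parts; i++) name.add(counted(e));
            e.skipBytes(4 + 4);                      // name type, timestamp
            long kvno = e.readUnsignedByte();        // 8-bit key version
            int etype = e.readUnsignedShort();       // 17 = aes128-cts, 18 = aes256-cts, 23 = arcfour-hmac
            e.skipBytes(e.readUnsignedShort());      // key bytes: skipped, never printed
            if (e.available() >= 4) { int v = e.readInt(); if (v != 0) kvno = v & 0xffffffffL; }
            out.add(String.join("/", name) + "@" + realm + " kvno=" + kvno + " etype=" + etype);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // args[0]: keytab path; args[1]: principal expected by spnego.conf (operator-supplied)
        List<String> found = entries(Files.readAllBytes(Paths.get(args[0])));
        found.forEach(System.out::println);
        boolean ok = found.stream().anyMatch(s -> s.startsWith(args[1] + " "));
        System.out.println(ok ? "principal present" : "principal NOT in keytab");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the keytab path and the full service principal (name plus `@REALM`); a non-zero exit status means the keytab has no entry for that principal.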