Currently, in my Spring Boot application.properties file, I am specifying the following lines to connect to MSSQL Server.
spring.datasource.url=jdbc:sqlserver://localhost;databaseName=springbootd
spring.datasource.username=sa
spring.datasource.password=Projects@123
Instead of giving a username and password, I want to authenticate the user using Kerberos. What changes will I have to make?
I tried searching in the JPA official documentation but could not find any. Leads here are appreciated.
To enable Kerberos for SQL Server we need to create Server Principal Names (SPNs) in Active Directory if they are not registered automatically. We have created (registered) SPNs for one of our servers, but still see many connections that use NTLM.
public class SunJaasKerberosTicketValidator extends java.lang.Object implements KerberosTicketValidator, org.springframework.beans.factory.InitializingBean. Implementation of KerberosTicketValidator which uses the SUN JAAS login module, which is included in the SUN JRE, it will not work with an IBM JRE.
SPNEGO authentication in the Liberty server sees the HTTP header with the SPNEGO token, validates the SPNEGO token, and gets the identity (principal) of the user. After the Liberty server gets the identity of the user, it validates the user in its user registry and performs the authorization checks.
Spring Security Kerberos is an extension of Spring Security for application developers to Kerberos concepts with Spring.
Basically, you need to set up your krb5.conf file properly. You can verify that configuration via the following command and entering your password:
kinit <user-name>
Additionally, make sure you have a JDBC URL like:
jdbc:sqlserver://servername=server_name;integratedSecurity=true;authenticationScheme=JavaKerberos;userName=user@REALM;password=****
See Microsoft JDBC driver documentation for details.
EDIT:
Forgot to mention the startup arguments. Add the following JVM argument:
-Djava.security.krb5.conf=<PATH_TO>/krb5.conf
I believe this is not necessary if you use the default krb5.conf, but I am not entirely sure.
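The answer above applied to the question's application.properties, as an added example that is not part of the original answer. The host name sqlhost.example.com is a placeholder, and the example assumes the process runs as an OS user whose ticket cache was populated with kinit and that an SPN is registered for that host name.

```properties
# application.properties (added example; host name is a placeholder)

# Before (from the question): a static SQL login, with the sa password
# stored in cleartext next to the application.
# spring.datasource.url=jdbc:sqlserver://localhost;databaseName=springbootd
# spring.datasource.username=sa
# spring.datasource.password=<cleartext password>

# After: Kerberos through the Microsoft JDBC driver.
# - integratedSecurity=true with authenticationScheme=JavaKerberos makes the
#   driver authenticate with a Kerberos ticket instead of a SQL login.
# - No userName/password here: the identity comes from the ticket cache
#   filled by "kinit <user-name>", so no secret lives in this file.
# - Use the server's fully qualified name rather than localhost so the SPN
#   the driver requests matches the one registered in Active Directory.
spring.datasource.url=jdbc:sqlserver://sqlhost.example.com;databaseName=springbootd;integratedSecurity=true;authenticationScheme=JavaKerberos

# Deliberately absent (remove them if present, so no fallback to a SQL login):
# spring.datasource.username
# spring.datasource.password

# JVM argument from the answer, needed when krb5.conf is not in the
# default location:
#   -Djava.security.krb5.conf=<PATH_TO>/krb5.conf
```

To confirm that a session negotiated Kerberos rather than NTLM, check the auth_scheme column of sys.dm_exec_connections for that session on the SQL Server side.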