
Integrated/Kerberos authentication using Spring boot and SPNEGO API

In this tutorial we will learn how to use Spring Boot and the SPNEGO API to implement Kerberos (integrated) authentication. Kerberos was developed by the Massachusetts Institute of Technology (MIT) and authenticates users to trusted services using tickets issued by a Key Distribution Center (KDC). A typical use is an email client, HR portal or employee portal in a corporate network: employees do not need to enter a user ID and password for each application in the same domain. Once they have logged in to their machine, they can access such services with Kerberos authentication.
I am using Mac OS X to demonstrate Kerberos authentication. I have used the same machine to configure and run the application backed with Kerberos authentication, and my KDC database and application reside on the same machine.

Setting up Kerberos

First of all we need to set up Kerberos: configure the KDC database, create user principals, create policies and generate keytabs. We also need to create the application's service principal and the application domain, which the application uses to validate tickets issued by the trusted KDC and to retrieve the authenticated user's details. The link below describes how to configure Kerberos on Mac OS X in full; here we focus on the application that uses Kerberos authentication, but Kerberos itself must be configured first.
Setting up Kerberos in Mac OS X

Spring boot application using SPNEGO API

We will create a web application using Spring Boot and use the SPNEGO API for integrated/Kerberos authentication. Below is the project structure.
(Screenshot: project structure of the kerberos project)

Maven dependencies

Spring Security and Kerberos related dependencies:
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-web</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-core</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-client</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>
Spring Boot web dependencies:
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <scope>provided</scope>
        </dependency>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <scope>provided</scope>
        </dependency>

Application properties (application.yml)

Below is the complete properties file. For Kerberos we need to configure two things: the service principal and the location of the keytab file. Here "myserver.localhost" is our application domain (the host part of the service principal).
server:
    port: 8080
app:
    service-principal: HTTP/myserver.localhost@MYSERVER.LOCALHOST
    keytab-location: file:/Users/macuser/krb5/conf/krb5.keytab

logging.level.org.springframework.security: TRACE

spring.mvc.view.prefix: /WEB-INF/pages/
spring.mvc.view.suffix: .html

server.servlet-path: /
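The most common startup failure with this setup is a mismatch between app.service-principal and the keys actually stored in the keytab, which the ticket validator reports only as an opaque login error. The following added component (not part of the tutorial's code) checks both properties at startup with the JDK's javax.security.auth.kerberos.KeyTab API; the class name is assumed and it must live in a package scanned by the Spring Boot application.

```java
import java.io.File;
import java.io.IOException;

import javax.annotation.PostConstruct;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.UrlResource;
import org.springframework.stereotype.Component;

// Added sanity check (hypothetical class): fails fast at startup if the keytab
// is unreadable or holds no key for the configured service principal.
@Component
public class KeytabSanityCheck {

    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;

    @PostConstruct
    public void verify() throws IOException {
        // app.keytab-location is a "file:" URL in application.yml; resolve it the
        // same way the SunJaasKerberosTicketValidator does (UrlResource)
        File keytabFile = new UrlResource(keytabLocation).getFile();
        if (!keytabFile.isFile() || !keytabFile.canRead()) {
            throw new IllegalStateException("Keytab is missing or unreadable: " + keytabFile);
        }

        // A keytab can hold keys for many principals; we need one for exactly
        // HTTP/<application domain>@<REALM>, otherwise SPNEGO tickets cannot be decrypted
        KerberosPrincipal principal = new KerberosPrincipal(servicePrincipal);
        KeyTab keytab = KeyTab.getInstance(keytabFile);
        int keyCount = keytab.getKeys(principal).length;
        if (keyCount == 0) {
            throw new IllegalStateException("Keytab " + keytabFile
                    + " contains no key for " + principal
                    + "; compare app.service-principal with the output of 'klist -kt'");
        }
    }
}
```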

KerberosAuthTutorialApplication.java (Main class)

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
// Spring Boot 1.5 package; on Spring Boot 2.x the class lives in
// org.springframework.boot.web.servlet.support
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@SpringBootApplication
@EnableWebMvc
public class KerberosAuthTutorialApplication extends SpringBootServletInitializer {

    // Lets the application also be deployed as a WAR in an external servlet container
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(KerberosAuthTutorialApplication.class);
    }

    // Embedded Tomcat entry point used by "mvn spring-boot:run"
    public static void main(String[] args) {
        SpringApplication.run(KerberosAuthTutorialApplication.class, args);
    }
}

WebSecurityConfig.java (Security configurations)

Imports, class and properties declaration:
import java.net.MalformedURLException;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.UrlResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // HTTP/<application domain>@<REALM>, from application.yml
    @Value("${app.service-principal}")
    private String servicePrincipal;

    // "file:" URL of the keytab holding the key of the service principal
    @Value("${app.keytab-location}")
    private String keytabLocation;
Defining View resolver:
    @Bean
    public ViewResolver getViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/pages/");
        resolver.setSuffix(".jsp");
        return resolver;
    }
Spring security configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(
                        spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                        BasicAuthenticationFilter.class)

                .exceptionHandling()
                    .authenticationEntryPoint(spnegoEntryPoint())
                    .and()
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/auth/login").permitAll()
                    .and()
                .logout()
                    .permitAll();
    }
SPNEGO and kerberos security bean configurations:
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        // Answers unauthenticated requests with HTTP 401 and "WWW-Authenticate: Negotiate"
        // (which makes the browser present its Kerberos ticket) and forwards to the login page
        return new SpnegoEntryPoint("/auth/login");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider())
            .userDetailsService(kerbUserDetailsService());
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);

        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws MalformedURLException {
        // Validates the SPNEGO ticket sent by the browser against our service key
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() throws MalformedURLException {
        // Uses the JDK's Krb5LoginModule with the service principal's key from the keytab
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new UrlResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    public UserDetailsService kerbUserDetailsService() {
        // Kerberos already proved the identity; this only maps the principal name
        // (e.g. macuser@MYSERVER.LOCALHOST) to a user with ROLE_USER. The password is unused.
        return (username) -> {
            return new User(username, "notUsed", true, true,
                    true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }
}
}

SampleRestController.java (REST service)

import javax.servlet.http.HttpServletRequest;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/rest")
public class SampleRestController {
    @GetMapping("/hello")
    public String sayHello(HttpServletRequest req) {
        // getRemoteUser() returns the Kerberos principal authenticated by the SPNEGO filter
        System.out.println("User: " + req.getRemoteUser());
        return "Hello, you are welcome!!!";
    }
}

SpringController.java (Login page endpoint configuration)

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/auth")
public class SpringController {
    // Resolved by the view resolver to /WEB-INF/pages/loginpage.jsp
    @RequestMapping("/login")
    public String login() {
        return "loginpage";
    }
}

loginpage.jsp (Spring login page UI)

<!DOCTYPE html>
<html>
    <head>
        <title>Spring Security Kerberos Example</title>
    </head>
    <body style="text-align:center">
        <form action="/login" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <%-- Spring Security enables CSRF protection by default; without this token the POST to /login is rejected --%>
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>

Running application

Now, in your project root, execute the Maven command below to run the application.
mvn spring-boot:run
Once the application has started, you will see the statements below in the console or log.
2019-12-30 21:11:31.641 DEBUG 6716 --- [           main] w.a.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured for use
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /Users/macuser/krb5/conf/krb5.keytab refreshKrb5Config is false principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST
Will use keytab
Commit Succeeded 
Now open the Safari browser on your Mac and go to http://myserver.localhost:8080/rest/hello. You will see the output below in the browser without having been asked for any credentials.
(Screenshot: kerberos output in the browser)
In the log or console you will see output similar to the following, where the logged-in user is printed.
User: macuser@MYSERVER.LOCALHOST
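The same flow can be checked without a browser. Below is an added JUnit 4 test (not part of the tutorial's repository) that drives the security configuration with MockMvc; it assumes the spring-security-test dependency is on the test classpath and that the keytab and krb5 configuration are present as for the running application, because the ticket validator reads the keytab at startup.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added test (hypothetical class name); boots the tutorial application with its real security filters
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class SpnegoChallengeTest {

    @Autowired
    private MockMvc mvc;

    @Test
    public void loginPageIsPublic() throws Exception {
        // /auth/login is permitAll and is rendered through the JSP view resolver, no challenge
        mvc.perform(get("/auth/login"))
           .andExpect(status().isOk())
           .andExpect(forwardedUrl("/WEB-INF/pages/loginpage.jsp"));
    }

    @Test
    public void protectedResourceIsChallengedWithNegotiate() throws Exception {
        // No Authorization header: SpnegoEntryPoint answers 401 with the Negotiate
        // challenge that makes the browser send its Kerberos ticket on the next
        // request, and forwards to the login page configured in the entry point
        mvc.perform(get("/rest/hello"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", "Negotiate"))
           .andExpect(forwardedUrl("/auth/login"));
    }

    @Test
    public void authenticatedPrincipalReachesTheService() throws Exception {
        // Simulates a principal the ticket validator has already accepted (ROLE_USER)
        mvc.perform(get("/rest/hello").with(user("macuser@MYSERVER.LOCALHOST")))
           .andExpect(status().isOk())
           .andExpect(content().string("Hello, you are welcome!!!"));
    }
}
```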

Git source code

The complete source code is available at the GitHub URL below.
https://github.com/thetechnojournals/spring-tutorials/tree/master/KerberosAuthTutorial
