
Integrated/Kerberos authentication using Spring boot and SPNEGO API

In this tutorial we will learn how to use Spring Boot and the SPNEGO API to implement Kerberos (integrated) authentication. Kerberos was developed by the Massachusetts Institute of Technology (MIT) and authenticates users to trusted services using tickets issued by a Key Distribution Center (KDC). For example, an email client, HR portal or employee portal in a corporate network can be used without the employee entering a user id and password, as long as the application is in the same domain: once users are logged in to their machine, they can access such services and applications with Kerberos authentication.
I am using Mac OS X to demonstrate Kerberos authentication. I have used the same machine to configure and run the application backed by Kerberos authentication, so my KDC database and the application reside on the same machine.

Setting up kerberos 

First of all we need to set up Kerberos: configure the database, create user principals, create policies and keytabs. We also need to create our application user and application domain, which the application uses to retrieve the authenticated user's details from the trusted KDC. Please refer to the link below for complete details on configuring Kerberos on Mac OS X; here we focus on the application that uses Kerberos authentication, but Kerberos has to be configured first.
Setting up Kerberos in Mac OS X

Spring boot application using SPNEGO API

We will create a web application using Spring Boot and use the SPNEGO API for integrated/Kerberos authentication. Below is the project structure.
(Figure: kerberos project structure)

Maven dependencies

Spring security and kerberos related dependencies:



Spring boot web dependencies:



Application properties (application.yml)

Below is the complete code of the properties file. Here we need to configure two things for Kerberos: one is the principal and the other is the keytab file location. Here "myserver.localhost" is our application domain.
app:    # parent key name assumed
    port: 8080
    service-principal: HTTP/myserver.localhost@MYSERVER.LOCALHOST
    keytab-location: file:/Users/macuser/krb5/conf/krb5.keytab
logging.level.org.springframework.security: TRACE    # logger name assumed

spring.mvc.view.prefix: /WEB-INF/pages/
spring.mvc.view.suffix: .html

server.servlet-path: /

KerberosAuthTutorialApplication.java (Main class)

@SpringBootApplication
public class KerberosAuthTutorialApplication extends SpringBootServletInitializer {

    // used when the application is deployed as a WAR into an external servlet container
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(KerberosAuthTutorialApplication.class);
    }

    public static void main(String[] args) {
        SpringApplication.run(KerberosAuthTutorialApplication.class, args);
    }
}

WebSecurityConfig.java (Security configurations)

Class and properties declaration:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // property keys assumed to live under the "app" parent key of application.yml
    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;

Defining View resolver:
    @Bean
    public ViewResolver getViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        return resolver;
    }

Spring security configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                .authenticationEntryPoint(spnegoEntryPoint())   // answers 401 + WWW-Authenticate: Negotiate
                .and()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/auth/login").permitAll()           // fallback for clients without a ticket
                .and()
            .logout()
                .permitAll()
                .and()
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

SPNEGO and kerberos security bean configurations:
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint("/auth/login");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        // form-login path: the submitted user id and password are checked against the KDC
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        provider.setKerberosClient(client);
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        // SPNEGO path: picks the Negotiate token out of the Authorization header
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws MalformedURLException {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() throws MalformedURLException {
        // the service ticket is decrypted with the key for servicePrincipal taken from the keytab
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new UrlResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    public UserDetailsService kerbUserDetailsService() {
        // every principal the KDC vouches for gets ROLE_USER; the password field is never checked here
        return (username) -> new User(username, "notUsed", true, true,
                true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}

SampleRestController.java (REST service)

@RestController
public class SampleRestController {

    @GetMapping("/rest/hello")
    public String sayHello(HttpServletRequest req) {
        // getRemoteUser() returns the principal established by the SPNEGO filter
        System.out.println("User: " + req.getRemoteUser());
        return "Hello, you are welcome!!!";
    }
}

SpringController.java (Login page endpoint configuration)

@Controller
public class SpringController {

    @GetMapping("/auth/login")
    public String login() {
        return "loginpage";   // resolved through spring.mvc.view.prefix/suffix
    }
}

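The kerbUserDetailsService bean in WebSecurityConfig maps any principal the KDC vouches for to ROLE_USER without looking at the name. The following is an added example, not code from the original post or its repository, of a stricter replacement for the SPNEGO side (KerberosServiceAuthenticationProvider hands the validated name over with its realm, e.g. alice@MYSERVER.LOCALHOST): it accepts only principals from the expected realm, refuses service principals such as HTTP/host, and grants ROLE_ADMIN only to names in a constructed admin list. The package name, the class name and the admin list are assumptions.

```java
package com.example.kerberos; // package name assumed

import java.util.Set;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Added example: a realm-aware UserDetailsService for KerberosServiceAuthenticationProvider.
public class RealmCheckingUserDetailsService implements UserDetailsService {

    private final String expectedRealm;    // e.g. "MYSERVER.LOCALHOST", as in application.yml
    private final Set<String> adminUsers;  // constructed list; a real deployment would query a directory

    public RealmCheckingUserDetailsService(String expectedRealm, Set<String> adminUsers) {
        this.expectedRealm = expectedRealm;
        this.adminUsers = adminUsers;
    }

    @Override
    public UserDetails loadUserByUsername(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            // a bare name carries no realm; this service is wired to the SPNEGO provider only
            throw new UsernameNotFoundException("Principal without realm: " + principal);
        }
        String name = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        if (!realm.equals(expectedRealm)) {
            // a ticket from a foreign realm (cross-realm trust) must not be mapped onto a local user
            throw new UsernameNotFoundException("Unexpected realm: " + realm);
        }
        if (name.indexOf('/') >= 0) {
            // HTTP/host, host/host and similar are service principals, not interactive users
            throw new UsernameNotFoundException("Service principals cannot log in: " + principal);
        }
        String role = adminUsers.contains(name) ? "ROLE_ADMIN" : "ROLE_USER";
        // the password is never checked: the KDC already authenticated the user
        return new User(name, "notUsed", true, true, true, true,
                AuthorityUtils.createAuthorityList(role));
    }
}
```

To use it, pass an instance to provider.setUserDetailsService(...) in kerberosServiceAuthenticationProvider(), for example new RealmCheckingUserDetailsService("MYSERVER.LOCALHOST", Set.of("admin")); the form-login provider keeps the original bean, because SunJaasKerberosClient returns the user id exactly as typed, usually without a realm.
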
loginpage.jsp (Spring login page UI)

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
    <head>
        <title>Spring Security Kerberos Example</title>
    </head>
    <body style="text-align:center">
        <form action="/login" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>

Running application

Now, in your project root, execute the Maven command below to run the application.
Once the application has started, you will see the statements below in the console or log.
2019-12-30 21:11:31.641 DEBUG 6716 --- [           main] w.a.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured for use
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /Users/macuser/krb5/conf/krb5.keytab refreshKrb5Config is false principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST
Will use keytab
Commit Succeeded 
Now open the Safari browser on your Mac and open the URL http://myserver.localhost:8080/rest/hello. You will see the output below in the browser without providing any credentials.
(Figure: kerberos output)
In the logs or console you will see output similar to that given below, where the logged-in user is printed.

GIT Source code

The complete source code is available at the GitHub URL below.



  2. I couldn't make it work. It always prompts the login screen. Below is the log entry.
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ' Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID 6F99288950CD0B6104A69A374FCA6116 is invalid.
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /rest/hello' doesn't match 'POST /logout'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/home'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /rest/hello; Attributes: [authenticated]
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    2021-04-19 06:19:55.052 DEBUG 1601 --- [nio-8080-exec-1] : Voter:, returned: -1
    2021-04-19 06:19:55.056 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

    1. You can use the command "curl --negotiate -u : http://myserver.localhost:8080/rest/hello"; then it will work as well.

    2. If you use Chrome then please open Chrome with the parameter: --auth-server-whitelist="*"

  3. Hi Rajiv,

    I get the exact same issue using the KerberosRestTemplate, but when I use curl with --negotiate it works well. Still trying to find the reason for this; let me know if you were able to solve the above error.

  5. Hi, I do like the guideline. I go to http://myserver.localhost:8080/rest/hello and I always get errors such as: Access is denied (user is anonymous); redirecting to authentication entry point.
    Whoever knows the solution to this issue, please let me know.
    Thanks so much for your help

