Skip to main content

Integrated/Kerberos authentication using Spring boot and SPNEGO API

In this tutorial we will learn how to use Spring boot and SPNEGO API to implement the kerberos or integrated authentication. Kerberos is developed by Massachusetts Institute of Technology (MIT) which is used to authenticate between trusted services using KDC tickets. For example email client, HR portal or employee portal in a corporate network where employee doesn't need to provide their user id & password to access these application in the same domain. Once they are logged in to their machine, they can access such services/application with kerberos authentication.
I am using MAC OS X to demonstrate the kerberos authentication. I have used the same machine to configure and run the application backed with kerberos authentication and my KDC database & application reside on the same machine.

Setting up kerberos 

First of all we need to setup kerberos where we will configure the database, create user principals, create policies and keytabs. We need to create our application user and application domain which are used by application to retrieve the authenticated user details from trusted KDC. Please refer below link on how to configure Kerberos on MAC OS X for complete details and here we will focus on our application which will use kerberos authentication but first of all we need to configure the kerberos.
Setting up Kerberos in Mac OS X

Spring boot application using SPNEGO API

We will create a web application using Spring boot and use SPNEGO API for integrated/ kerberos authentication. Below is the project structure.
kerberos project

Maven dependencies

Spring security and kerberos related dependencies:



Spring boot web dependencies:



Application properties (application.yml)

Below is the complete code of properties file. Here we need to configure two things for kerberos, one is user principal and another is keytab file location. Here "myserver.localhost" is our application domain.
    port: 8080
    service-principal: HTTP/myserver.localhost@MYSERVER.LOCALHOST
    keytab-location: file:/Users/macuser/krb5/conf/krb5.keytab TRACE

spring.mvc.view.prefix: /WEB-INF/pages/
spring.mvc.view.suffix: .html

server.servlet-path: / (Main class)

public class KerberosAuthTutorialApplication extends SpringBootServletInitializer{

 protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
  return application.sources(KerberosAuthTutorialApplication.class);

 public static void main(String[] args) {, args);
} (Security configurations)

Class and properties declaration:
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private String servicePrincipal;

    private String keytabLocation;
Defining View resolver:
    public ViewResolver getViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        return resolver;
Spring security configuration:
    protected void configure(HttpSecurity http) throws Exception {

                    .antMatchers("/", "/home").permitAll()
SPNEGO and kerberos security bean configurations:
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint("/auth/login");


    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        return provider;

    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();

        return filter;

    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider()throws MalformedURLException {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        return provider;

    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator()throws MalformedURLException {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setKeyTabLocation(new UrlResource(keytabLocation));
        return ticketValidator;

    public UserDetailsService kerbUserDetailsService() {
        return (username)->{
                return new User(username, "notUsed", true, true,
                        true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
} (REST service)

public class SampleRestController {
    public String sayHello(HttpServletRequest req){
        System.out.println("User: "+req.getRemoteUser());
        return "Hello, you are welcome!!!";
} (Login page endpoint configuration)

public class SpringController {
    public String login(){
        return "loginpage";

loginpage.jsp (Spring login page UI)

<!DOCTYPE html>
<html xmlns="" xmlns:th=""
        <title>Spring Security Kerberos Example</title>
    <body style="text-align:center">
        <form action="/login" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <div><input type="submit" value="Sign In"/></div>

Running application

Now in your project root execute below maven command to run the application.
Once application is started, you can see below statement in console or log.
2019-12-30 21:11:31.641 DEBUG 6716 --- [           main] w.a.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured for use
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /Users/macuser/krb5/conf/krb5.keytab refreshKrb5Config is false principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST
Will use keytab
Commit Succeeded 
Now open Safari browser in your Mac machine and open URL http://myserver.localhost:8080/rest/hello. You will see below output in browser without providing any credentials to it.
kerberos output
In logs or console, your will see similar output as given below where it prints the logged in user.

GIT Source code

Complete source code is available at below GIT hub URL.


Popular Posts

SpringBoot - @ConditionalOnProperty example for conditional bean initialization

@ConditionalOnProperty annotation is used to check if specified property available in the environment or it matches some specific value so it can control the execution of some part of code like bean creation. It may be useful in many cases for example enable/disable service if specific property is available. Below are the attributes which can be used for property check.
havingValue - Provide the value which need to check against specified property otherwise it will check that value should not be false.matchIfMissing - If true it will match the condition and execute the annotated code when property itself is not available in - Name of the property to be tested. If you want to test single property then you can directly put the property name as string like "" and if you have multiple properties to test then you can put the names like {"prop.name1","prop.name2"}prefix - It can be use when you want to apply some prefix to all prop…

Asynchronous REST service implementation in Spring boot

In this tutorial we will see how to create an asynchronous REST service endpoint using Spring boot application.
Asynchronous service works in a way that it will not block the client request and do the processing in separate thread. When work is complete the response returned to the client so our service will be able to handle more client requests at the same time, compare to synchronous processing model.
Let's understand how it is working in synchronous mode. In such server/client application at server side it has a pool of threads which are serving the request. If a request received by a thread then it will be blocked until it send the response back to client. In this case if processing doesn't take much time it will be able to process it quickly and accept other client requests but there could be one situation when all threads are busy and not able to accept the new client requests.

To overcome of such problems, asynchronous processing model introduced for REST services. In…

Entity to DTO conversion in Java using Jackson

It's very common to have the DTO class for a given entity in any application. When persisting data, we use entity objects and when we need to provide the data to end user/application we use DTO class. Due to this we may need to have similar properties on DTO class as we have in our Entity class and to share the data we populate DTO objects using entity objects. To do this we may need to call getter on entity and then setter on DTO for the same data which increases number of code line. Also if number of DTOs are high then we need to write lot of code to just get and set the values or vice-versa.
To overcome this problem we are going to use Jackson API and will see how to do it with minimal code only.
Maven dependency <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.9</version> </dependency> Entity class Below is our ent…

Web scraper using JSoup and Spring Boot

What is webscraping Webscraping is a technique to extract or pull the data from a website to gather required information by parsing the HTML source of their websites, such as articles from news or books site, products information from online shopping sites or course information from education sites. There are many organisations who uses web scraper to provide the best experience to their customers, for example extract the price for a smartphone from multiple online websites and show their customers the best and cheap product URL.
We will learn here how to code a web scraper by developing a simple new scraper service.
News scraper News scraper is used to extract the news articles or other related contents from a news site. Here we are going to create a web scraper application to pull the articles from news site.
Below are the operations provided by our news scraper service.
List all the authorsSearch articles by author nameSearch articles by article titleSearch articles by article desc…