
Integrated/Kerberos authentication using Spring Boot and the SPNEGO API

In this tutorial we will learn how to use Spring Boot and the SPNEGO API to implement Kerberos (integrated) authentication. Kerberos was developed at the Massachusetts Institute of Technology (MIT); it authenticates users to trusted services with tickets issued by a Key Distribution Center (KDC). A typical use is a corporate network where employees open the email client, HR portal or employee portal without entering a user id and password: once they have logged in to their machine in the domain, the browser obtains a service ticket for each application and presents it transparently.
I am using macOS to demonstrate this. The KDC database and the application run on the same machine, which is also where I configured everything.

Setting up kerberos 

First we set up Kerberos: configure the KDC database, then create user principals, policies and keytabs. We also create the application's service principal (HTTP/<host>@<REALM>) and its keytab; the application uses this key to validate the tickets browsers present and to retrieve the authenticated user name from the trusted KDC. The link below explains how to configure Kerberos on macOS in detail; the rest of this page focuses on the application that uses it.
Setting up Kerberos in Mac OS X

Spring boot application using SPNEGO API

We will create a web application with Spring Boot and use the SPNEGO API for integrated (Kerberos) authentication. The project structure is shown in the screenshot below.
(figure: kerberos project structure)

Maven dependencies

Spring Security and Spring Security Kerberos dependencies:



Spring boot web dependencies:



Application properties (application.yml)

Below is the properties file. Two settings matter for Kerberos: the service principal and the keytab file location. The service principal has the form HTTP/<host>@<REALM>; here "myserver.localhost" is the host name the browser will use for our application and MYSERVER.LOCALHOST is the realm, and the keytab must contain the key for exactly this principal. The `kerberos` parent key below is an assumption (the original key is not preserved); it only has to match the `@Value` placeholders in the security configuration. The logger that gets level TRACE is likewise assumed.

```yaml
server:
  port: 8080
  servlet-path: /

# "kerberos" is an assumed parent key; it must match the
# @Value placeholders in WebSecurityConfig
kerberos:
  service-principal: HTTP/myserver.localhost@MYSERVER.LOCALHOST
  keytab-location: file:/Users/macuser/krb5/conf/krb5.keytab

# logger name assumed; TRACE gives the filter-chain output shown under "Running application"
logging:
  level:
    org.springframework.security: TRACE

spring:
  mvc:
    view:
      prefix: /WEB-INF/pages/
      suffix: .html
```

KerberosAuthTutorialApplication.java (Main class)

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
// Spring Boot 2.x package; in 1.x the class lives in org.springframework.boot.web.support
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

@SpringBootApplication
public class KerberosAuthTutorialApplication extends SpringBootServletInitializer {

    // Used when the application is deployed as a WAR into an external servlet container
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(KerberosAuthTutorialApplication.class);
    }

    // Used when the application is started with its embedded container
    public static void main(String[] args) {
        SpringApplication.run(KerberosAuthTutorialApplication.class, args);
    }
}
```

WebSecurityConfig.java (Security configurations)

The whole security configuration is one class: the two Kerberos properties, the view resolver for the login page, the Spring Security filter chain, and the SPNEGO/Kerberos beans. The `kerberos.` prefix in the `@Value` placeholders is an assumption that matches the application.yml above.

```java
import java.net.MalformedURLException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.core.io.UrlResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.kerberos.authentication.*;
import org.springframework.security.kerberos.authentication.sun.*;
import org.springframework.security.kerberos.web.authentication.*;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Class and properties declaration ("kerberos." prefix assumed, see application.yml)
    @Value("${kerberos.service-principal}")
    private String servicePrincipal;
    @Value("${kerberos.keytab-location}")
    private String keytabLocation;

    // View resolver for the login page (same prefix/suffix as application.yml)
    @Bean
    public ViewResolver getViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/pages/");
        resolver.setSuffix(".html");
        return resolver;
    }

    // Spring Security configuration: unauthenticated requests get the Negotiate
    // challenge; the SPNEGO filter runs before basic auth so a ticket is consumed
    // before the form-login fallback is reached
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling().authenticationEntryPoint(spnegoEntryPoint()).and()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated().and()
            .formLogin().loginPage("/auth/login").permitAll().and()
            .logout().permitAll().and()
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

    // SPNEGO and Kerberos security beans
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        // 401 + "WWW-Authenticate: Negotiate", forwarding to the login form
        return new SpnegoEntryPoint("/auth/login");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    // Form login fallback: user name and password are checked against the KDC
    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        provider.setKerberosClient(client);
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    // Extracts the ticket from the "Authorization: Negotiate ..." header
    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    // Validates that ticket with the service key from the keytab
    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws MalformedURLException {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() throws MalformedURLException {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new UrlResource(keytabLocation));
        ticketValidator.setDebug(true); // prints the Krb5LoginModule lines shown under "Running application"
        return ticketValidator;
    }

    // Every principal the KDC vouches for gets ROLE_USER; no directory lookup
    @Bean
    public UserDetailsService kerbUserDetailsService() {
        return (username) -> new User(username, "notUsed", true, true,
                true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

SpnegoEntryPoint replies 401 with `WWW-Authenticate: Negotiate` and, because a forward URL is given, forwards to the login form in the same response. A browser that holds a ticket answers the challenge on its next request; one that does not (no TGT, or the host is not one it is allowed to use Negotiate with) simply shows the login page, which is what "Access is denied (user is anonymous); redirecting to authentication entry point" in the Spring Security log looks like from the server side.

Two things to keep in mind before using this beyond a lab. `kerbUserDetailsService` hands ROLE_USER to any principal the KDC vouches for, so every account in the realm (and in any realm it trusts) can reach the protected endpoints; in a real deployment look the principal up in a directory and map roles from there. The keytab holds the service's long-term key: whoever can read it can impersonate the service and decrypt every ticket presented to it, so keep it out of source control and readable only by the account running the application, and turn `setDebug(true)` off, since it prints key-table and ticket details to the log.

SampleRestController.java (REST service)

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/rest")
public class SampleRestController {

    // Reached only with a valid ticket; getRemoteUser() is the Kerberos principal
    @GetMapping("/hello")
    public String sayHello(HttpServletRequest req) {
        System.out.println("User: " + req.getRemoteUser());
        return "Hello, you are welcome!!!";
    }
}
```

SpringController.java (Login page endpoint configuration)

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class SpringController {

    // Path matches the forward URL given to SpnegoEntryPoint
    @GetMapping("/auth/login")
    public String login() {
        return "loginpage";
    }
}
```

loginpage.jsp (Spring login page UI)

The form posts to `/login`, Spring Security's default form-login processing URL, which the KerberosAuthenticationProvider above handles. With Spring Security's default CSRF protection enabled the POST also needs the `_csrf` hidden field; Thymeleaf adds it automatically when the form uses `th:action` instead of `action`.

```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
    <head>
        <title>Spring Security Kerberos Example</title>
    </head>
    <body style="text-align:center">
        <form action="/login" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>
```

Running application

Now build and run the application from the project root with Maven. Once it has started you will see the statements below in the console or log. The "Debug is true ..." line comes from the JAAS Krb5LoginModule that the ticket validator logs in with (`isInitiator false`, `useKeyTab true`: it acts as the service, not as a client), and "Commit Succeeded" means the service principal was found in the keytab and its key was loaded.

```
2019-12-30 21:11:31.641 DEBUG 6716 --- [           main] w.a.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured for use
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /Users/macuser/krb5/conf/krb5.keytab refreshKrb5Config is false principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST
Will use keytab
Commit Succeeded
```

Now open Safari on your Mac and browse to http://myserver.localhost:8080/rest/hello. The greeting from `sayHello` appears without any credentials being asked for, and the console prints the authenticated principal (`User: ...`) from the controller.

(figure: kerberos output in Safari)

For this to work the browser must hold a TGT for the user (`klist` shows it after login or `kinit`), and the host name in the URL must match the service principal: Safari asks the KDC for a ticket for HTTP/myserver.localhost, which exists only if that principal was created and added to the keytab during the Kerberos setup (`klist -kt <keytab>` lists what the keytab contains). If either is missing, the browser does not answer the Negotiate challenge and renders the forwarded login page instead.
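When the login page shows up instead of the greeting, the first thing to check is what the browser actually sent back to the `WWW-Authenticate: Negotiate` challenge. As an added example (not code from the tutorial or from the Spring Security Kerberos project), the script below does in Python what SpnegoAuthenticationProcessingFilter does first with the Authorization header (accept the Negotiate or Kerberos scheme, base64-decode the token) and then reads the GSS-API token framing to report whether the client sent SPNEGO, raw Kerberos, or an NTLM fallback that no Kerberos-only validator can process. Everything is standard library; the tokens built in the `__main__` section are constructed stand-ins (real tokens carry a NegTokenInit or AP-REQ after the mechanism OID).

```python
"""Classify the Authorization header a client sends after a Negotiate challenge.

Added example, not part of the tutorial or of Spring Security Kerberos.
Sample tokens below are constructed; only the GSS framing (RFC 2743 s.3.1)
is real: 0x60 <DER length> <mechanism OID> <mechanism-specific body>.
"""
import base64
import re

SPNEGO_OID = "1.3.6.1.5.5.2"          # RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"     # RFC 1964
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # Microsoft Kerberos variant
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"    # NTLM messages carry no GSS framing


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Decode DER OID content bytes to dotted form (first byte holds two arcs)."""
    arcs, value, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def _encode_oid(oid):
    """Inverse of _decode_oid; used only to build the constructed samples."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _der(tag, body):
    """Wrap body in a DER TLV with the given tag (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def gss_mech_oid(token):
    """Return the mechanism OID of a GSS InitialContextToken, or raise ValueError."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    total, pos = _der_length(token, 1)
    if total == 0 or pos + total != len(token) or token[pos] != 0x06:
        raise ValueError("bad token framing")
    oid_len, pos = _der_length(token, pos + 1)
    if oid_len == 0 or pos + oid_len > len(token):
        raise ValueError("bad OID length")
    return _decode_oid(token[pos:pos + oid_len])


def classify_authorization(header_value):
    """Classify an Authorization header the way the SPNEGO filter sees it."""
    m = re.fullmatch(r"(Negotiate|Kerberos)\s+([A-Za-z0-9+/=]+)", header_value.strip())
    if not m:
        return "not-negotiate"   # Basic/Bearer/absent: filter passes the request through anonymously
    try:
        token = base64.b64decode(m.group(2), validate=True)
    except ValueError:           # binascii.Error is a ValueError
        return "bad-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"            # client fell back to NTLM: it had no ticket for this host
    try:
        oid = gss_mech_oid(token)
    except ValueError:
        return "malformed"
    return {SPNEGO_OID: "spnego", KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5"}.get(oid, "unknown:" + oid)


def make_initial_token(mech_oid, inner=b"\x00"):
    """Constructed sample: an InitialContextToken for mech_oid around placeholder bytes."""
    return _der(0x60, _der(0x06, _encode_oid(mech_oid)) + inner)


def negotiate_header(token):
    """Format a token the way a browser sends it."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    samples = [("spnego", negotiate_header(make_initial_token(SPNEGO_OID, b"\xa0\x00"))),
               ("ntlm", negotiate_header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")),
               ("basic", "Basic dXNlcjpwYXNz")]   # constructed, "user:pass"
    for name, header in samples:
        print(name, "->", classify_authorization(header))
```

On a real capture you can apply the same test by eye: a SPNEGO token from a browser starts with `YII` in base64 (the `0x60 0x82` framing of a token longer than 255 bytes), while an NTLM fallback starts with `TlRMTVNTUAAB`. Seeing the latter, or no Authorization header at all on the request that follows the 401, means the browser side is the problem even when the KDC and keytab are fine.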
GIT Source code

The complete source code is available on GitHub.



  2. I couldn't make it work. It always prompts the login screen. Below is the log entry.

    ```
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ' Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID 6F99288950CD0B6104A69A374FCA6116 is invalid.
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] : /rest/hello at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /rest/hello' doesn't match 'POST /logout'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/home'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /rest/hello; Attributes: [authenticated]
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    2021-04-19 06:19:55.052 DEBUG 1601 --- [nio-8080-exec-1] : Voter:, returned: -1
    2021-04-19 06:19:55.056 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
    ```

  3. Hi Rajiv,

    I get the exact same issue using the KerberosRestTemplate, but when I use curl with --negotiate it works well. I'm still trying to find the reason for this; let me know if you were able to solve the above error.

