Skip to main content

Integrated/Kerberos authentication using Spring boot and SPNEGO API

In this tutorial we will learn how to use Spring boot and SPNEGO API to implement the kerberos or integrated authentication. Kerberos is developed by Massachusetts Institute of Technology (MIT) which is used to authenticate between trusted services using KDC tickets. For example email client, HR portal or employee portal in a corporate network where employee doesn't need to provide their user id & password to access these application in the same domain. Once they are logged in to their machine, they can access such services/application with kerberos authentication.
I am using MAC OS X to demonstrate the kerberos authentication. I have used the same machine to configure and run the application backed with kerberos authentication and my KDC database & application reside on the same machine.

Setting up kerberos 

First of all we need to setup kerberos where we will configure the database, create user principals, create policies and keytabs. We need to create our application user and application domain which are used by application to retrieve the authenticated user details from trusted KDC. Please refer below link on how to configure Kerberos on MAC OS X for complete details and here we will focus on our application which will use kerberos authentication but first of all we need to configure the kerberos.
Setting up Kerberos in Mac OS X

Spring boot application using SPNEGO API

We will create a web application using Spring boot and use SPNEGO API for integrated/ kerberos authentication. Below is the project structure.
kerberos project

Maven dependencies

Spring security and kerberos related dependencies:
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-web</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-core</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.kerberos</groupId>
            <artifactId>spring-security-kerberos-client</artifactId>
            <version>1.0.1.RELEASE</version>
        </dependency>
Spring boot web dependencies:
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <scope>provided</scope>
        </dependency>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <scope>provided</scope>
        </dependency>

Application properties (application.yml)

Below is the complete code of properties file. Here we need to configure two things for kerberos, one is user principal and another is keytab file location. Here "myserver.localhost" is our application domain.
server:
    port: 8080
app:
    service-principal: HTTP/myserver.localhost@MYSERVER.LOCALHOST
    keytab-location: file:/Users/macuser/krb5/conf/krb5.keytab

logging.level.org.springframework.security: TRACE

spring.mvc.view.prefix: /WEB-INF/pages/
spring.mvc.view.suffix: .html

server.servlet-path: /

KerberosAuthTutorialApplication.java (Main class)

@SpringBootApplication
@EnableWebMvc
public class KerberosAuthTutorialApplication extends SpringBootServletInitializer{

 @Override
 protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
  return application.sources(KerberosAuthTutorialApplication.class);
 }

 public static void main(String[] args) {
  SpringApplication.run(KerberosAuthTutorialApplication.class, args);
 }
}

WebSecurityConfig.java (Security configurations)

Class and properties declaration:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;
Defining View resolver:
    @Bean
    public ViewResolver getViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/pages/");
        resolver.setSuffix(".jsp");
        return resolver;
    }
Spring security configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(
                        spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                        BasicAuthenticationFilter.class)

                .exceptionHandling()
                    .authenticationEntryPoint(spnegoEntryPoint())
                    .and()
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/auth/login").permitAll()
                    .and()
                .logout()
                    .permitAll();
    }
SPNEGO and kerberos security bean configurations:
    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint("/auth/login");

    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider())
            .userDetailsService(kerbUserDetailsService());
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);

        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider()throws MalformedURLException {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(kerbUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator()throws MalformedURLException {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new UrlResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    public UserDetailsService kerbUserDetailsService() {
        return (username)->{
                return new User(username, "notUsed", true, true,
                        true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }
}

SampleRestController.java (REST service)

@RestController
@RequestMapping("/rest")
public class SampleRestController {
    @GetMapping("/hello")
    public String sayHello(HttpServletRequest req){
        System.out.println("User: "+req.getRemoteUser());
        return "Hello, you are welcome!!!";
    }
}

SpringController.java (Login page endpoint configuration)

@Controller
@RequestMapping("/auth")
public class SpringController {
    @RequestMapping("/login")
    public String login(){
        return "loginpage";
    }
}

loginpage.jsp (Spring login page UI)

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    <head>
        <title>Spring Security Kerberos Example</title>
    </head>
    <body style="text-align:center">
        <form action="/login" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>

Running application

Now in your project root execute below maven command to run the application.
spring-boot:run
Once application is started, you can see below statement in console or log.
2019-12-30 21:11:31.641 DEBUG 6716 --- [           main] w.a.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured for use
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /Users/macuser/krb5/conf/krb5.keytab refreshKrb5Config is false principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/myserver.localhost@MYSERVER.LOCALHOST
Will use keytab
Commit Succeeded 
Now open Safari browser in your Mac machine and open URL http://myserver.localhost:8080/rest/hello. You will see below output in browser without providing any credentials to it.
kerberos output
In logs or console, your will see similar output as given below where it prints the logged in user.
User: macuser@MYSERVER.LOCALHOST

GIT Source code

Complete source code is available at below GIT hub URL.
https://github.com/thetechnojournals/spring-tutorials/tree/master/KerberosAuthTutorial

Comments

  1. I couldn't able to make it work. Always prompting login screen. Below is the log entry.
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /rest/hello at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2021-04-19 06:19:55.000 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@21cb9a2d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.2; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /rest/hello at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.session.SessionManagementFilter : Requested session ID 6F99288950CD0B6104A69A374FCA6116 is invalid.
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /rest/hello at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /rest/hello at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2021-04-19 06:19:55.001 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /rest/hello' doesn't match 'POST /logout'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/hello'; against '/home'
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /rest/hello; Attributes: [authenticated]
    2021-04-19 06:19:55.002 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@21cb9a2d: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.2; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    2021-04-19 06:19:55.052 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6d3f9317, returned: -1
    2021-04-19 06:19:55.056 DEBUG 1601 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

    ReplyDelete
    Replies
    1. you can use the command as "curl --negoctiate -u : http://myserver.localhost:8080/rest/hello" then It will work as well

      Delete
    2. If you use Chrome then please open chrome with parameter: —auth-server-whitelist=“*tchlabs.net”

      Delete
  2. Hi Rajiv,

    I get the exact same issue using the KerberosRestTemplate, but when I use curl with --negotiate it works well. still trying to find the reason for this, let me know if you were able to solve the above error

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Hi, I do like guideline, I go to http://myserver.localhost:8080/rest/hello and I always get errors as: Access is denied (user is anonymous); redirecting to authentication entry point.
    Who know the solution to solve this issue please let me know
    Thanks so much for your help

    ReplyDelete
  5. Advanced Topics in Web Designing at APTRON offer a comprehensive exploration of the ever-evolving field of web development. A solid grasp of advanced web design techniques is essential in today's digital landscape.

    ReplyDelete

Post a Comment

Popular Posts

Setting up kerberos in Mac OS X

Kerberos in MAC OS X Kerberos authentication allows the computers in same domain network to authenticate certain services with prompting the user for credentials. MAC OS X comes with Heimdal Kerberos which is an alternate implementation of the kerberos and uses LDAP as identity management database. Here we are going to learn how to setup a kerberos on MAC OS X which we will configure latter in our application. Installing Kerberos In MAC we can use Homebrew for installing any software package. Homebrew makes it very easy to install the kerberos by just executing a simple command as given below. brew install krb5 Once installation is complete, we need to set the below export commands in user's profile which will make the kerberos utility commands and compiler available to execute from anywhere. Open user's bash profile: vi ~/.bash_profile Add below lines: export PATH=/usr/local/opt/krb5/bin:$PATH export PATH=/usr/local/opt/krb5/sbin:$PATH export LDFLAGS=&

SpringBoot - @ConditionalOnProperty example for conditional bean initialization

@ConditionalOnProperty annotation is used to check if specified property available in the environment or it matches some specific value so it can control the execution of some part of code like bean creation. It may be useful in many cases for example enable/disable service if specific property is available. Below are the attributes which can be used for property check. havingValue - Provide the value which need to check against specified property otherwise it will check that value should not be false. matchIfMissing - If true it will match the condition and execute the annotated code when property itself is not available in environment. name - Name of the property to be tested. If you want to test single property then you can directly put the property name as string like "property.name" and if you have multiple properties to test then you can put the names like {"prop.name1","prop.name2"} prefix - It can be use when you want to apply some prefix to

Multiple data source with Spring boot, batch and cloud task

Here we will see how we can configure different datasource for application and batch. By default, Spring batch stores the job details and execution details in database. If separate data source is not configured for spring batch then it will use the available data source in your application if configured and create batch related tables there. Which may be the unwanted burden on application database and we would like to configure separate database for spring batch. To overcome this situation we will configure the different datasource for spring batch using in-memory database, since we don't want to store batch job details permanently. Other thing is the configuration of  spring cloud task in case of multiple datasource and it must point to the same data source which is pointed by spring batch. In below sections, we will se how to configure application, batch and cloud task related data sources. Application Data Source Define the data source in application properties or yml con

Entity to DTO conversion in Java using Jackson

It's very common to have the DTO class for a given entity in any application. When persisting data, we use entity objects and when we need to provide the data to end user/application we use DTO class. Due to this we may need to have similar properties on DTO class as we have in our Entity class and to share the data we populate DTO objects using entity objects. To do this we may need to call getter on entity and then setter on DTO for the same data which increases number of code line. Also if number of DTOs are high then we need to write lot of code to just get and set the values or vice-versa. To overcome this problem we are going to use Jackson API and will see how to do it with minimal code only. Maven dependency <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.9</version> </dependency> Entity class Below is