How to use embedded Jetty Server 9 with Kerberos authentication?
I'm trying to use the embedded Jetty server to expose my REST API, and now I'd like to implement Kerberos authentication. This is how I create the SecurityHandler:

    // Jetty 9 classes used below (jetty-security and jetty-util)
    import org.eclipse.jetty.security.ConstraintMapping;
    import org.eclipse.jetty.security.ConstraintSecurityHandler;
    import org.eclipse.jetty.security.SpnegoLoginService;
    import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
    import org.eclipse.jetty.util.security.Constraint;

    String domainRealm = "MY.COM";

    // Constraint: every request must be authenticated via SPNEGO,
    // and the Kerberos realm name is used as the required role
    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(new String[]{domainRealm});
    constraint.setAuthenticate(true);

    // Apply the constraint to all paths
    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    // Login service reads targetName (the service principal) from spnego.properties
    SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig("/path/to/spnego.properties");
    loginService.setName(domainRealm);

    // Security handler wiring the SPNEGO authenticator, login service and constraint
    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new SpnegoAuthenticator());
    sh.setLoginService(loginService);
    sh.setConstraintMappings(new ConstraintMapping[]{cm});
    sh.setRealmName(domainRealm);

This is my spnego.properties:

targetName = HTTP/target.name.com

My krb5.ini:

[libdefaults]
default_realm = HW.COM
default_keytab_name = FILE:/path/to/target.name.com.keytab
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 

[realms]
MY.COM= {
    kdc = 12.13.14.222 # IP address
    admin_server = 12.13.14.222 # IP address
    default_domain = MY.COM
}

[domain_realm]
my.com= MY.COM
.my.com = MY.COM

[appdefaults]
autologin = true
forwardable = true

My spnego.conf:

com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/[email protected]" 
     keyTab="/path/to/target.name.com.keytab" 
     useKeyTab=true
     storeKey=true 
     debug=true 
     isInitiator=false;
};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/[email protected]" 
     useKeyTab=true
     keyTab="/path/to/target.name.com.keytab" 
     storeKey=true 
     debug=true 
     isInitiator=false;
};

System properties are set:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");

Unfortunately, authentication does not work. I'm trying to debug the SpnegoLoginService.login method, and login fails because of

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Do you have any idea how to set up the embedded Jetty server to work correctly with Kerberos authentication?

Thanks

Sustain answered 11/12, 2014 at 16:24

Comment (Hortensiahorter): Hello, could you please let me know if you needed to add your server to the AD domain for this or not? Thanks. :D

The problem was a wrong keytab file.

Sustain answered 17/12, 2014 at 19:28

Comment (Blubberhead): Can you elaborate, please? Perhaps an example of how to correctly generate the keytab for the service.
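As an added example (not part of the question, the answer, or Jetty itself): the GSSException quoted in the question is raised when the bytes handed to the GSS acceptor do not begin with the DER tag 0x60 of a GSS-API InitialContextToken. In practice that usually means the browser sent a raw NTLMSSP message under the `Negotiate` scheme instead of a SPNEGO token, which is the fallback a Windows client uses when it cannot obtain a Kerberos service ticket for the server's SPN (for instance when the SPN, the keytab or the machine's domain membership is wrong, as the first comment hints). The script below decodes constructed sample `Authorization` header values and reports which mechanism the client actually offered, so that a token problem can be told apart from a keytab problem before debugging the login service. All tokens are constructed inline and the function names are my own; they are not Jetty or JGSS APIs.

```python
"""Classify the token carried by an HTTP 'Authorization: Negotiate ...' header.

Added diagnostic example; the samples are constructed here, not captured traffic.
"""
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded OID contents (value bytes only, without the 0x06 tag and length)
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "spnego", KRB5_OID: "krb5",
             MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}
KERBEROS_NAMES = {"krb5", "ms-krb5"}


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Build one DER TLV; used only to construct the sample tokens."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def classify_negotiate(header_value):
    """Return (kind, mechanism names) describing what the client really sent."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "bad-base64", []
    if tok.startswith(NTLM_SIGNATURE):
        # Raw NTLMSSP under the Negotiate scheme: first byte is 'N' (0x4E), not 0x60,
        # which is exactly what JGSS reports as "GSSHeader did not find the right tag".
        return "raw-ntlm", ["ntlmssp"]
    if not tok or tok[0] != 0x60:
        return "unknown", []
    try:
        _, body, _ = _read_tlv(tok, 0)               # [APPLICATION 0] InitialContextToken
        oid_tag, oid, pos = _read_tlv(body, 0)       # thisMech OID
        if oid_tag != 0x06:
            return "malformed", []
        if OID_NAMES.get(oid) in KERBEROS_NAMES:
            return "raw-kerberos", [OID_NAMES[oid]]  # Kerberos without SPNEGO wrapping
        if oid != SPNEGO_OID:
            return "unknown-mech", [oid.hex()]
        ctx_tag, neg_init, _ = _read_tlv(body, pos)  # [0] NegTokenInit
        if ctx_tag != 0xA0:
            return "spnego-not-init", []
        _, seq, _ = _read_tlv(neg_init, 0)           # SEQUENCE
        mt_tag, mt, _ = _read_tlv(seq, 0)            # [0] mechTypes
        if mt_tag != 0xA0:
            return "spnego-no-mechtypes", []
        _, lst, _ = _read_tlv(mt, 0)                 # SEQUENCE OF MechType
        mechs, p = [], 0
        while p < len(lst):
            _, v, p = _read_tlv(lst, p)
            mechs.append(OID_NAMES.get(v, v.hex()))
    except (ValueError, IndexError):
        return "malformed", []
    if any(m in KERBEROS_NAMES for m in mechs):
        return "spnego-kerberos", mechs
    return "spnego-no-kerberos", mechs


def _spnego_init(*mech_oids):
    """Construct a minimal NegTokenInit offering the given mechanisms (no mechToken)."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))


def sample_headers():
    """Constructed header values keyed by the classification they should produce."""
    ntlm_type1 = NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(28)
    samples = {
        "raw-ntlm": ntlm_type1,
        "spnego-kerberos": _spnego_init(MS_KRB5_OID, KRB5_OID, NTLMSSP_OID),
        "spnego-no-kerberos": _spnego_init(NTLMSSP_OID),
    }
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in samples.items()}


if __name__ == "__main__":
    for expected, header in sample_headers().items():
        print(expected, "->", classify_negotiate(header))
```

Run against a real request by pasting the header value from the server's request log or a browser's developer tools: a `raw-ntlm` or `spnego-no-kerberos` result means the client never obtained a Kerberos ticket for the SPN, so the fix lies with the SPN, keytab or domain membership rather than with the Jetty security handler.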
