Simple Kerberos client in Java?

隐瞒了意图╮ 2020-12-02 06:47

Applications such as Google's Chrome and IE can transparently handle Kerberos authentication; however I can not find a "simple" Java solution to match this transparency. A

9 answers
  • 2020-12-02 06:58

    Use WAFFLE

  • 2020-12-02 07:01

    There is now a simple solution for this using the Apache HTTP Components Client 4.5 or greater. This is still marked as experimental in 4.5 so your mileage may vary, but this is working fine for me in an enterprise context.

    In addition to the HC 4.5 client jars you will need to have the httpclient-win, jna and jna-platform jars on your classpath, as provided with http-component-client. You then construct a Kerberos enabled HC-client as follows:

    CloseableHttpClient httpclient = WinHttpClients.createDefault();
    

    Or using the builder:

    HttpClientBuilder clientBuilder = WinHttpClients.custom();
    

    Which can then be customised as required before building the client:

    CloseableHttpClient client = clientBuilder.build();
    

    This solution works without any external configuration, and most importantly solves the issue where the in-built JRE mechanism breaks for users with local Admin rights on Windows 7+. This is possible because the Kerberos ticket is being retrieved directly from the SSPI API via JNA, rather than going through the GSSAPI provided by the JRE.

    Example code from the http-components team

    This was all made possible by the good work of Daniel Doubrovkine, Timothy Wall and Ryan McKinley.

  • 2020-12-02 07:02

    I created a small tool to simplify connecting with httpclient to kerberos, you might want to give it a try. https://github.com/DovAmir/httpclientAuthHelper

    DefaultHttpClient httpclient = new DefaultHttpClient();
    // turn on Kerberos debug logging for the login/GSS exchange
    AuthUtils.securityLogging(SecurityLogType.KERBEROS, true);
    // domain and kdc are the Kerberos realm and KDC host; no krb5.conf or login.conf needed
    CredentialsUtils.setKerberosCredentials(httpclient, new UsernamePasswordCredentials("xxx", "xxx"), "domain", "kdc");
    HttpGet httpget = new HttpGet(url); // url: the Kerberos-protected resource
    HttpResponse response = httpclient.execute(httpget);
    
  • 2020-12-02 07:13

    Ok if you want to avoid using a login.conf file you need to code differently:

    //define your own configuration, replacing the login.conf entry
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;

    public class CustomLoginConfiguration extends Configuration {

        //define a config entry
        private final AppConfigurationEntry configEntry;

        //pass certain parameters to its constructor:
        //the map contains entries similar to the ones you have in login.conf
        //(e.g. useTicketCache=true, doNotPrompt=true)
        public CustomLoginConfiguration(Map<String, String> params) {
            configEntry = new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, params);
        }

        //implement the getAppConfigurationEntry method; the name argument is
        //ignored because this configuration only knows a single entry
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { configEntry };
        }
    }
    

    Now once you are done with this definition you can use it to fetch tickets from the KDC:

    //get ticket in login context
    LoginContext lc = new LoginContext("lc", null, callback, new CustomLoginConfiguration(argumentlist));
    lc.login();
    

    Now from here on you can fetch the JAAS Subject and can basically do a ton of authentication stuff.

    In case you need further pointers just leave a comment.

  • 2020-12-02 07:13

    You can use system properties instead of config files to specify the KDC hostname and service name, but those things (at least) are mandatory...

    Waffle will actually give you the information you need to set most of the properties, even if it won't get you a ticket. Look at the WindowsAuthProviderImpl class (the Waffle.chm help file shows the API).

    I use JAAS to obtain a service ticket from Active Directory in two steps:

    1. Use Krb5LoginModule to retrieve the cached TGT and add it to the Subject.

    2. Use the Subject and GSS-API to retrieve a service ticket from the KDC.

    There's a lot of good information and example code at The Java Way of Active Directory.

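The two steps above (Krb5LoginModule pulling the cached TGT into a Subject, then GSS-API asking the KDC for a service ticket), written out as an added example that is not code from this answer or the linked article; the in-code Configuration also replaces the login.conf file the previous answer avoids. The SPN form `HTTP@host`, the SPNEGO mechanism OID and the Krb5LoginModule option values are assumptions about the target environment.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class KerberosServiceTicket {

    // Step 1: JAAS configuration built in code (no login.conf). It reads the TGT
    // from the OS ticket cache (kinit / Windows logon) and never prompts for a password.
    static Configuration ticketCacheConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true");
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Step 2: inside the Subject, ask GSS-API (SPNEGO mechanism, as browsers use for
    // HTTP Negotiate) for a service ticket for the host-based SPN "HTTP@host" and
    // return the initial token that goes into "Authorization: Negotiate <token>".
    static String negotiateToken(Subject subject, String hostBasedSpn) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            GSSName service = manager.createName(hostBasedSpn, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(service, spnego, null,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // also let the server prove its identity to us
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return Base64.getEncoder().encodeToString(token);
        });
    }

    // usage: java KerberosServiceTicket HTTP@web.example.internal (hostname assumed)
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("krb5", null, null, ticketCacheConfig());
        lc.login();
        System.out.println("Negotiate " + negotiateToken(lc.getSubject(), args[0]));
    }
}
```

With mutual authentication requested, the server's reply token (sent back in its `WWW-Authenticate` header) should be fed to `initSecContext` again before trusting the response.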
  • 2020-12-02 07:16

    Oracle has an example using Java's SaslClient. I'm not a Java programmer, but when I pointed this out once to someone who is, they were able to make it work pretty quickly. It may still require a "conf" file somewhere (n.b. Kerberos uses environment variables, often starting with KRB5_, to know where to look for such files). Also note that Kerberos itself does not include a transport of any kind--your app needs to know how to send and receive the Kerberos payloads the way the server expects (and this is different depending on the server you are trying to authenticate with).

    Edit: you edited your question, so here's a link related to SPNEGO in Java which might be of some use: http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html
