Simple Kerberos client in Java?

隐瞒了意图╮ 2020-12-02 06:47

Applications such as Google's Chrome and IE can transparently handle Kerberos authentication; however, I cannot find a "simple" Java solution to match this transparency. A

9 answers
  • 2020-12-02 07:16

    Here's a good blog post on having a java client to use with Kerberos http://sachithdhanushka.blogspot.com/2014/02/kerberos-java-client-configuration.html

  • 2020-12-02 07:19

    You don't actually need to do anything. In Java 6, on a Windows client machine you can do this:

    new URL("http://myhost/myapp").openStream();
    

    And negotiate authentication just works. At least it does for me. And the server I tested on only supports Negotiate, not NTLM auth.

  • 2020-12-02 07:22

    Adding to David Roussel's answer on URL-specific, HTTP-based Kerberos authentication:

    The reason your code works is that your target SPN (server-side principal) is configured with HTTP/serverhostname.realm.com@DOMAIN.COM. In that case it will work because you are not explicitly setting the token. URLConnection internally sets a token with that SPN.

    1 Perform steps (from my previous answer) to get a subject

    2 Use GSS-API init sec context to generate a context token. There are numerous tutorials out there for this step

    3 Base64-encode the token

    4 Attach the token to the URLConnection:

    // encodedToken is the Base64-encoded context token from step 3
    URL url = new URL("http://myhost/myapp");
    HttpURLConnection urlConn = (HttpURLConnection) url.openConnection();
    urlConn.setRequestProperty("Authorization", "Negotiate " + encodedToken);
    

    5 Implement a privileged action:

    //this internally calls the getInputStream
    public class PrivilegedGetInputStream implements PrivilegedExceptionAction<InputStream>
    

    6 Wrap the whole thing in Subject.doAs

    // use the previous answer's instructions to get the subject
    Subject.doAs(subject, new PrivilegedGetInputStream(urlConn));
    