How to use embedded Jetty Server 9 with Kerberos authentication?

Question

I'm trying to use Jetty embedded server to expose my Rest API and now I'd like to implement Kerberos Authentication. This is how I create SecurityHandler

    String domainRealm = "MY.COM";

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(new String[]{domainRealm});
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig("/path/to/spnego.properties");
    loginService.setName(domainRealm);

    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new SpnegoAuthenticator());
    sh.setLoginService(loginService);
    sh.setConstraintMappings(new ConstraintMapping[]{cm});
    sh.setRealmName(domainRealm);

This is my spnego.properties:

targetName = HTTP/target.name.com

My krb5.ini:

[libdefaults]
default_realm = HW.COM
default_keytab_name = FILE:/path/to/target.name.com.keytab
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 

[realms]
MY.COM= {
    kdc = 12.13.14.222 #IP adress
    admin_server = 12.13.14.222 # IP ADDRESS
    default_domain = MY.COM
}

[domain_realm]
my.com= MY.COM
.my.com = MY.COM

[appdefaults]
autologin = true
forwardable = true

My spnego.conf:

com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/target.name.com@MY.COM" 
     keyTab="/path/to/target.name.com.keytab" 
     useKeyTab=true
     storeKey=true 
     debug=true 
     isInitiator=false;
};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/target.name.com@MY.COM" 
     useKeyTab=true
     keyTab="/path/to/target.name.com.keytab" 
     storeKey=true 
     debug=true 
     isInitiator=false;
};

System properties are set:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");

Unfortunately authentication does not work. I'm trying to debug SpnegoLoginService.login method and login fails because of

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Do you have idea how to setup embedded Jetty server to work correctly with Kerberos authentication?

Thanks

Hello, Could you please let me know if you needed to add your server in the AD domain for this or not? thanks. :D — Arka Mallick, Jul 02 '19 at 12:41

score 6 · Answer 1 · answered Dec 17 '14 at 19:28

6

The problem was in wrong keytab file

answered Dec 17 '14 at 19:28

Jan

410
1
7
15

can you elaborate please? perhaps an example how to correctly generate the keytab for the service – Honza Dec 05 '18 at 13:37

How to use embedded Jetty Server 9 with Kerberos authentication?

1 Answers1