How to use embedded Jetty Server 9 with Kerberos authentication?

I am trying to use the built-in Jetty server to expose my REST API, and now I would like to implement Kerberos authentication. This is how I create the SecurityHandler:

    String domainRealm = "MY.COM";

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(new String[]{domainRealm});
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig("/path/to/spnego.properties");
    loginService.setName(domainRealm);

    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new SpnegoAuthenticator());
    sh.setLoginService(loginService);
    sh.setConstraintMappings(new ConstraintMapping[]{cm});
    sh.setRealmName(domainRealm);

These are my spnego.properties:

 targetName = HTTP/target.name.com 

My krb5.ini:

    [libdefaults]
    default_realm = HW.COM
    default_keytab_name = FILE:/path/to/target.name.com.keytab
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
    MY.COM = {
        # IP address of the KDC
        kdc = 12.13.14.222
        # IP address of the admin server
        admin_server = 12.13.14.222
        default_domain = MY.COM
    }

    [domain_realm]
    my.com = MY.COM
    .my.com = MY.COM

    [appdefaults]
    autologin = true
    forwardable = true

My spnego.conf:

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="HTTP/target.name.com@MY.COM"
            keyTab="/path/to/target.name.com.keytab"
            useKeyTab=true
            storeKey=true
            debug=true
            isInitiator=false;
    };

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="HTTP/target.name.com@MY.COM"
            useKeyTab=true
            keyTab="/path/to/target.name.com.keytab"
            storeKey=true
            debug=true
            isInitiator=false;
    };

System properties set:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");

Unfortunately, authentication does not work. I am debugging the SpnegoLoginService.login method, and the login fails with:

 GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) 

Do you have an idea how to configure the embedded Jetty server to work correctly with Kerberos authentication?

thanks

+5
1 answer

The problem was the wrong keytab file

+4
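As an added example (not code from the question or the answer above), here is a complete embedded Jetty 9 setup for SPNEGO that also performs the check the accepted answer implies: before Jetty starts, it runs a JAAS login through the `com.sun.security.jgss.accept` entry so that a keytab that does not hold the `HTTP/` service key for the configured principal (or holds it with a stale key version) fails loudly at startup instead of surfacing as a "Defective token" during the first request. All paths, the realm `MY.COM`, the port and the `WhoAmIServlet` are assumptions for illustration; the Jetty classes used (`SpnegoLoginService`, `SpnegoAuthenticator`, `ConstraintSecurityHandler`, `Constraint.__SPNEGO_AUTH`) are the Jetty 9 API the question uses.

```java
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

public class SpnegoJettyExample {

    // Hypothetical values; replace with the real realm, paths and port of your deployment.
    static final String REALM = "MY.COM";
    static final String SPNEGO_PROPERTIES = "/path/to/spnego.properties";
    static final String JAAS_CONF = "/path/to/spnego.conf";
    static final String KRB5_CONF = "/path/to/krb5.ini";
    static final int PORT = 8080;

    /**
     * Pre-flight keytab check: log in with the JAAS "com.sun.security.jgss.accept" entry
     * (useKeyTab=true, storeKey=true, isInitiator=false, as in the question's spnego.conf).
     * A keytab that lacks the HTTP/ principal or carries a wrong key version throws a
     * LoginException here, before any client request is accepted.
     */
    static Set<KerberosPrincipal> checkKeytab() throws LoginException {
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept");
        lc.login();
        Subject subject = lc.getSubject();
        return subject.getPrincipals(KerberosPrincipal.class);
    }

    /** Builds the same constraint/login-service/authenticator wiring as in the question. */
    static ConstraintSecurityHandler spnegoSecurityHandler() {
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__SPNEGO_AUTH);
        // Jetty's SpnegoLoginService assigns the user's realm as the role, so require it.
        constraint.setRoles(new String[] { REALM });
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        // Name = realm, config = spnego.properties holding targetName = HTTP/<host>
        SpnegoLoginService loginService = new SpnegoLoginService(REALM, SPNEGO_PROPERTIES);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setAuthenticator(new SpnegoAuthenticator());
        security.setLoginService(loginService);
        security.setConstraintMappings(new ConstraintMapping[] { mapping });
        security.setRealmName(REALM);
        return security;
    }

    public static void main(String[] args) throws Exception {
        // Same system properties as in the question; must be set before any JGSS/JAAS call.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        System.setProperty("java.security.krb5.conf", KRB5_CONF);

        // Fail fast on a wrong keytab (the root cause named in the accepted answer).
        Set<KerberosPrincipal> principals = checkKeytab();
        System.out.println("Keytab login OK for: " + principals);

        Server server = new Server(PORT);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(spnegoSecurityHandler());
        context.addServlet(new ServletHolder(new WhoAmIServlet()), "/whoami");
        server.setHandler(context);
        server.start();
        server.join();
    }

    /** Minimal servlet that echoes the Kerberos principal Jetty authenticated. */
    static class WhoAmIServlet extends javax.servlet.http.HttpServlet {
        @Override
        protected void doGet(javax.servlet.http.HttpServletRequest req,
                             javax.servlet.http.HttpServletResponse resp) throws java.io.IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("Authenticated as: " + req.getUserPrincipal().getName());
        }
    }
}
```

If `checkKeytab()` throws, the keytab does not match the principal and key version the KDC knows for `HTTP/target.name.com@MY.COM`, which is exactly the situation the accepted answer describes; regenerate the keytab for that service principal and confirm the realm in the JAAS `principal` matches the realm configured in `krb5.ini`. Keep `debug=true` in the JAAS entry while diagnosing and remove it afterwards, since it logs key and ticket details to stdout.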

Source: https://habr.com/ru/post/1208829/
