/*
* ====================================================================
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*
Information
*For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more completely.
*NegotiateSchemeFactory has two custom methods
*#setStripPort(boolean) - default is false, will strip the port off the Kerberos
* service name if true. Found useful with JBoss Negotiation. Can be used with Java >= 1.5
*#setSpengoGenerator(SpnegoTokenGenerator) - default is null, class to use to wrap
* kerberos token. An example is in contrib - org.apache.http.contrib.auth.BouncySpnegoTokenGenerator.
* Requires use of bouncy castle libs.
* Useful with Java 1.5.
*
*Additional Config Files
*Two files control how Java uses/configures Kerberos. Very basic examples are below. There
* is a large amount of information on the web.
*krb5.conf
*
* [libdefaults]
*     default_realm = AD.EXAMPLE.NET
*     udp_preference_limit = 1
* [realms]
*     AD.EXAMPLE.NET = {
*         kdc = AD.EXAMPLE.NET
*     }
*     DEV.EXAMPLE.NET = {
*         kdc = DEV.EXAMPLE.NET
*     }
* [domain_realms]
*     .ad.example.net = AD.EXAMPLE.NET
*     ad.example.net = AD.EXAMPLE.NET
*     .dev.example.net = DEV.EXAMPLE.NET
*     dev.example.net = DEV.EXAMPLE.NET
*     gb.dev.example.net = DEV.EXAMPLE.NET
*     .gb.dev.example.net = DEV.EXAMPLE.NET
*
* login.conf
*
*com.sun.security.jgss.login {
*     com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
*com.sun.security.jgss.initiate {
*     com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
*com.sun.security.jgss.accept {
*     com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
Windows specific configuration
*
* The registry key allowtgtsessionkey should be added, and set correctly, to allow
* session keys to be sent in the Kerberos Ticket-Granting Ticket.
*
*
* On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
*
*
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
* Value Name: allowtgtsessionkey
* Value Type: REG_DWORD
* Value: 0x01
*
* Here is the location of the registry setting on Windows XP SP2: *
*
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
* Value Name: allowtgtsessionkey
* Value Type: REG_DWORD
* Value: 0x01
*
* @since 4.1
*/
public class ClientKerberosAuthentication {

    /** Visual divider printed between the parts of the response. */
    private static final String SEPARATOR = "----------------------------------------";

    /**
     * Issues a single GET against a Kerberos/SPNEGO protected host and prints the
     * status line and the response body.
     * <p>
     * The JAAS and krb5 configuration are read from {@code login.conf} and
     * {@code krb5.conf} in the working directory. The Kerberos ticket comes from the
     * JAAS login, so no user name or password is handed to HttpClient.
     *
     * @param args ignored
     * @throws Exception if the request fails or the response body cannot be read
     */
    public static void main(String[] args) throws Exception {

        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        // Verbose Kerberos diagnostics on stdout: helpful while getting the setup right,
        // noisy (and revealing about the realm layout) anywhere else.
        System.setProperty("sun.security.krb5.debug", "true");
        // Let GSS-API acquire credentials via the login configuration instead of
        // relying only on an already-established Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());

            // Both accessors deliberately return null: the ticket is obtained through
            // JAAS, this entry only has to exist in the credentials provider.
            Credentials jaasCredentials = new Credentials() {

                public String getPassword() {
                    return null;
                }

                public Principal getUserPrincipal() {
                    return null;
                }

            };
            // null host, port -1 and null realm: match every authentication scope
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null), jaasCredentials);

            // Plain http: the SPNEGO token is Kerberos-protected, the rest of the
            // exchange is not. Anything beyond a test host should use https.
            HttpGet httpget = new HttpGet("http://kerberoshost/");
            HttpResponse response = httpclient.execute(httpget);
            HttpEntity entity = response.getEntity();

            System.out.println(SEPARATOR);
            System.out.println(response.getStatusLine());
            System.out.println(SEPARATOR);
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println(SEPARATOR);

            // Fully consuming the entity hands the connection back to the manager
            EntityUtils.consume(entity);
        } finally {
            // Once the client is no longer needed, shut the connection manager down
            // so that every system resource it holds is released immediately
            httpclient.getConnectionManager().shutdown();
        }
    }

}