/*
* ====================================================================
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*
Information
*For the best compatibility use Java >= 1.6 as it supports SPNEGO authentication more completely.
*NegotiateSchemeFactory
*Has three custom methods
*setStripPort(boolean) - default is false; if true, strips the port off the Kerberos service name before the ticket is requested. Found useful with JbossNegotiation. Java >= 1.5
* *Below are for Java 1.5.
* *setSpnegoCreate(boolean) - defaults to false; if true, tries to create an SPNEGO token by wrapping the Kerberos token with the generator set via setSpengoGenerator. TODO - merge the logic so that setSpengoGenerator alone is enough
* *setSpengoGenerator(new SpnegoTokenGenerator()) - default is null; the class used to wrap the Kerberos token in an SPNEGO token. An example is in contrib - org.apache.http.contrib.auth.BouncySpnegoTokenGenerator. Requires the Bouncy Castle libraries.
* *Additional Config Files
*Two files control how Java uses/configures Kerberos. Very basic examples are below; there is a large amount of information on the web.
*krb5.conf
**
* [libdefaults]
*   default_realm = AD.EXAMPLE.NET
*   udp_preference_limit = 1
*
* [realms]
*   AD.EXAMPLE.NET = {
*     kdc = AD.EXAMPLE.NET
*   }
*   DEV.EXAMPLE.NET = {
*     kdc = DEV.EXAMPLE.NET
*   }
*
* [domain_realm]
*   .ad.example.net = AD.EXAMPLE.NET
*   ad.example.net = AD.EXAMPLE.NET
*   .dev.example.net = DEV.EXAMPLE.NET
*   dev.example.net = DEV.EXAMPLE.NET
*   gb.dev.example.net = DEV.EXAMPLE.NET
*   .gb.dev.example.net = DEV.EXAMPLE.NET
*
* (The section is named [domain_realm], not [domain_realms]; a misspelled section name is ignored and the hostname-to-realm mappings will not be applied.)
** login.conf *
*com.sun.security.jgss.login {
*  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
*com.sun.security.jgss.initiate {
*  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
*com.sun.security.jgss.accept {
*  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
*};
*
* debug=true makes Krb5LoginModule print principal and ticket details to stderr; leave it off outside of troubleshooting.
**
Windows specific configuration
** The registry key allowtgtsessionkey should be added, and set correctly, to allow the session key of the Kerberos Ticket-Granting Ticket to be exported from the Windows LSA credential cache so that Java can reuse the OS-managed TGT. This exposes the TGT session key to applications running in that logon session, so enable it only on hosts that need it. *
** On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting: *
** HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters * Value Name: allowtgtsessionkey * Value Type: REG_DWORD * Value: 0x01 **
* Here is the location of the registry setting on Windows XP SP2: *
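* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
* Value Name: allowtgtsessionkey
* Value Type: REG_DWORD
* Value: 0x01
*
* @since 4.1
*/
public class ClientKerberosAuthentication {

    /**
     * Entry point: performs a single SPNEGO/Kerberos-authenticated GET against
     * {@code http://kerberoshost/} using the credentials already held by JAAS
     * (ticket cache configured through {@code login.conf} / {@code krb5.conf}
     * in the working directory) and prints the status line and response body.
     *
     * @param args ignored
     * @throws Exception any failure from JAAS/GSS-API or the HTTP exchange;
     *                   the connection manager is shut down in every case
     */
    public static void main(String[] args) throws Exception {
        // JAAS and Kerberos configuration are resolved relative to the working directory.
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        // Verbose Kerberos tracing to stderr. Handy while setting things up, but it
        // prints principal names, ticket details and KDC traffic -- keep it off in production.
        System.setProperty("sun.security.krb5.debug", "true");
        // Let GSS-API obtain credentials through the login.conf entries (ticket cache)
        // instead of requiring an explicit Subject.doAs() around the request.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            /*
             * NegotiateSchemeFactory creates the NegotiateScheme instance used for each request.
             * With Java 5/6 and IIS7 the defaults are sufficient.
             * JbossNegotiate: use setStripPort(true), or add service names with ports to the Kerberos DB.
             * JbossNegotiate needs Java 6 or a SpengoGenerator.
             */
            NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
            // nsf.setStripPort(false);
            // nsf.setSpnegoCreate(true);
            // nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

            // Placeholder credentials: SPNEGO takes the identity from the JAAS login,
            // so principal and password are deliberately null.
            Credentials use_jaas_creds = new Credentials() {
                public String getPassword() {
                    return null;
                }

                public Principal getUserPrincipal() {
                    return null;
                }
            };
            // AuthScope(null, -1, null) matches every host, port and realm, so this client
            // will answer a Negotiate challenge from any server it talks to. Outside a demo,
            // scope it to the intended host (e.g. new AuthScope("kerberoshost", -1, null))
            // so a Kerberos service ticket is never presented to an unexpected endpoint.
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null), use_jaas_creds);

            // Plain HTTP: the SPNEGO exchange itself is Kerberos-protected, but the
            // response body and any cookies travel in the clear. Prefer https:// for real use.
            HttpUriRequest request = new HttpGet("http://kerberoshost/");
            HttpResponse response = httpclient.execute(request);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            System.out.println("----------------------------------------");
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println("----------------------------------------");

            // This ensures the connection gets released back to the manager
            if (entity != null) {
                entity.consumeContent();
            }
        } finally {
            // When the HttpClient instance is no longer needed, shut down the connection
            // manager to ensure immediate deallocation of all system resources -- including
            // when execute() or the JAAS login throws, which would otherwise leak the pool.
            httpclient.getConnectionManager().shutdown();
        }
    }

}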