Fork me on GitHub

Kerberos (v5.7)

pac4j allows you to login using the Keberos authentication mechanism (also known as SPNEGO or Microsoft HTTP Negotiate).

The Kerberos clients require to define an Authenticator to handle the credentials validation. Most likely all you need is to use the existing KerberosAuthenticator with a SunJaasKerberosTicketValidator which will do all the heavy-lifting of the Kerberos ticket validation.

1) Dependency

You need to use the following module: pac4j-kerberos.

Example (Maven dependency):

<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-kerberos</artifactId>
    <version>${pac4j.version}</version>
</dependency>

2) Clients

You can use the following clients:

Behaviour wanted Client
Web Browser (Firefox/Safari/IE)
after ticket validation, it stores the user profile in the session
IndirectKerberosClient
(upon failure it sends a HTTP 401 with a WWW-Authenticate: Negotiate header asking the browser to provide the Kerberos/SPNEGO credentials)
Stateless Web service DirectKerberosClient
credentials can be provided upfront as a request’s HTTP header:
Authentication: Negotiate SomeBase64EncKerberosTicket
(if not provided, the default strategy with send a HTTP 401 with a WWW-Authenticate: Negotiate header asking the remote to provide the Kerberos/SPNEGO credentials)

Example:

import org.pac4j.kerberos.client.direct.DirectKerberosClient;
import org.pac4j.kerberos.client.indirect.IndirectKerberosClient;
import org.pac4j.kerberos.credentials.KerberosCredentials;
import org.pac4j.kerberos.credentials.authenticator.KerberosAuthenticator;
import org.pac4j.kerberos.credentials.authenticator.SunJaasKerberosTicketValidator;
import org.pac4j.kerberos.profile.KerberosProfile;
import org.springframework.core.io.FileSystemResource;

SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
// HTTP/fully-qualified-domain-name@DOMAIN
validator.setServicePrincipal("HTTP/[email protected]");
// the keytab file must contain the keys for the service principal, and should be protected
validator.setKeyTabLocation(new FileSystemResource("/private/security/http-keytab"));
// validator.setDebug(true);

IndirectKerberosClient client = new IndirectKerberosClient(new KerberosAuthenticator(validator));
client.setCallbackUrl("/force-kerberos-login"); // required only for indirect client

3) Common caveats with Kerberos (in JVM)

Some common problems/caveats: