Industry standard library for working with Kerberos/SPNEGO authentication in Java in 2023+.
Main features:
- Getting group membership information from Kerberos token - no need to query LDAP
- Proper caching of tickets - make just one request to domain controller and cache the ticket on both client and server sides
- Flexible SPN resolution - you own the code and do not have to rely on magic SPN calculation algorithms
Version 0.2.x+ requires Java 17 or higher Version 0.1.x+ supports Java 7+
Kerb4J is available from Maven Central repo:
Client
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-client</artifactId>
<version>0.2.0</version>
</dependency>
Spring Security
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-server-spring-security</artifactId>
<version>0.2.0</version>
</dependency>
Tomcat
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-server-tomcat</artifactId>
<version>0.2.0</version>
</dependency>
Kerb4J provides efficient way to create Kerberos/SPNEGO HTTP Clients. Main two classes you'll need are SpnegoClient
and SpnegoContext
SpnegoClient
provides API for authenticating client in KDC (e.g. in Active Directory Domain Controller).SpnegoContext
is responsible for accessing downstream systems, creating and validating appropriate security HTTP headers.
SpnegoClient
supports authentication using name and password, keytab file or ticket cache.
Example usage:
SpnegoClient spnegoClient = SpnegoClient.loginWithKeyTab("svc_consumer", "/opt/myapp/consumer.keytab");
SpnegoContext
allows creating 'Authorization: Negotiate XXXXX' header and optionally validating WWW-Authenticate
response header for SPNEGO mutual authentication
Example usage:
URL url = new URL("http://api.provider.acme.com/api/operation1");
SpnegoContext context = spnegoClient.createContext("http://provider.acme.com"); // Will result in HTTP/provider.acme.com SPN
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("Authorization", context.createTokenAsAuthroizationHeader());
SPN resolution
Kerb4J allows you to specify SPN for the downstream system manually without doing any reverse DNS lookups,
canonicalizations, e.t.c. You can even use SPN HTTP/foo
for calling service bar
Caching tickets
Consider you want to make a million of HTTP requests to Kerberos-protected server. Kerb4J will allow you to make just two requests to the KDC (e.g. in Active Directory Domain Controller).
One SpnegoClient
is created, Kerb4J will make first request for TGT (authentication). TGT will be cached and renewed
only when tickets expired. Reuse the SpnegoClient
instance for all requests you want to make using the same
credentials.
When you create first SpnegoContext
instance for the given SPN, Kerb4J will make another request for a service ticket.
This service ticket will be reused when creating new SpnegoContext
instances from the same SpnegoClient
.
So the rule of thumb - reuse the same SpnegoClient
instance (it is threadsafe by the way), create new SpnegoContext
instance for each request.
Validating Kerberos/SPNEGO tickets on server side is even simpler than client side.
Use SpnegoClient
and authenticate in KDC (e.g. in Active Directory Domain Controller) using your server account.
Call spnegoClient.createAcceptContext()
method to create a SpnegoContext
instance responsible for authenticating
your client. Pass decoded SPNEGO token (Base64 decoded value of token in 'Authorization: Negotiate' header)
to spnegoContext.acceptToken
method to validate it.
If you only plan to validate client tokens on your server and do not use credentials delegation or reusing the same SpnegoClient
for accessing other servers, you can create "offline" SpengoClient
by passing acceptOnly = true
parameter to SpengoClient.loginWithKeyTab
factory method.
Please note that it works with keytab
secrets only.
Kerb4J comes with an Authenticator for Apache Tomcat (kerb4j-server-tomcat artifact) as well as authentication provider for Spring Security (See kerb4j-server-spring-security)
Extracting groups from Kerberos ticket generated by Active Directory
Spnego allows you to extract user groups from SPNEGO token (one sent from client to server) without making any additional requests to Active Directory.
String negotiateHeaderValue = request.getHeader("Authorization").substring(10);
byte[] decoded = Base64.decodeBase64(negotiateHeaderValue);
SpnegoInitToken spnegoInitToken = new SpnegoInitToken(decoded);
SpnegoKerberosMechToken spnegoKerberosMechToken = spnegoInitToken.getSpnegoKerberosMechToken();
Pac pac = spnegoKerberosMechToken.getPac(spnegoClient.getKerberosKeys());
PacLogonInfo logonInfo = pac.getLogonInfo();
List<String> roles = Stream.of(logonInfo.getGroupSids()).map(PacSid::toHumanReadableString).collect(Collectors.toList());
This functionality is specific to Microsoft Active Directory and supported both by Kerb4J Tomcat and Spring Security integrations.