GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Spring Security
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19744 Commits
46 Branches
369 Tags
121 MiB
 
 
 
 
Branch: finalize
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'finalize'
${ noResults }
spring-security/docs/modules/ROOT/pages/servlet/authentication/kerberos/ssk.adoc

85 lines
2.5 KiB
Raw Permalink Blame History

[[springsecuritykerberos]]
= Spring and Spring Security Kerberos
:figures: servlet/authentication/kerberos
This part of the reference documentation explains the core functionality
that Spring Security Kerberos provides to any Spring based application.
<<ssk-authprovider>> describes the authentication provider support.
<<ssk-spnego>> describes the spnego negotiate support.
<<ssk-resttemplate>> describes the RestTemplate support.
[[ssk-authprovider]]
== Authentication Provider
Provider configuration using JavaConfig.
[source,java,indent=0]
----
include::example$kerberos/AuthProviderConfig.java[tags=snippetA]
----
[[ssk-spnego]]
== Spnego Negotiate
Spnego configuration using JavaConfig.
[source,java,indent=0]
----
include::example$kerberos/SpnegoConfig.java[tags=snippetA]
----
[[ssk-resttemplate]]
== Using KerberosRestTemplate
If there is a need to access Kerberos protected web resources
programmatically we have `KerberosRestTemplate` which extends
`RestTemplate` and does necessary login actions prior to delegating to
actual RestTemplate methods. You basically have few options to
configure this template.
- Leave keyTabLocation and userPrincipal empty if you want to
use cached ticket.
- Use keyTabLocation and userPrincipal if you want to use
keytab file.
- Use loginOptions if you want to customise Krb5LoginModule options.
- Use a customised httpClient.
With ticket cache.
[source,java,indent=0]
----
include::example$kerberos/KerberosRestTemplateConfig.java[tags=snippetA]
----
With keytab file.
[source,java,indent=0]
----
include::example$kerberos/KerberosRestTemplateConfig.java[tags=snippetB]
----
[[ssk-kerberosldap]]
== Authentication with LDAP Services
With most of your samples we're using `DummyUserDetailsService`
because there is not necessarily need to query a real user details
once kerberos authentication is successful and we can use kerberos
principal info to create that dummy user. However there is a way to
access kerberized LDAP services in a say way and query user details
from there.
`KerberosLdapContextSource` can be used to bind into LDAP via kerberos
which is at least proven to work well with Windows AD services.
[source,java,indent=0]
----
include::example$kerberos/KerberosLdapContextSourceConfig.java[tags=snippetA]
----
[TIP]
====
Sample xref:servlet/authentication/kerberos/samples.adoc#samples-sec-server-win-auth[Security Server Windows Auth Sample]
is currently configured to query user details from AD if authentication happen via kerberos.
====