Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
github
/
spring-security
spogulis no https://github.com/spring-projects/spring-security
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: f5fb127c8c
Atzari Tagi
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
authentication
/
kerberos
/
ssk.adoc

ssk.adoc 2.5 KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. [[springsecuritykerberos]]
    2. 

  2. = Spring and Spring Security Kerberos
    3. 

  3. :figures: servlet/authentication/kerberos
    4. 

  4. 

  5. This part of the reference documentation explains the core functionality
    6. 

  6. that Spring Security Kerberos provides to any Spring based application.
    7. 

  7. 

  8. <<ssk-authprovider>> describes the authentication provider support.
    9. 

  9. 

  10. <<ssk-spnego>> describes the spnego negotiate support.
    11. 

  11. 

  12. <<ssk-resttemplate>> describes the RestTemplate support.
    13. 

  13. 

  14. 

  15. [[ssk-authprovider]]
    16. 

  16. == Authentication Provider
    17. 

  17. 

  18. Provider configuration using JavaConfig.
    19. 

  19. 

  20. [source,java,indent=0]
    21. 

  21. ----
    22. 

  22. include::example$kerberos/AuthProviderConfig.java[tags=snippetA]
    23. 

  23. ----
    24. 

  24. 

  25. [[ssk-spnego]]
    26. 

  26. == Spnego Negotiate
    27. 

  27. 

  28. Spnego configuration using JavaConfig.
    29. 

  29. 

  30. [source,java,indent=0]
    31. 

  31. ----
    32. 

  32. include::example$kerberos/SpnegoConfig.java[tags=snippetA]
    33. 

  33. ----
    34. 

  34. 

  35. [[ssk-resttemplate]]
    36. 

  36. == Using KerberosRestTemplate
    37. 

  37. 

  38. If there is a need to access Kerberos protected web resources
    39. 

  39. programmatically we have `KerberosRestTemplate` which extends
    40. 

  40. `RestTemplate` and does necessary login actions prior to delegating to
    41. 

  41. actual RestTemplate methods. You basically have few options to
    42. 

  42. configure this template.
    43. 

  43. 

  44. - Leave keyTabLocation and userPrincipal empty if you want to
    45. 

  45.   use cached ticket.
    46. 

  46. - Use keyTabLocation and userPrincipal if you want to use
    47. 

  47.   keytab file.
    48. 

  48. - Use loginOptions if you want to customise Krb5LoginModule options.
    49. 

  49. - Use a customised httpClient.
    50. 

  50. 

  51. With ticket cache.
    52. 

  52. [source,java,indent=0]
    53. 

  53. ----
    54. 

  54. include::example$kerberos/KerberosRestTemplateConfig.java[tags=snippetA]
    55. 

  55. ----
    56. 

  56. 

  57. With keytab file.
    58. 

  58. [source,java,indent=0]
    59. 

  59. ----
    60. 

  60. include::example$kerberos/KerberosRestTemplateConfig.java[tags=snippetB]
    61. 

  61. ----
    62. 

  62. 

  63. [[ssk-kerberosldap]]
    64. 

  64. == Authentication with LDAP Services
    65. 

  65. 

  66. With most of your samples we're using `DummyUserDetailsService`
    67. 

  67. because there is not necessarily need to query a real user details
    68. 

  68. once kerberos authentication is successful and we can use kerberos
    69. 

  69. principal info to create that dummy user. However there is a way to
    70. 

  70. access kerberized LDAP services in a say way and query user details
    71. 

  71. from there.
    72. 

  72. 

  73. `KerberosLdapContextSource` can be used to bind into LDAP via kerberos
    74. 

  74. which is at least proven to work well with Windows AD services.
    75. 

  75. 

  76. [source,java,indent=0]
    77. 

  77. ----
    78. 

  78. include::example$kerberos/KerberosLdapContextSourceConfig.java[tags=snippetA]
    79. 

  79. ----
    80. 

  80. 

  81. [TIP]
    82. 

  82. ====
    83. 

  83. Sample xref:servlet/authentication/kerberos/samples.adoc#samples-sec-server-win-auth[Security Server Windows Auth Sample]
    84. 

  84. is currently configured to query user details from AD if authentication happen via kerberos.
    85. 

  85. ====
    86.