I'm trying to make a GET request to an HTTP endpoint that's protected by Kerberos authentication. I'm able to successfully initialize a LoginContext using my keytab and I can see the KerberosTicket that is being generated and successfully assigned to my Subject, but for some reason my HTTP requests are still coming back with a 401 error. My suspicion is that the ticket itself isn't being attached to the HTTP request, but I'm not sure how to enable this properly.
For reference, here is the code I'm running. I'm using the Krb5LoginModule:
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.PrivilegedExceptionAction;
    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    String keyTab = "~/kerberos.keytab";
    String principal = "myself@WEBSITE.COM";
    Subject subject = null;
    try {
        // Programmatic JAAS configuration for Krb5LoginModule (no login.conf file).
        LoginContext context = new LoginContext("", new Subject(), null,
            new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    Map<String, String> options = new HashMap<String, String>();
                    options.put("useKeyTab", "true");
                    options.put("storeKey", "true");
                    options.put("doNotPrompt", "false");
                    options.put("useTicketCache", "true");
                    options.put("isInitiator", "true");
                    options.put("debug", "true");
                    options.put("keyTab", keyTab);
                    options.put("principal", principal);
                    return new AppConfigurationEntry[]{
                        new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                            options)};
                }
            });
        context.login(); // Completes successfully. No LoginException thrown.
        subject = context.getSubject();
    }
    catch (LoginException e)
    {
        e.printStackTrace();
        return null;
    }
    // Run the request as the authenticated Subject.
    String conn = Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            URL url = new URL("http://kerberosexample.com");
            HttpURLConnection con = (HttpURLConnection) url.openConnection();
            con.setRequestMethod("GET");
            if (con != null) {
                int status = con.getResponseCode(); // Returns as 401 Unauthenticated.
                // If status is 200, process response body and return as a String.
            }
            return null; // Reached when the status is not 200.
        }
    });
Any advice is greatly appreciated.
Pointing to a correct krb5.conf should do the work. Something like System.setProperty("java.security.krb5.conf", "krb5.conf");
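An added example, not part of the original question or answer: one way to check whether the ticket reaches the request is to build the SPNEGO token with the JDK's JGSS API inside Subject.doAs and send it explicitly in an Authorization: Negotiate header. The class and method names, the HTTP@host service name, and the assumption that java.security.krb5.conf was set before LoginContext.login() are illustrative assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper class; not code from the question or the answer.
public class SpnegoGet {
    // SPNEGO mechanism OID (RFC 4178).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Builds the Authorization header value for the service HTTP@<host>.
    // Must run inside Subject.doAs so JGSS can find the Subject's TGT.
    static String negotiateHeader(String host) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                service, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        try {
            // The first call requests a service ticket and wraps it in a SPNEGO token.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose(); // One-shot use: the server's reply token is not processed here.
        }
    }

    // subject: the Subject from LoginContext.getSubject() after a successful login.
    // Assumes java.security.krb5.conf was set before that login took place.
    static int get(Subject subject, String host) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            URL url = new URL("http://" + host + "/");
            HttpURLConnection con = (HttpURLConnection) url.openConnection();
            con.setRequestMethod("GET");
            // Attach the ticket explicitly instead of relying on automatic negotiation.
            con.setRequestProperty("Authorization", negotiateHeader(host));
            return con.getResponseCode();
        });
    }
}
```

If initSecContext throws a GSSException here, the failure is on the Kerberos side (realm or KDC lookup from krb5.conf, or the service principal) rather than in the HTTP layer.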