Delegate/forward Kerberos tickets with Spring Security

Question

I'm trying to find information whether the Spring Security implementation of Kerberos handles delegation/forwarding of ticket granting tickets so that my app server can call other Kerberos services reusing the principals TGT? Any documentation on this would be highly appreciated. Cheers!

Answer 1

This is possible since the release of Spring Security Kerberos 1.0.0.

The SunJaasKerberosTicketValidator can be configured to store the authentication context:

ticketValidator.setHoldOnToGSSContext(true);

Here's some code to get you started:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

if (authentication instanceof KerberosServiceRequestToken) {
    KerberosServiceRequestToken token = (KerberosServiceRequestToken) authentication;

    if (token.getTicketValidation() == null) {
        // No delegation possible...
    } else {
        GSSContext context = token.getTicketValidation().getGssContext();

        // ...
    }
}

Answer 2

Spring security does not implement any Kerberos functionality. If you are referring to the kerberos extension then the answer is no. It only does authentication and it's just a wrapper around the Java JAAS API Krb5LoginModule .

Answer 3

As Koraktor mentioned, SunJaasKerberosTicketValidator class has the details which are equivalent to the JAAS config file. However, SunJaasKerberosTicketValidator has isInitiator flag set to false. This causes context.getCredDeleg() to return false, and you can not delegate the credentials. I have done a POC where my observation is the delegation/forward works only if isInitiator is set to true.

I solved this issue by writing my own TicketValidator , everything from SunJaasKerberosTicketValidator kept as it is, except, changed the entry of isInitiator flag to options.put("isInitiator", "true");