Alfredo is a Java library consisting of client and server components that enable Kerberos SPNEGO authentication for HTTP.
Alfredo also supports additional authentication mechanisms on the client and the server side via 2 simple interfaces.
Alfredo is distributed under Apache License 2.0.
Alfredo forces authentication on protected resources. Once authentication has been established, it sets a signed HTTP Cookie that contains an authentication token with the user name, user principal, authentication type and expiration time.
Subsequent HTTP client requests presenting the signed HTTP Cookie have access to the protected resources until the authentication token expires.
IMPORTANT: The curl version must support GSS; run curl -V to check.
    $ curl -V
    curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
    Protocols: tftp ftp telnet dict ldap http file https ftps
    Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
Log in to the KDC using kinit and then use curl to fetch a protected URL:
    $ kinit
    Please enter the password for tucu@LOCALHOST:
    $ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/alfredo-examples/kerberos/who
    Enter host password for user 'tucu':
    Hello Alfredo!
Use the AuthenticatedURL class to obtain an authenticated HTTP connection:
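    ...
    URL url = new URL("http://localhost:8080/alfredo/kerberos/who");
    AuthenticatedURL.Token token = new AuthenticatedURL.Token();
    ...
    // First connection: authenticates and stores the resulting token in 'token'.
    HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
    ...
    // Follow-up connection: reuses the token obtained by the previous connection.
    conn = new AuthenticatedURL(url, token).openConnection();
    ...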
Download Alfredo's source code; the examples are in a Maven project in the examples directory.
Server Example:
Edit the examples/src/main/webapp/WEB-INF/web.xml and set the right configuration init parameters for the AuthenticationFilter definition configured for Kerberos (the right Kerberos principal and keytab file must be specified). Refer to the Configuration document for details.
Create the web application WAR file by running the mvn package command.
Deploy the WAR file in a servlet container. For example, if using Tomcat, copy the WAR file to Tomcat's webapps/ directory.
Start the servlet container.
Accessing the server using curl:
Try accessing protected resources using curl. The protected resources are:
    $ kinit
    Please enter the password for tucu@LOCALHOST:
    $ curl http://localhost:8080/alfredo-examples/annonymous/who
    $ curl http://localhost:8080/alfredo-examples/simple/who?user.name=foo
    $ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/alfredo-examples/kerberos/who
Accessing the server using the Java client example:
    $ kinit
    Please enter the password for tucu@LOCALHOST:
    $ cd examples
    $ mvn exec:java -Durl=http://localhost:8080/alfredo-examples/kerberos/who
    ....
    Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
    Status code: 200 OK
    You are: user[tucu] principal[tucu@LOCALHOST]
    ....
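The token value printed above carries the user name (u), principal (p), authentication type (t), expiration (e) and signature (s). The following is an added example, not Alfredo's own code, of how a server can check a token of that layout before trusting it: verify the signature in constant time, then reject malformed or expired tokens. Assumptions: HMAC-SHA256 as the signature (this page does not state Alfredo's signing algorithm), "e" as epoch milliseconds, and a hypothetical class name with a constructed secret and clock values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenCheck { // hypothetical class, not part of Alfredo
    // Assumption: HMAC-SHA256 over the text before ",s="; Alfredo's real signer may differ.
    static String sign(String payload, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }
    // Returns the token fields; throws if the token is unsigned, altered, malformed or expired.
    static Map<String, String> verify(String token, byte[] secret, long nowMillis) throws Exception {
        int idx = token.lastIndexOf(",s=");
        if (idx < 0) throw new SecurityException("unsigned token");
        String payload = token.substring(0, idx);
        byte[] presented = token.substring(idx + 3).getBytes(StandardCharsets.UTF_8);
        byte[] expected = sign(payload, secret).getBytes(StandardCharsets.UTF_8);
        // Verify the signature first, in constant time, before parsing any field.
        if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature");
        Map<String, String> fields = new LinkedHashMap<>();
        for (String kv : payload.split(",")) {
            int eq = kv.indexOf('=');
            // Reject fields without a key and duplicate keys rather than guessing which one wins.
            if (eq < 1 || fields.put(kv.substring(0, eq), kv.substring(eq + 1)) != null)
                throw new SecurityException("malformed token");
        }
        for (String k : new String[] {"u", "p", "t", "e"})
            if (!fields.containsKey(k)) throw new SecurityException("missing field " + k);
        // Assumption: "e" is the expiration time in epoch milliseconds.
        if (Long.parseLong(fields.get("e")) <= nowMillis) throw new SecurityException("expired token");
        return fields;
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed
        String payload = "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146";
        String token = payload + ",s=" + sign(payload, secret);
        long now = 1295300000000L; // constructed clock, before the sample expiry
        System.out.println(verify(token, secret, now));
        try { verify(token.replace("u=tucu", "u=root"), secret, now); } // altered user name
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
        try { verify(token, secret, 1295305313147L); } // clock just past "e"
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Because the fields are comma-separated, whatever issues the token must not allow "," or "=" inside the user name or principal, or the signed text becomes ambiguous.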
Requirements:
Source location:
Building and testing:
Use Maven goals: clean, test, compile, package, site, install
Testing Configuration:
The following -D options can be used with Maven to change test configuration options: