Alfredo, Java HTTP SPNEGO 0.1.0

Alfredo is a Java library consisting of a client and a server components to enable Kerberos SPNEGO authentication for HTTP.

Alfredo also supports additional authentication mechanisms on the client and the server side via 2 simple interfaces.

License

Alfredo is distributed under Apache License 2.0.

How Does Alfredo Works?

Alfredo forces authentication on protected resources, once authentiation has been established it sets a signed HTTP Cookie that contains an authentication token with the user name, user principal, authentication type and expiration time.

Subsequent HTTP client requests presenting the signed HTTP Cookie have access to the protected resources until the authentication token expires.

User Documentation

Accessing a Alfredo protected URL Using curl

IMPORTANT: The curl version must support GSS, run curl -V.

$ curl -V
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz

Login to the KDC using kinit and then use curl to fetch protected URL:

$ kinit
Please enter the password for tucu@LOCALHOST:
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/alfredo-examples/kerberos/who
Enter host password for user 'tucu':

Hello Alfredo!
  • The --negotiate option enables SPNEGO in curl.
  • The -u foo option is required but the user ignored (the principal that has been kinit-ed is used).
  • The -b and -c are use to store and send HTTP Cookies.

Using the Java Client

Use the AuthenticatedURL class to obtain an authenticated HTTP connection:

...
URL url = new URL("http://localhost:8080/alfredo/kerberos/who");
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
...
HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
...
conn = new AuthenticatedURL(url, token).openConnection();
...

Building and Running the Examples

Download Alfredo's source code, the examples are in a Maven project in the examples directory.

Server Example:

Edit the examples/src/main/webapp/WEB-INF/web.xml and set the right configuration init parameters for the AuthenticationFilter definition configured for Kerberos (the right Kerberos principal and keytab file must be specified). Refer to the Configuration document for details.

Create the web application WAR file by running the mvn package command.

Deploy the WAR file in a servlet container. For example, if using Tomcat, copy the WAR file to Tomcat's webapps/ directory.

Start the servlet container.

Accessing the server using curl:

Try accessing protected resources using curl. The protected resources are:

$ kinit
Please enter the password for tucu@LOCALHOST:

$ curl http://localhost:8080/alfredo-examples/annonymous/who

$ curl http://localhost:8080/alfredo-examples/simple/who?user.name=foo

$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/alfredo-examples/kerberos/who

Accessing the server using the Java client example:

$ kinit
Please enter the password for tucu@LOCALHOST:

$ cd examples

$ mvn exec:java -Durl=http://localhost:8080/alfredo-examples/kerberos/who

....

Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
Status code: 200 OK

You are: user[tucu] principal[tucu@LOCALHOST]

....

Developer Documentation, Building Alfredo

Requirements:

  • Java 6+
  • Maven 3+

Source location:

Building and testing:

Use Maven goals: clean, test, compile, package, site, install

Testing Configuration:

The following -D options can be used with Maven to change test configuration options:

  • alfredo.test.kerberos.realm: default value LOCALHOST
  • alfredo.test.kerberos.client.principal: default value client@LOCALHOST
  • alfredo.test.kerberos.server.principal: default value HTTP/localhost@LOCALHOST
  • alfredo.test.kerberos.keytab.file: default value $HOME/$USER.keytab