7. Security Server Spnego and Form Auth Sample

This sample demonstrates how a server can be configured to accept Spnego-based negotiation from a browser while still being able to fall back to form-based authentication.

Using the user1 principal (see Section C.1, “Setup MIT Kerberos”), do a Kerberos login manually using credentials.

$ kinit user1
Password for [email protected]:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:18:45  11/03/15 03:18:45  krbtgt/[email protected]
  renew until 11/03/15 17:18:40

or using a keytab file.

$ kinit -kt user2.keytab user1

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:25:03  11/03/15 03:25:03  krbtgt/[email protected]
  renew until 11/03/15 17:25:03

Run a server.

$ java -jar sec-server-spnego-form-auth-1.0.0.RC1.jar

Now you should be able to open your browser and let it do Spnego authentication with the existing ticket.


See Appendix E, “Configure Browsers for Spnego Negotiation”, for more instructions on configuring browsers to use Spnego.

    port: 8080
    service-principal: HTTP/[email protected]
    keytab-location: /tmp/tomcat.keytab
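
To check which path a browser actually took in the negotiation described above, the following added example (not part of the sample project) classifies the `Authorization` header value the browser sent, as copied from the browser's network inspector or a server access log. The function names are hypothetical, and the final mechanism check is a heuristic rather than a full SPNEGO parser.

```python
import base64

# OID values (DER content bytes) for the two GSS-API mechanisms of interest.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"


def _read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element at pos; IndexError if truncated."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length]


def classify_authorization(header):
    """Classify the Authorization header sent in reply to a Negotiate challenge."""
    if not header:
        return "none"  # browser sent no token, so the form login is what remains
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        if raw.startswith(NTLM_MAGIC):
            return "ntlm"  # raw NTLM: no Kerberos ticket was used
        tag, body = _read_tlv(raw)
        oid_tag, mech = _read_tlv(body)
    except (ValueError, IndexError):
        return "malformed"
    if tag != 0x60 or oid_tag != 0x06:  # GSS-API initial token: [APPLICATION 0] + OID
        return "unknown"
    if mech == KRB5_OID:
        return "kerberos"  # Kerberos token without the SPNEGO wrapper
    if mech != SPNEGO_OID:
        return "unknown"
    if NTLM_MAGIC in body:
        return "spnego-ntlm"  # SPNEGO wrapper carrying NTLM
    # Heuristic: the Kerberos OID appears in the offered mechanism list.
    return "spnego-kerberos" if b"\x06\x09" + KRB5_OID in body else "spnego-other"


if __name__ == "__main__":
    # Constructed sample: the start of an NTLM message, not a captured header.
    sample = "Negotiate " + base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00").decode()
    print(classify_authorization(sample))
```

A result of `none` or `ntlm` for a user who holds a ticket means the browser did not use the Kerberos ticket from the cache.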