Class KerberosServiceAuthenticationProvider

java.lang.Object
org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, AuthenticationProvider

public class KerberosServiceAuthenticationProvider extends Object implements AuthenticationProvider, org.springframework.beans.factory.InitializingBean

Authentication Provider which validates Kerberos Service Tickets or SPNEGO Tokens (which includes Kerberos Service Tickets).

It needs a KerberosTicketValidator, which contains the code to validate the ticket, as this code differs between the Sun and IBM JREs.
It also needs a UserDetailsService to load the user properties and the GrantedAuthorities, as we only get back the username from Kerberos.

You can see an example configuration in SpnegoAuthenticationProcessingFilter.
Since:
1.0
  • Constructor Details

    • KerberosServiceAuthenticationProvider

      public KerberosServiceAuthenticationProvider()
  • Method Details

    • authenticate

      public Authentication authenticate(Authentication authentication) throws AuthenticationException
      Description copied from interface: AuthenticationProvider
      Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
      Specified by:
      authenticate in interface AuthenticationProvider
      Parameters:
      authentication - the authentication request object.
      Returns:
      a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried.
      Throws:
      AuthenticationException - if authentication fails.
    • supports

      public boolean supports(Class<? extends Object> auth)
      Description copied from interface: AuthenticationProvider
      Returns true if this AuthenticationProvider supports the indicated Authentication object.

      Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented Authentication object. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

      Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.

      Specified by:
      supports in interface AuthenticationProvider
      Returns:
      true if the implementation can more closely evaluate the Authentication class presented
    • afterPropertiesSet

      public void afterPropertiesSet() throws Exception
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Throws:
      Exception
    • setUserDetailsService

      public void setUserDetailsService(UserDetailsService userDetailsService)
      The UserDetailsService to use, for loading the user properties and the GrantedAuthorities.
      Parameters:
      userDetailsService - the new user details service
    • setTicketValidator

      public void setTicketValidator(KerberosTicketValidator ticketValidator)
      The KerberosTicketValidator to use, for validating the Kerberos/SPNEGO tickets.
      Parameters:
      ticketValidator - the new ticket validator
    • additionalAuthenticationChecks

      protected void additionalAuthenticationChecks(UserDetails userDetails, KerberosServiceRequestToken authentication) throws AuthenticationException
      Allows subclasses to perform any additional checks of a returned UserDetails for a given authentication request.
      Parameters:
      userDetails - as retrieved from the UserDetailsService
      authentication - validated KerberosServiceRequestToken
      Throws:
      AuthenticationException - if the credentials could not be validated (generally a BadCredentialsException or an AuthenticationServiceException)
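
Added example, not taken from the project's own documentation: one way to wire the provider with setTicketValidator and setUserDetailsService, and to use additionalAuthenticationChecks so that a valid ticket for a user with no granted authorities is rejected. The class names KerberosProviderConfig and StrictKerberosProvider, the service principal and the keytab path are placeholders, and a UserDetailsService bean is assumed to be defined elsewhere.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;

@Configuration
public class KerberosProviderConfig {

    // Hypothetical subclass: the ticket only proves identity, so fail closed
    // when the UserDetailsService returns a user without any authorities.
    static class StrictKerberosProvider extends KerberosServiceAuthenticationProvider {
        @Override
        protected void additionalAuthenticationChecks(UserDetails userDetails,
                KerberosServiceRequestToken authentication) throws AuthenticationException {
            if (userDetails.getAuthorities() == null || userDetails.getAuthorities().isEmpty()) {
                throw new BadCredentialsException(
                        "No authorities granted for " + userDetails.getUsername());
            }
        }
    }

    @Bean
    public SunJaasKerberosTicketValidator ticketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        // Placeholder SPN and keytab path; the keytab should be readable only by the service account.
        validator.setServicePrincipal("HTTP/app.example.com@EXAMPLE.COM");
        validator.setKeyTabLocation(new FileSystemResource("/etc/app/http.keytab"));
        return validator; // Spring invokes afterPropertiesSet() on the returned bean
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosProvider(
            SunJaasKerberosTicketValidator ticketValidator,
            UserDetailsService userDetailsService) { // assumed to be defined elsewhere
        StrictKerberosProvider provider = new StrictKerberosProvider();
        provider.setTicketValidator(ticketValidator);       // validates the Kerberos/SPNEGO token
        provider.setUserDetailsService(userDetailsService); // supplies the GrantedAuthorities
        return provider;
    }
}
```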