Class KerberosCredentialValidator

All Implemented Interfaces:
CredentialValidator, PrincipalSupportingComponent, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

@ThreadSafeAfterInit
public class KerberosCredentialValidator
extends AbstractUsernamePasswordCredentialValidator
A password validator that authenticates against Kerberos natively, with optional service ticket verification.
Since:
4.0.0
  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • loginModuleClassName

      @NonnullAfterInit @NotEmpty private String loginModuleClassName
      Class name of JAAS LoginModule to acquire Kerberos credentials.
    • refreshKrb5Config

      private boolean refreshKrb5Config
      Refresh the Kerberos config before running?
    • preserveTicket

      private boolean preserveTicket
      Save the TGT in the resulting Subject?
    • servicePrincipal

      private String servicePrincipal
      Service principal to acquire a ticket for, in order to verify the KDC.
    • keytabPath

      private String keytabPath
      Path to keytab for service principal.
    • clientOptions

      @NonnullAfterInit private Map<String,String> clientOptions
      JAAS options for client login.
    • serverOptions

      @NonnullAfterInit private Map<String,String> serverOptions
      JAAS options for server login.
  • Constructor Details

    • KerberosCredentialValidator

      public KerberosCredentialValidator()
      Constructor.
  • Method Details

    • setLoginModuleClassName

      public void setLoginModuleClassName(@Nonnull String name)
      Set the name of the JAAS LoginModule to use to acquire Kerberos credentials.
      Parameters:
      name - name of login module class
    • setRefreshKrb5Config

      public void setRefreshKrb5Config(boolean flag)
      Set whether to refresh the Kerberos configuration before running.
      Parameters:
      flag - flag to set
    • setPreserveTicket

      public void setPreserveTicket(boolean flag)
      Set whether to save the TGT in the Subject.
      Parameters:
      flag - flag to set
    • setServicePrincipal

      public void setServicePrincipal(@Nullable String name)
      Set the name of a service principal to use to verify the KDC.

      If non-null, a keytab resource must also be set.

      Parameters:
      name - name of service principal
    • setKeytabPath

      public void setKeytabPath(@Nullable String path)
      Provides a keytab for the service principal to use to verify the KDC.
      Parameters:
      path - path to file containing a keytab
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractIdentifiedInitializableComponent
      Throws:
      ComponentInitializationException
    • doValidate

      protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull UsernamePasswordContext usernamePasswordContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception
      Override method for subclasses to use to perform the actual validation.

      Any configured transforms will have been applied to populate the context with a transformed username prior to this method call.

      Specified by:
      doValidate in class AbstractUsernamePasswordCredentialValidator
      Parameters:
      profileRequestContext - profile request context
      authenticationContext - authentication context
      usernamePasswordContext - the username/password to validate
      warningHandler - optional warning handler interface
      errorHandler - optional error handler interface
      Returns:
      the validated result, or null if inapplicable
      Throws:
      Exception - if an error occurs
    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject, @Nonnull UsernamePasswordContext usernamePasswordContext)
      Decorate the subject with "standard" content from the validation and clean up as instructed.
      Overrides:
      populateSubject in class AbstractUsernamePasswordCredentialValidator
      Parameters:
      subject - the subject being returned
      usernamePasswordContext - the username/password validated
      Returns:
      the decorated subject
    • verifyKDC

      private void verifyKDC(@Nonnull Subject subject) throws Exception
      Use credentials to acquire and verify a service ticket.
      Parameters:
      subject - client identity
      Throws:
      Exception - if an error occurs
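      The two steps this validator performs (a JAAS password login, then the optional service-ticket check behind servicePrincipal/keytabPath), as an added Java illustration that is not Shibboleth's own code: a password login alone only proves that whoever answered the AS exchange knew the password-derived key, so the second step asks the KDC for a ticket to our own service and decrypts it with the keytab key the validator holds. The class name KdcVerifyingPasswordCheck and the "client"/"server" JAAS entry names are hypothetical; the Krb5LoginModule option names are those of the OpenJDK/Oracle module, and the service principal and keytab path are supplied by the caller.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import org.ietf.jgss.*;
public final class KdcVerifyingPasswordCheck {  // hypothetical class, not the validator itself
    /** JAAS config: "client" entry for the password login, "server" entry for the keytab login. */
    static Configuration jaasConfig(String servicePrincipal, String keytabPath) {
        Map<String, String> client = Map.of("refreshKrb5Config", "true");
        Map<String, String> server = Map.of("useKeyTab", "true", "keyTab", keytabPath, "principal",
                servicePrincipal, "storeKey", "true", "isInitiator", "false", "doNotPrompt", "true");
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED,
                        "client".equals(name) ? client : server) };
            }
        };
    }
    /** Step 1: AS exchange with the user's password. On its own, any host answering as the KDC passes this. */
    static Subject loginUser(Configuration cfg, String user, char[] password) throws Exception {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("client", null, handler, cfg);
        lc.login();
        return lc.getSubject();  // carries the TGT as a private credential
    }
    /** Step 2: use the TGT to obtain a ticket for our own service, then decrypt it with the keytab key. */
    static void verifyKdc(Configuration cfg, Subject user, String servicePrincipal) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        byte[] apReq = Subject.doAs(user, (PrivilegedExceptionAction<byte[]>) () -> {
            // 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID
            GSSContext ctx = mgr.createContext(mgr.createName(servicePrincipal, null),
                    new Oid("1.2.840.113554.1.2.2"), null, GSSContext.DEFAULT_LIFETIME);
            try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
        LoginContext lc = new LoginContext("server", null, null, cfg);
        lc.login();  // keytab only: no KDC round trip, so nothing here can be answered by an impostor
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSContext ctx = mgr.createContext((GSSCredential) null);
            try { ctx.acceptSecContext(apReq, 0, apReq.length); } finally { ctx.dispose(); }
            return null;  // no GSSException: the ticket was sealed with the real service key
        });
    }
}
```

      In this illustration the check is unconditional; the validator itself only performs it when a service principal (and therefore a keytab) has been configured, so leaving servicePrincipal unset means the password login is trusted on its own.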