Version 4

    In this "how to" guide I will go over the steps I took to make Kerberos authentication work with a Simple REST based webapp. My setup includes two laptop machines running Fedora OS. They both are connected to my wireless router under same subnet. Note that most of the time you do not need to do configure KDC server at all, your enterprise already may be configured with it, you need to ask your operation guys on how to get the keytabs or how to use SSO without keytabs.


    For simplicity sake, I edited "/etc/hosts" file added following lines



    Most of you already may have your enterprise Kerberos system installed and configured to go, however in for my testing I had to install Kerberos server. I took instructions from here. On my "" machine, with root permissions


    yum -y install krb5-libs krb5-server krb5-workstation


    Once the installation is complete, I needed to create database for the Kerberos credentials, typically enterprises may attach to LDAP etc, for my test case that is not important, so a simple local store is sufficient. To achieve that execute


    kdb5_util create -s


    Typically when the time difference between machine is off, Kerberos gives issues, so you can synchronize time using NTP, for that execute


    yum install ntp
    service ntpd restart


    Edit the "/var/kerberos/krb5kdc/kadm5.acl" to look like


    */admin *


    now edit the "/etc/krb5.conf" file, and it should look like


    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = EXAMPLE.COM
      kdc =
      admin_server =
    [domain_realm] = EXAMPLE.COM = EXAMPLE.COM


    Now edit firewall permissions and allow "kerberos", for my setting, I used graphical management tool that come with fedora to accomplish that. Then start the Kerberos server using following commands


    /sbin/service krb5kdc start
    /sbin/service kadmin start


    Now we are ready to create users in the Kerberos, to begin with we need a "root" user, you can add that by issuing


    kadmin.local -q "addprinc root/admin"


    Now login with "root" user in kadmin to create another user


    kadmin.local -p root/admin


    Then at the command prompt, to add a user say "rareddy", issue command


    ank rareddy
    ank HTTP/


    You can also view all the users in the system by issuing




    you will see users like




    Here I am going to use "HTTP/" user as Service Provider Principle. In Kerberos, there are three systems, one is client user (that is you, ex:rareddy), second is where the service you wants access to is running (that is Teiid server), and then the kerberos server itself. In order for the Service provider system to authenticate with Kerberos system, you do not want configure using your user token, but need to use a trusted user called SPN. Initially, the client machine talks directly to the Kerberos system gets a token, and then uses that token with Service system to negotiate a login. In back end, the service provider system, based on its SPN credentials with authorize the client or not.


    To proceed we need to create a keytab, which holds the credentials. To create a keytab, execute below on kadmin console


    ktadd -k /path/to/http.keytab  HTTP/
    ktadd -k /path/to/rareddy.keytab rareddy


    Now kerberoes is all setup, copy the "path/to/http.keytab" to the system where JBoss EAP is running, to a known location. In my case it was "" machine. Install JBoss EAP on this machine. the "/etc/krb5.conf" file to this machine too in the same location.


    Now edit the standalone.xml file, add

            <property name="" value="/etc/krb5.conf"/>
            <property name="" value="true"/>
            <property name="" value="true"/>


    right after the "<extensions>" element. Add the following in the "security-domains" configuration


        <security-domain name="host" cache-type="default">
                <login-module code="Kerberos" flag="required">
                    <module-option name="storeKey" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="refreshKrb5Config" value="true"/>
                    <module-option name="keyTab" value="/path/to/krbtgt.keytab"/>
                    <module-option name="principal" value="HTTP/"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <module-option name="debug" value="true"/>
        <security-domain name="EXAMPLE.COM" cache-type="default">
                <login-module code="SPNEGO" flag="requisite">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="serverSecurityDomain" value="host"/>
                <login-module code="" flag="requisite">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/"/>



    # A file for use with the UsersRolesLoginModule
    # username=role1,role2


    Save the file, and start the JBoss EAP  server using


    <jboss-as>/bin/ -c standalone.xml -b


    Web Application

    public class HelloWorld extends Application {
      private SecurityContext mySecurityContext;
        public String helloworld() {
            return "<message>Hello World! User="+mySecurityContext.getUserPrincipal().getName()+"</message>";



    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="" xmlns="" xmlns:web="" xsi:schemaLocation="" version="2.5">
            <display-name>require valid user</display-name>
                <web-resource-name>Kerberos Application</web-resource-name>
            <description>security role</description>



    <?xml version="1.0" encoding="UTF-8"?>




      <module name="" />


    A sample project is attached. Build the WAR file, and deploy to the JBoss EAP instance.



    For testing I chose curl, as I did not find correct way to configure chrome or firefox, that I can see how they issue the negotiate call for kerberos. CURL was much more clear and simple


    Before you can issue the http call, execute the following


    $kinit -f -k -t /path/to/rareddy.keytab rareddy@EXAMPLE.COM
    Ticket cache: DIR::/run/user/1000/krb5cc/tktgaFBoW
    Default principal: rareddy@EXAMPLE.COM
    Valid starting       Expires              Service principal
    06/16/2014 13:20:48  06/17/2014 13:20:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
      renew until 06/16/2014 13:20:48
    $curl --negotiate -u foo:bar
    <message>Hello World! User=rareddy@EXAMPLE.COM</message>



    How to implement Kerberos authentication with Teiid over JDBC