2025-09-13 03:23:19 +08:00
|
|
|
/*
|
2025-09-13 04:12:47 +08:00
|
|
|
* Copyright 2004-present the original author or authors.
|
2025-09-13 03:23:19 +08:00
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
2025-09-13 04:12:47 +08:00
|
|
|
* https://www.apache.org/licenses/LICENSE-2.0
|
2025-09-13 03:23:19 +08:00
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
2025-09-13 04:12:47 +08:00
|
|
|
|
2025-09-13 03:23:19 +08:00
|
|
|
package org.springframework.security.kerberos.docs;
|
|
|
|
|
|
|
|
|
|
import org.springframework.beans.factory.annotation.Value;
|
|
|
|
|
import org.springframework.context.annotation.Bean;
|
|
|
|
|
import org.springframework.context.annotation.Configuration;
|
|
|
|
|
import org.springframework.core.io.FileSystemResource;
|
|
|
|
|
import org.springframework.security.authentication.AuthenticationManager;
|
|
|
|
|
import org.springframework.security.authentication.ProviderManager;
|
|
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
|
|
|
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
|
|
|
|
|
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
|
|
|
|
|
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
|
|
|
|
|
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
|
|
|
|
|
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
|
|
|
|
|
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
|
|
|
|
|
import org.springframework.security.web.SecurityFilterChain;
|
|
|
|
|
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
|
|
|
|
|
|
|
|
|
|
//tag::snippetA[]
|
|
|
|
|
@Configuration
|
|
|
|
|
@EnableWebSecurity
|
|
|
|
|
public class WebSecurityConfig {
|
|
|
|
|
|
|
|
|
|
@Value("${app.service-principal}")
|
|
|
|
|
private String servicePrincipal;
|
|
|
|
|
|
|
|
|
|
@Value("${app.keytab-location}")
|
|
|
|
|
private String keytabLocation;
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
|
|
KerberosAuthenticationProvider kerberosAuthenticationProvider = kerberosAuthenticationProvider();
|
|
|
|
|
KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider();
|
|
|
|
|
ProviderManager providerManager = new ProviderManager(kerberosAuthenticationProvider,
|
|
|
|
|
kerberosServiceAuthenticationProvider);
|
|
|
|
|
|
|
|
|
|
http
|
|
|
|
|
.authorizeHttpRequests((authz) -> authz
|
|
|
|
|
.requestMatchers("/", "/home").permitAll()
|
|
|
|
|
.anyRequest().authenticated()
|
|
|
|
|
)
|
|
|
|
|
.exceptionHandling()
|
|
|
|
|
.authenticationEntryPoint(spnegoEntryPoint())
|
|
|
|
|
.and()
|
|
|
|
|
.formLogin()
|
|
|
|
|
.loginPage("/login").permitAll()
|
|
|
|
|
.and()
|
|
|
|
|
.logout()
|
|
|
|
|
.permitAll()
|
|
|
|
|
.and()
|
|
|
|
|
.authenticationProvider(kerberosAuthenticationProvider())
|
|
|
|
|
.authenticationProvider(kerberosServiceAuthenticationProvider())
|
|
|
|
|
.addFilterBefore(spnegoAuthenticationProcessingFilter(providerManager),
|
|
|
|
|
BasicAuthenticationFilter.class);
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
|
|
|
|
|
KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
|
|
|
|
|
SunJaasKerberosClient client = new SunJaasKerberosClient();
|
|
|
|
|
client.setDebug(true);
|
|
|
|
|
provider.setKerberosClient(client);
|
|
|
|
|
provider.setUserDetailsService(dummyUserDetailsService());
|
|
|
|
|
return provider;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public SpnegoEntryPoint spnegoEntryPoint() {
|
|
|
|
|
return new SpnegoEntryPoint("/login");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
|
|
|
|
|
AuthenticationManager authenticationManager) {
|
|
|
|
|
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
|
|
|
|
|
filter.setAuthenticationManager(authenticationManager);
|
|
|
|
|
return filter;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
|
|
|
|
|
KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
|
|
|
|
|
provider.setTicketValidator(sunJaasKerberosTicketValidator());
|
|
|
|
|
provider.setUserDetailsService(dummyUserDetailsService());
|
|
|
|
|
return provider;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
|
|
|
|
|
SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
|
|
|
|
|
ticketValidator.setServicePrincipal(servicePrincipal);
|
|
|
|
|
ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
|
|
|
|
|
ticketValidator.setDebug(true);
|
|
|
|
|
return ticketValidator;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Bean
|
|
|
|
|
public DummyUserDetailsService dummyUserDetailsService() {
|
|
|
|
|
return new DummyUserDetailsService();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
//end::snippetA[]
|
