I have a Linux/Java 6 client that will authenticate to SharePoint 2010 with Kerberos and then send HTTP REST web services using Apache Commons HttpClient 4.2.

If I run "kinit myuser@mydomain" from the command line before connecting, my client runs smoothly.

My problem is that if I don't run kinit, I get prompted for a username.

How do I authenticate programmatically without being prompted for a username and without having to run command-line programs?

(I created a keytab and defined it in login.conf, so that takes care of the password prompt but not of the user prompt.)

import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class KerberosHttpClient {

    public static void main(String[] args) throws Exception {

        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        // Let JGSS obtain credentials through the JAAS login configuration
        // instead of requiring them in the current Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());

            // Empty credentials: the real ones come from JAAS/Kerberos
            Credentials use_jaas_creds = new Credentials() {

                public String getPassword() {
                    return null;
                }

                public Principal getUserPrincipal() {
                    return null;
                }

            };

            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null),
                    use_jaas_creds);

            HttpUriRequest request = new HttpGet("http://kerberoshost/");
            HttpResponse response = httpclient.execute(request);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            System.out.println("----------------------------------------");
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println("----------------------------------------");

            // This ensures the connection gets released back to the manager
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }
}
dov.amir
  • Please post your login.config file referring to the keytab you created. – Yves Martin Jun 19 '12 at 11:55
  • I answered something very similar here: http://stackoverflow.com/questions/21629132/httpclient-set-credentials-for-kerberos-authentication/23679954#23679954 – eljeko Aug 13 '14 at 15:22

1 Answer


You have to provide the principal name in addition to the keytab file to get a fully transparent client Kerberos authentication (kinit):

 client {
   com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     keyTab=/path/to/userKeytab
     principal="userName";
 };
Yves Martin
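
The login.conf entry from the answer can also be built in code, so the client needs neither kinit nor an external JAAS file. This is an added example, not code from the question or the answer: the names `KeytabLogin`, `keytabConfig` and `runAs` and the principal `myuser@MYDOMAIN` are placeholders, and it assumes the HTTP request is executed inside `runAs` with krb5.conf still configured as in the question.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KeytabLogin {
    // In-memory equivalent of the login.conf entry in the answer (hypothetical helper).
    static Configuration keytabConfig(String principal, String keytabPath) {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("doNotPrompt", "true"); // fail with LoginException instead of prompting
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // Logs in from the keytab, runs the action as that Subject, then discards the credentials.
    static <T> T runAs(String principal, String keytabPath,
                       PrivilegedExceptionAction<T> action) throws Exception {
        LoginContext lc = new LoginContext("client", null, null, keytabConfig(principal, keytabPath));
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), action);
        } finally {
            lc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder principal; the keytab path is the one shown in the answer.
        String who = runAs("myuser@MYDOMAIN", "/path/to/userKeytab",
                new PrivilegedExceptionAction<String>() {
                    public String run() { // the HttpClient request from the question goes here
                        return Subject.getSubject(AccessController.getContext())
                                .getPrincipals().toString();
                    }
                });
        System.out.println("Authenticated as " + who);
    }
}
```

A keytab is equivalent to the account's password, so keep the file readable only by the account the client runs as.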