I want to access a REST service from Java. The service runs under Windows and uses probably a "default" authentication mechanism. I was told it was Kerberos with a fallback to NTLM. I am able to access the service by a plain HTTPS GET request using Firefox (works with HttpRequester, too) - without specifying any credentials explicitely (obviously my Windows account is used).
How can I access the service from Java? A naive attempt to read using java.net.URL fails with status code 400.
Even the JDK (JVM implementation of Oracle) offers this, you may have a look at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html
This provides the high-level steps for the solution. You'll need Active Directory in order to leverage Kerberos with Windows. Then what you will do is use Java Spring Security for Kerberos in order to access the REST service from Java. The below are the more concrete steps.
The Java Spring Security for Kerberos library will do the heavy lifting for you, this provides a class to inject a Kerberos configuration into the HTTP client: org.springframework.security.kerberos.client.KerberosRestTemplate
You define some Kerberos properties within a client configuration .properties file. Here's the most important snippet from the file with respect to Kerberos:
KERBEROS.FLAG=Y KERBEROS.DEBUG=true SERVICE_ACCOUNT_PRINCIPAL = HTTP/some.hostname@YOUR.REALM KEYTAB_LOCATION = file:///C:/path/to/filename.keytab KDC = server.fqdn.name KDC_DOMAIN = YOUR.REALM KRB5 = file:///C:/path/to/krb5.conf
EDIT:
Kerberos keytabs are not required with a Java client on a Windows AD domain-joined machine. Since you want to use the credentials of the person who is running the Java program, you wouldn't use a keytab (since the keytab itself contains only one credential).
