Microservices and Kerberos Authentication

How to use Kerberos authentication with microservice architectures and API gateways.

By Jethro Bakker · Oct. 06, 15 · Opinion


Kerberos authentication is used to secure a variety of big data products such as Apache Hadoop and, more recently, Apache Kafka (>0.9). In the case of Hadoop it is used to authenticate every user and service that wants to use the Hadoop ecosystem. Many modern NoSQL databases also support Kerberos, for example Apache Cassandra and MongoDB. Kerberos authentication is useful in microservice architectures too: it can provide single sign-on functionality, and a less well-known property is that a service can delegate the user's credentials to the sub-services it calls.

In a microservice architecture you probably have an API gateway, which is the single entry point for a native mobile app or an HTML5 application. The gateway forwards requests to several microservices and aggregates the results in a single response.

[Figure: API gateway pattern. Source: http://microservices.io/patterns/apigateway.html]

The challenge here is knowing which user is logged in at the backing REST services. With Kerberos it is possible to delegate the user's credentials to these REST services, and each microservice can validate the credentials again.

How does this work in Java?

Since Java is enterprise ready, Kerberos has been supported since the early days (JDK 1.4) through the GSS-API. However, this API is pretty awkward to use. Luckily there is a Kerberos plugin for Spring Security, but this plugin has no out-of-the-box support for credential delegation. So I have written some code to create a delegated service ticket (note that this ticket is also forwardable):

import org.ietf.jgss.*;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;

import javax.security.auth.Subject;
import java.security.PrivilegedExceptionAction;

public static byte[] createServiceToken(String serviceName) throws Exception {
    KerberosServiceRequestToken authentication = (KerberosServiceRequestToken)
       SecurityContextHolder.getContext().getAuthentication();

    Subject subject = authentication.getTicketValidation().subject();

    return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName("HTTP@" + serviceName, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext context = manager.createContext(name,
                                    null,
                                    authentication.getTicketValidation().getGssContext().getDelegCred(),
                                    GSSContext.INDEFINITE_LIFETIME);
        context.requestCredDeleg(true);
        byte[] serviceToken = context.initSecContext(authentication.getToken(), 0, authentication.getToken().length);
        context.dispose();
        return serviceToken;
    });
}

Some explanation:

  • Lines 9-10: retrieve the KerberosServiceRequestToken from the Spring Security context
  • Line 12: get the currently logged-in Subject
  • Line 14: run the lambda expression as this Subject
  • Line 15: get the GSSManager
  • Line 16: create a GSSName for the REST endpoint
  • Lines 17-20: create a new GSSContext for this REST endpoint, using the credential that was delegated with the inbound ticket
  • Line 21: request a forwardable Kerberos token, so the new service ticket is also forwardable
  • Line 22: initiate the security context with the current Kerberos token to get a new service ticket
  • Line 23: close the context
  • Line 24: return the new ticket
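The article shows only the gateway's side of the hop. The receiving microservice has to accept the forwarded ticket, learn which user it belongs to, and find out whether a delegated credential actually arrived with it (otherwise it must not try to impersonate the user towards a further hop). The following acceptor is an added example written for this page with plain JGSS and JAAS; it is not the article's code and not part of Spring Security Kerberos. The class and method names (DelegatedTicketAcceptor, Validation, negotiateHeader, loginFromKeytab, accept), the login entry name and the principal and keytab values in the comments are assumptions.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Acceptor side of the delegation flow: a downstream microservice validates the
 * forwarded service ticket with its own keytab and reports who the user is and
 * whether a delegated credential arrived with the ticket.
 * Hypothetical helper written for this page, not the article's code.
 */
public final class DelegatedTicketAcceptor {

    /** What the downstream service learns from one accepted token. */
    public static final class Validation {
        public final String principal;             // e.g. alice@EXAMPLE.ORG (assumed realm)
        public final boolean credentialsDelegated; // true only if the caller forwarded a credential
        public final byte[] responseToken;         // goes back in WWW-Authenticate; may be null

        Validation(String principal, boolean credentialsDelegated, byte[] responseToken) {
            this.principal = principal;
            this.credentialsDelegated = credentialsDelegated;
            this.responseToken = responseToken;
        }
    }

    /** Header the gateway attaches to its outbound call: the ticket from createServiceToken, base64-encoded. */
    public static String negotiateHeader(byte[] serviceToken) {
        return "Negotiate " + Base64.getEncoder().encodeToString(serviceToken);
    }

    /** Logs the service in from its keytab as an acceptor only. Principal and path are assumed values. */
    public static Subject loginFromKeytab(String servicePrincipal, String keytabPath) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytabPath);            // e.g. /etc/orders/orders.keytab (assumed)
                opts.put("principal", servicePrincipal);   // e.g. HTTP/orders.example.org@EXAMPLE.ORG (assumed)
                opts.put("storeKey", "true");
                opts.put("isInitiator", "false");
                opts.put("doNotPrompt", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("delegated-acceptor", null, null, config);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Validates an inbound "Authorization: Negotiate ..." header while running as the service Subject.
     * The ticket is checked against the service key from the keytab inside acceptSecContext; a token
     * that was not issued by the KDC for this service fails there with a GSSException.
     */
    public static Validation accept(Subject serviceSubject, String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            throw new IllegalArgumentException("expected 'Authorization: Negotiate <base64 token>'");
        }
        byte[] inToken = Base64.getDecoder().decode(authorizationHeader.substring("Negotiate ".length()).trim());

        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Validation>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // null credential: accept with the service principal found in the login Subject
            GSSContext context = manager.createContext((GSSCredential) null);
            try {
                byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
                // A Kerberos AP-REQ establishes the acceptor side in a single call; a token that
                // needs more legs is not a Kerberos ticket for this service and is rejected.
                if (!context.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                String principal = context.getSrcName().toString();
                boolean delegated = context.getCredDelegState();
                // When delegated is true, context.getDelegCred() is the credential that
                // createServiceToken-style code can use to call the next hop as this user.
                return new Validation(principal, delegated, outToken);
            } finally {
                context.dispose();
            }
        });
    }
}
```

The value of the delegated flag is the point: a service that received a plain ticket without delegation still knows the user's principal for authorization and auditing, but it cannot obtain a further ticket on the user's behalf and should call downstream services under its own identity, passing the user name as data. Because credentials obtained through getDelegCred() let a service act as that user against any other service, each hop in the chain should log the accepted principal together with the delegation state so that impersonation across hops is visible in the audit trail.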

A colleague of mine also created an extension to the Spring Security Kerberos plugin that delegates the user's credentials to an LDAP server, so there is no need for a bind user (with special permissions) anymore. The major advantage is that you can create an audit trail of every user logged in to your systems.


Published at DZone with permission of Jethro Bakker. See the original article here.
