DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

The software you build is only as secure as the code that powers it. Learn how malicious code creeps into your software supply chain.

Apache Cassandra combines the benefits of major NoSQL databases to support data management needs not covered by traditional RDBMS vendors.

Generative AI has transformed nearly every industry. How can you leverage GenAI to improve your productivity and efficiency?

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workloads.

Related

  • How To Implement OAuth2 Security in Microservices
  • MuleSoft OAuth 2.0 Provider: Password Grant Type
  • Spring OAuth Server: Authenticate User With user-details Service
  • Spring Authentication With MetaMask

Trending

  • A Developer's Guide to Mastering Agentic AI: From Theory to Practice
  • Medallion Architecture: Why You Need It and How To Implement It With ClickHouse
  • Docker Model Runner: Streamlining AI Deployment for Developers
  • AI-Driven Test Automation Techniques for Multimodal Systems
  1. DZone
  2. Data Engineering
  3. Big Data
  4. Microservices and Kerberos Authentication

Microservices and Kerberos Authentication

How to use Kerberos authentication with microservice architectures and API gateways.

By 
Jethro Bakker user avatar
Jethro Bakker
·
Oct. 06, 15 · Opinion
Likes (7)
Comment
Save
Tweet
Share
18.6K Views

Join the DZone community and get the full member experience.

Join For Free

kerberos authentication is used to secure a variety of big data products like apache hadoop and more recently apache kafka (>0.9). in case of hadoop it is used to authenticate each user and service in order to use the hadoop ecosystem. also a lot of modern nosql databases offer support for kerberos, for example apache cassandra and mongodb. kerberos authentication can also be useful in microservice architectures. it can be used to achieve single sign on functionality. a property that is less known is the possibility to delegate tokens to sub services.

in a microservice architecture you probably have an api gateway which is a single entry point for a native mobile app or a html5 application. the gateway can forward requests to several microservices and aggregates the results in a single response.

image title

source: http://microservices.io/patterns/apigateway.html

the challenge here is to know which user is logged in at the backing rest services. in case of kerberos it is possible to delegate the user credentials to these rest services. these microservice can validate the credentials again.

how does this work in java?

since java is enterprise ready there is support for kerberos since the early days (jdk 1.4) by the gss-api . however, this api is pretty awkward to use. luckily there is a kerberos plugin for spring security but this plugin has no out of the box support for credential delegation. so i have written some code to create a delegated service ticket: (note that this ticket is also forwardable)

import org.ietf.jgss.*;
import org.springframework.security.core.context.securitycontextholder;
import org.springframework.security.kerberos.authentication.kerberosservicerequesttoken;

import javax.security.auth.subject;
import java.security.privilegedexceptionaction;

public static byte[] createservicetoken(string servicename) throws exception {
    kerberosservicerequesttoken authentication = (kerberosservicerequesttoken)
       securitycontextholder.getcontext().getauthentication();

    subject subject = authentication.getticketvalidation().subject();

    return subject.doas(subject, (privilegedexceptionaction<byte[]>) () -> {
        gssmanager manager = gssmanager.getinstance();
        gssname name = manager.createname("http@" + servicename, gssname.nt_hostbased_service);
        gsscontext context = manager.createcontext(name, 
                                    null, 
                                    authentication.getticketvalidation().getgsscontext().getdelegcred(), 
                                    gsscontext.indefinite_lifetime);
        context.requestcreddeleg(true);
        byte[] servicetoken = context.initseccontext(authentication.gettoken(), 0, authentication.gettoken().length);
        context.dispose();
        return servicetoken;
    });
}

some explanation:

line 9,10    retrieves the keberosservicetoken from the spring security context

line 12        get the current logged in subject

line 14        run the lambda expression as this subject

line 15        get the gssmanager

line 16        create a gssname for the rest endpoint

line 17-20  create a new gsscontext for this rest endpoint

line 21        request a forwardable kerberos token, so the new service ticket is also forwardable

line 22        initiate the secure context with the current kerberos token to get a new service ticket

line 23        close the context and

line 24         return the new ticket

a colleague of mine also created an extension to the spring security kerberos plugin to delegate the user credentials to an ldap server. so, there is no need to use a bind user (with special permissions) anymore. the major advantage is that you can create an audit trail of any user logged in to your systems.

Kerberos (protocol) microservice Spring Security authentication hadoop

Published at DZone with permission of Jethro Bakker. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • How To Implement OAuth2 Security in Microservices
  • MuleSoft OAuth 2.0 Provider: Password Grant Type
  • Spring OAuth Server: Authenticate User With user-details Service
  • Spring Authentication With MetaMask

Partner Resources

×

Comments

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: