2. Usage

Configuring your Kerberos server is beyond the scope of this document. There are several options and this will most likely be done by IT staff. It's assumed here that you already have a running Kerberos server.

The plugin uses the Kerberos/SPNEGO Spring Security extension and the most relevant information about it can be found in this blog post.

There isn't much that you need to do in your application to be a Kerberos client. Just install this plugin, and configure the two required parameters and whatever optional parameters you want in Config.groovy. These are described in detail in Chapter 3 but typically you only need to set these properties

grails.plugins.springsecurity.kerberos.ticketValidator.servicePrincipal =

grails.plugins.springsecurity.kerberos.ticketValidator.keyTabLocation = 'file:///path/to/your.keytab'


Currently the only information that is retrieved from Kerberos is the username (plus the authentication status of course) so you'll need to have user and role data in your database corresponding to Kerberos users. Since you'll be authenticating externally you can either remove the password field from the user class and use a custom UserDetailsService or just store dummy values in the password column to satisfy the not-null constraint.