3. Configuration

There are a few configuration options for the Kerberos plugin.

The plugin uses the Kerberos/SPNEGO Spring Security extension and the most relevant information about it can be found in this blog post.

All of these property overrides must be specified in grails-app/conf/Config.groovy using the grails.plugins.springsecurity suffix, for example
grails.plugins.springsecurity.kerberos.debug = true

There are two required properties:
Name Default Meaning
kerberos.ticketValidator.servicePrincipal none, required the web application service principal, e.g. HTTP/www.example.com@EXAMPLE.COM
kerberos.ticketValidator.keyTabLocation none, required the URL to the location of the keytab file containing the service principal's credentials, e.g. file:///etc/http-web.keytab

Name	Default	Meaning
kerberos.ticketValidator.servicePrincipal	none, required	the web application service principal, e.g. `HTTP/www.example.com@EXAMPLE.COM`
kerberos.ticketValidator.keyTabLocation	none, required	the URL to the location of the keytab file containing the service principal's credentials, e.g. `file:///etc/http-web.keytab`

and three optional properties:

Name Default Meaning
kerberos.configLocation null The location of the Kerberos config file. Leave unset to use the default location (e.g. /etc/krb5.conf, c:winntkrb5.ini, /etc/krb5/krb5.conf)
kerberos.debug false if true enables debug logs from the Sun Kerberos Implementation
kerberos.ticketValidator.debug false if true enables ticket validator debug messages

Name	Default	Meaning
kerberos.configLocation	`null`	The location of the Kerberos config file. Leave unset to use the default location (e.g. `/etc/krb5.conf`, `c:winntkrb5.ini`, `/etc/krb5/krb5.conf`)
kerberos.debug	`false`	if `true` enables debug logs from the Sun Kerberos Implementation
kerberos.ticketValidator.debug	`false`	if `true` enables ticket validator debug messages