The Kerberos plugin adds Kerberos single sign-on support to a Grails application that uses Spring Security. It depends on the Spring Security Core plugin.
Once you have configured a Kerberos server (typically Microsoft Active Directory or MIT Kerberos) and have configured your Grails application(s) as clients, users who have authenticated at the Kerberos server will be automatically authenticated as a user of your application(s) without being asked for a password.
- Version 0.1
- released January 30, 2011
Configuring your Kerberos server is beyond the scope of this document. There are several options and this will most likely be done by IT staff. It's assumed here that you already have a running Kerberos server.
The plugin uses the Kerberos/SPNEGO Spring Security extension, and the most relevant information about it can be found in this blog post.
There isn't much that you need to do in your application to be a Kerberos client. Just install this plugin, and configure the two required parameters and whatever optional parameters you want in Config.groovy. These are described in detail in Chapter 3, but typically you only need to set these properties:

```groovy
grails.plugins.springsecurity.kerberos.ticketValidator.servicePrincipal = 'HTTP/kerberos.server.name@KERBEROS.DOMAIN'
grails.plugins.springsecurity.kerberos.ticketValidator.keyTabLocation = 'file:///path/to/your.keytab'
```
UserDetailsService
Currently the only information that is retrieved from Kerberos is the username (plus the authentication status, of course), so you'll need to have user and role data in your database corresponding to Kerberos users. Since you'll be authenticating externally, you can either remove the password field from the user class and use a custom UserDetailsService, or just store dummy values in the password column to satisfy the not-null constraint.
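The following is an added example of the custom UserDetailsService approach; it is not code from the plugin or its documentation. It assumes the Spring Security Core 1.x package names (org.codehaus.groovy.grails.plugins.springsecurity), Spring Security 3.0's GrantedAuthorityImpl, and a domain class com.example.User with username, enabled and accountLocked properties plus a getAuthorities() method returning role objects, as the Core plugin's generated classes provide; all of those names are assumptions. The point it makes: because the Kerberos ticket has already proven the identity, the password is never compared, so the service returns a fixed placeholder, but it still refuses principals that have no application account and still honours the enabled/locked flags from the database, so that disabling a user in the application keeps them out even while the KDC keeps issuing tickets for them.

```groovy
// Added example (not from the plugin): a UserDetailsService for users
// authenticated by Kerberos. Package and class names are assumptions.
package com.example

import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUserDetailsService
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class KerberosUserDetailsService implements GrailsUserDetailsService {

    // Kerberos has already verified the user, so the password is never
    // checked; a fixed non-empty placeholder keeps GrailsUser's constructor happy.
    static final String NO_PASSWORD = 'kerberos-authenticated'

    // Spring Security rejects an empty authority list, so a user with no
    // roles still gets a harmless marker role (assumed convention).
    static final List NO_ROLES = [new GrantedAuthorityImpl('ROLE_NO_ROLES')]

    UserDetails loadUserByUsername(String username, boolean loadRoles)
            throws UsernameNotFoundException {
        loadUserByUsername(username)
    }

    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User.withTransaction { status ->
            User user = User.findByUsername(username)
            if (!user) {
                // A valid ticket for a principal with no application account
                // must not create an implicit account; refuse the login instead.
                throw new UsernameNotFoundException(
                    "No application user for Kerberos principal $username")
            }

            def authorities = user.authorities.collect {
                new GrantedAuthorityImpl(it.authority)
            }

            // enabled and accountLocked come from the application's own
            // database, so an account disabled here stays out even though the
            // Kerberos server still issues tickets for it.
            new GrailsUser(user.username, NO_PASSWORD, user.enabled,
                           true, true, !user.accountLocked,
                           authorities ?: NO_ROLES, user.id)
        }
    }
}
```

To make the plugin use this class instead of the Core plugin's default, register it as the `userDetailsService` bean in grails-app/conf/spring/resources.groovy (for example `userDetailsService(com.example.KerberosUserDetailsService)`), which is the Core plugin's standard override mechanism.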
There are a few configuration options for the Kerberos plugin.
All of these property overrides must be specified in grails-app/conf/Config.groovy using the grails.plugins.springsecurity prefix, for example:

```groovy
grails.plugins.springsecurity.kerberos.debug = true
```
There are two required properties:

| Name | Default | Meaning |
|---|---|---|
| kerberos.ticketValidator.servicePrincipal | none, required | the web application's service principal, e.g. HTTP/www.example.com@EXAMPLE.COM |
| kerberos.ticketValidator.keyTabLocation | none, required | the URL of the keytab file containing the service principal's credentials, e.g. file:///etc/http-web.keytab |
and three optional properties:

| Name | Default | Meaning |
|---|---|---|
| kerberos.configLocation | null | the location of the Kerberos config file; leave unset to use the default location (e.g. /etc/krb5.conf, c:\winnt\krb5.ini, /etc/krb5/krb5.conf) |
| kerberos.debug | false | if true, enables debug logs from the Sun Kerberos implementation |
| kerberos.ticketValidator.debug | false | if true, enables ticket validator debug messages |