3 Configuration - Reference Documentation

Authors: Burt Beckwith

Version: 1.0.0

3 Configuration

There are a few configuration options for the Kerberos plugin.

The plugin uses the Spring Security Kerberos extension.

All of these property overrides must be specified in grails-app/conf/Config.groovy using the grails.plugin.springsecurity prefix, for example:
grails.plugin.springsecurity.kerberos.debug = true

There are two required properties:

| Name | Default | Meaning |
| --- | --- | --- |
| kerberos.ticketValidator.servicePrincipal | none, required | the web application service principal, e.g. HTTP/www.example.com@EXAMPLE.COM |
| kerberos.ticketValidator.keyTabLocation | none, required | the URL to the location of the keytab file containing the service principal's credentials, e.g. file:///etc/http-web.keytab |

and some optional properties:

| Name | Default | Meaning |
| --- | --- | --- |
| kerberos.active | true | set to false to disable the plugin |
| kerberos.client.debug | false | if true enables debug logs for the kerberos client bean |
| kerberos.configLocation | null | The location of the Kerberos config file (specify the path to the file, but omit "file://", e.g. "c:/krb5.conf"). Leave unset to use the default location (e.g. /etc/krb5.conf, c:\winnt\krb5.ini, /etc/krb5/krb5.conf) |
| kerberos.debug | false | if true enables debug logs for the kerberosConfig bean |
| kerberos.skipIfAlreadyAuthenticated | true | if true skip SpnegoAuthenticationProcessingFilter processing if already authenticated |
| kerberos.spnegoEntryPointForwardUrl | null | if set (e.g. '/login/auth') the EntryPoint will forward there in addition to setting the WWW-Authenticate header |
| kerberos.successHandler.headerName | 'WWW-Authenticate' | the name of the header to set following successful authentication |
| kerberos.successHandler.headerPrefix | 'Negotiate ' | the prefix for the encoded response token value |
| kerberos.ticketValidator.debug | false | if true enables debug logs for the ticketValidator bean |
| kerberos.ticketValidator.holdOnToGSSContext | false | if true, hold on to the GSS security context, otherwise call dispose() immediately |
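
A Config.groovy fragment combining the required and optional properties above. It is an added example, not taken from the plugin's documentation: the principal, keytab and paths are the sample values from the tables, and the per-environment split uses the standard Grails environments block so that the debug flags are on only in development.

```groovy
// grails-app/conf/Config.groovy
// Added example. All values are the sample values from the tables above;
// replace them with the principal and paths of your own deployment.

// Required: the service principal and the keytab holding its credentials.
// keyTabLocation is a URL, so the "file:" scheme is part of the value.
grails.plugin.springsecurity.kerberos.ticketValidator.servicePrincipal =
    'HTTP/www.example.com@EXAMPLE.COM'
grails.plugin.springsecurity.kerberos.ticketValidator.keyTabLocation =
    'file:///etc/http-web.keytab'

// Optional: configLocation is a plain file path, NOT a URL (no "file://").
// Leave it unset to use the platform default location.
grails.plugin.springsecurity.kerberos.configLocation = '/etc/krb5.conf'

// Optional: the entry point forwards here in addition to setting the
// WWW-Authenticate header.
grails.plugin.springsecurity.kerberos.spnegoEntryPointForwardUrl = '/login/auth'

environments {
    development {
        // Debug logging for the kerberosConfig, client and
        // ticketValidator beans while setting up SPNEGO.
        grails.plugin.springsecurity.kerberos.debug = true
        grails.plugin.springsecurity.kerberos.client.debug = true
        grails.plugin.springsecurity.kerberos.ticketValidator.debug = true
    }
    production {
        // Stated explicitly so a stray global override cannot
        // switch debug logging on in production (default is false).
        grails.plugin.springsecurity.kerberos.debug = false
        grails.plugin.springsecurity.kerberos.client.debug = false
        grails.plugin.springsecurity.kerberos.ticketValidator.debug = false
    }
}
```

The keytab holds the service principal's credentials, so the file referenced by keyTabLocation should be readable only by the account that runs the application.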