How to use multiple SPNs when using spring-security SPNEGO

2
votes

I am using spring-security 3.0.2.RELEASE with spring-security-kerberos-core 1.0.0.M2 to implement SPNEGO based authentication.

The server has more than one valid DNS name. One refers to the machine itself (machine.domain), the other refers to the application (app.domain). Currently there is no reverse proxy set up.

I need to ensure that SPNEGO works for both valid DNS names. As it is, I have the machine name set up as the SPN. If I use IE7 to connect to the application, it works to connect to the machine name, but not the application name (HTTP 401).

I am using the SunJaasKerberosTicketValidator to validate tickets, but it only allows for one SPN to be configured at a time.

How do I configure my application to work with multiple SPNs? Do the SPNs just have to be added to the list with setspn? Or do I need to set up multiple ticket validators?

My question is very similar to this one (which was unanswered): http://forum.spring.io/forum/spring-projects/security/122250-spring-security-3-kerberos-spn

Thanks so much,

James

2
springspring-securitykerberosspnego
It turns out that SPNs added using SetSPN will automatically start working even with the old keytab. I am going to award the bounty to Pavel, since his approach does sound like it would work if it was necessary to use more than one SPN from the server side.jmh
I am still looking for more documentation that describes how this is supposed to work and if it is supported.jmh

2 Answers

1
votes

Just a quick thought:

You can define two SunJaasKerberosTicketValidator instances, each for its domain and then implement your own KerberosTicketValidator which will delegate to the underlying JAAS validator based on the HTTP request.

You can get to the request from the validator if you use RequestContextListener:

HttpServletRequest request = (HttpServletRequest) ((ServletWebRequest) 
        RequestContextHolder.currentRequestAttributes()).getNativeRequest();
0
votes

Pavel is right, just in case of ClassCastException try:

RequestAttributes requestAttributes = RequestContextHolder.currentRequestAttributes();
HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest()