Skip to content

Conversation

@raccoonback
Copy link
Contributor

@raccoonback raccoonback commented Jun 23, 2025

Motivation

This PR adds support for SPNEGO (Kerberos) authentication to HttpClient, addressing #3079.
SPNEGO is widely used for HTTP authentication in enterprise environments, particularly those based on Kerberos.

Changes

SpnegoAuthProvider

Provides SPNEGO authentication by generating a Kerberos-based token and attaching it to the Authorization header of outgoing HTTP requests.

JaasAuthenticator

Provides a pluggable way to perform JAAS-based Kerberos login, making it easy to integrate with various authentication backends.

HttpClient.spnego(...) API

Adds a new API to configure SPNEGO authentication for HttpClient instances.

HttpClient client = HttpClient.create()
    .spnego(SpnegoAuthProvider.create(new JaasAuthenticator("KerberosLogin")));

client.get()
      .uri("http://protected.example.com/")
      .responseSingle((res, content) -> content.asString())
      .block();

jaas.conf

A JAAS(Java Authentication and Authorization Service) configuration file in Java for integrating with authentication backends such as Kerberos.

KerberosLogin {
    com.sun.security.auth.module.Krb5LoginModule required
    client=true
    useKeyTab=true
    keyTab="/path/to/test.keytab"
    principal="test@EXAMPLE.COM"
    doNotPrompt=true
    debug=true;
};

krb5.conf

krb5.conf is a Kerberos client configuration file used to define how the client locates and communicates with the Kerberos Key Distribution Center (KDC) for authentication.

[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[domain_realms]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

How It Works

  • When a server responds with 401 Unauthorized and a WWW-Authenticate: Negotiate header,
    the client automatically generates a SPNEGO token using the Kerberos ticket and resends the request with the appropriate Authorization header.
  • The implementation is based on Java's GSS-API and is compatible with standard Kerberos environments.

Environment Configuration

Requires proper JAAS (jaas.conf) and Kerberos (krb5.conf) configuration.
See the updated documentation for example configuration files and JVM options.

Additional Notes

  • The SpnegoAuthProvider allows for easy extension and testing by supporting custom authenticators and GSSManager injection.
  • The feature is fully compatible with Java 1.6+ and works on both Unix and Windows environments.

@raccoonback
Copy link
Contributor Author

I tested Kerberos authentication using the krb5 available at https://formulae.brew.sh/formula/krb5.

@raccoonback raccoonback force-pushed the issue-3079 branch 5 times, most recently from 19ccf13 to 090e1c2 Compare June 26, 2025 06:49
@raccoonback raccoonback changed the title Support SPNEGO (Kerberos) Authentication in HttpClient Support SPNEGO Authentication in HttpClient Jun 27, 2025
@raccoonback raccoonback force-pushed the issue-3079 branch 3 times, most recently from a6efd89 to 96aa2ba Compare July 1, 2025 08:57
Comment on lines 31 to 92
public class JaasAuthenticator implements SpnegoAuthenticator {

private final String contextName;

/**
* Creates a new JaasAuthenticator with the given context name.
*
* @param contextName the JAAS login context name
*/
public JaasAuthenticator(String contextName) {
this.contextName = contextName;
}

/**
* Performs a JAAS login using the configured context name and returns the authenticated Subject.
*
* @return the authenticated JAAS Subject
* @throws LoginException if login fails
*/
@Override
public Subject login() throws LoginException {
LoginContext context = new LoginContext(contextName);
context.login();
return context.getSubject();
}
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It logs in using the specified JAAS login context name and returns the authenticated Subject object.

Comment on lines 449 to 459
HttpClientOperations operations = connection.as(HttpClientOperations.class);
if (operations != null && handler.spnegoAuthProvider != null) {
int statusCode = operations.status().code();
HttpHeaders headers = operations.responseHeaders();
if (handler.spnegoAuthProvider.isUnauthorized(statusCode, headers)) {
handler.spnegoAuthProvider.invalidateCache();
}
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a SPNEGO authentication expiration response is received via the HTTP response, the authentication header value is cleared.

Comment on lines +555 to +605
if (spnegoAuthProvider != null) {
return spnegoAuthProvider.apply(ch, ch.address())
.then(
Mono.defer(
() -> Mono.from(requestWithBodyInternal(ch))
)
);
}

return requestWithBodyInternal(ch);
}

private Publisher<Void> requestWithBodyInternal(HttpClientOperations ch) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If SPNEGO authentication is configured through the HttpClient, authentication is attempted before sending the request.

Comment on lines 113 to 185
if (verifiedAuthHeader != null) {
request.header(HttpHeaderNames.AUTHORIZATION, verifiedAuthHeader);
return Mono.empty();
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a valid authentication token already exists, it is reused.

Comment on lines 118 to 202
return Mono.fromCallable(() -> {
try {
return Subject.doAs(
authenticator.login(),
(PrivilegedAction<byte[]>) () -> {
try {
byte[] token = generateSpnegoToken(address.getHostName());
String authHeader = SPNEGO_HEADER + " " + Base64.getEncoder().encodeToString(token);

verifiedAuthHeader = authHeader;
request.header(HttpHeaderNames.AUTHORIZATION, authHeader);
return token;
}
catch (GSSException e) {
throw new RuntimeException("Failed to generate SPNEGO token", e);
}
}
);
}
catch (LoginException e) {
throw new RuntimeException("Failed to login with SPNEGO", e);
}
})
.subscribeOn(boundedElastic())
.then();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After obtaining Kerberos credentials via JAAS login, a SPNEGO token for the target server is generated using the GSS-API, and the Authorization: Negotiate <token> header is added to the request.

@raccoonback raccoonback force-pushed the issue-3079 branch 2 times, most recently from 8fcac3f to a77c0a5 Compare July 5, 2025 03:43
if (newState == HttpClientState.RESPONSE_RECEIVED) {
HttpClientOperations operations = connection.as(HttpClientOperations.class);
if (operations != null && handler.spnegoAuthProvider != null) {
if (shouldRetryWithSpnego(operations)) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-authenticates with SPNEGO if necessary.

Comment on lines +785 to +786
if (throwable instanceof SpnegoRetryException) {
return true;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configures it to retry even if a SpnegoRetryException occurs.

@raccoonback
Copy link
Contributor Author

@violetagg
Hello!
Please check this PR when you have a chance. 😃

@wendigo
Copy link

wendigo commented Jul 23, 2025

This is so great! Looking forward to get this in :)

@wendigo
Copy link

wendigo commented Jul 23, 2025

I can provide some guidance around APIs and configuration. Not every kerberos-enabled client uses JAAS, therefore the direct Subject/SPNEGO token support should be provided

@raccoonback
Copy link
Contributor Author

@wendigo
Hello!
Thank you for the great point. 😀

I was thinking of allowing users to implement the SpnegoAuthenticator interface, similar to JaasAuthenticator, to support custom authentication logic if needed.

If I understood you correctly, you're suggesting that we should provide a way for users to directly supply a Subject, as in the example below:

public class DirectSubjectAuthenticator implements SpnegoAuthenticator {

    // ...
    private Subject subject;

    @Override
    public Subject login() throws LoginException {
        return subject;
    }

    // ...
}

Would you be able to share a more concrete example or use case?
It would help refine the design in the right direction.

@wendigo
Copy link

wendigo commented Jul 24, 2025

Sure @raccoonback.

I'd like to use reactor-netty in the trino CLI/JDBC/client libraries.

We support delegated/constrained/unconstrained kerberos authentication. Relevant code is here:

https://github.com/trinodb/trino/tree/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos

This is how we add it to the okhttp: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java

Configurability is important as we expose configuration that allows the user to pass remote service name, service principal name, whether to canonicalize hostname: https://github.com/trinodb/trino/blob/master/client/trino-client/src/main/java/io/trino/client/auth/kerberos/SpnegoHandler.java#L50C5-L54C48

@raccoonback
Copy link
Contributor Author

@violetagg
I think supporting not only JAAS-based authentication but also allowing the user to provide a GSSCredential directly could improve configurability and flexibility.
This would be especially useful in environments where JAAS is not preferred or where credentials need to be managed programmatically.
What do you think about this direction?

cc. @wendigo

@violetagg
Copy link
Member

violetagg commented Jul 28, 2025 via email

@raccoonback
Copy link
Contributor Author

@wendigo
I've added GSSCredential-based SPNEGO authentication and support for service name and canonical hostname configuration.
Thank you for the suggestion.

Signed-off-by: raccoonback <kosb15@naver.com>
Signed-off-by: raccoonback <kosb15@naver.com>
Signed-off-by: raccoonback <kosb15@naver.com>
… authentication

Signed-off-by: raccoonback <kosb15@naver.com>
Signed-off-by: raccoonback <kosb15@naver.com>
Signed-off-by: raccoonback <kosb15@naver.com>
Comment on lines +480 to +486
private boolean shouldRetryWithSpnego(HttpClientOperations operations) {
int statusCode = operations.status().code();
HttpHeaders headers = operations.responseHeaders();

return handler.spnegoAuthProvider.isUnauthorized(statusCode, headers)
&& handler.spnegoAuthProvider.canRetry();
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the resource server responds with a requirement for SPNEGO authentication, the client will retry the authentication.

Comment on lines +499 to +508
private void retryWithSpnego(HttpClientOperations operations) {
handler.spnegoAuthProvider.invalidateTokenHeader();
handler.spnegoAuthProvider.incrementRetryCount();

if (log.isDebugEnabled()) {
log.debug(format(operations.channel(), "Triggering SPNEGO re-authentication"));
}

sink.error(new SpnegoRetryException());
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previously issued SPNEGO Negotiate Token is cleared, and a reissue attempt is made.

Comment on lines +73 to +91
@Override
public GSSContext createContext(String serviceName, String remoteHost) throws Exception {
LoginContext lc = new LoginContext(loginContext);
lc.login();
Subject subject = lc.getSubject();

return Subject.doAs(subject, (PrivilegedExceptionAction<GSSContext>) () -> {
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName(serviceName + "/" + remoteHost, GSSName.NT_HOSTBASED_SERVICE);
GSSContext context = manager.createContext(
serverName,
new Oid("1.3.6.1.5.5.2"), // SPNEGO
null,
GSSContext.DEFAULT_LIFETIME
);
context.requestMutualAuth(true);
return context;
});
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication is performed based on JAAS.

Comment on lines +115 to +166
public static final class Builder {
private final SpnegoAuthenticator authenticator;
private int unauthorizedStatusCode = 401;
private String serviceName = "HTTP";
private boolean resolveCanonicalHostname;

private Builder(SpnegoAuthenticator authenticator) {
this.authenticator = authenticator;
}

/**
* Sets the HTTP status code that indicates authentication failure.
*
* @param statusCode the status code (default: 401)
* @return this builder
*/
public Builder unauthorizedStatusCode(int statusCode) {
this.unauthorizedStatusCode = statusCode;
return this;
}

/**
* Sets the service name for the service principal.
*
* @param serviceName the service name (default: "HTTP")
* @return this builder
*/
public Builder serviceName(String serviceName) {
this.serviceName = serviceName;
return this;
}

/**
* Sets whether to resolve canonical hostname.
*
* @param resolveCanonicalHostname true to resolve canonical hostname (default: false)
* @return this builder
*/
public Builder resolveCanonicalHostname(boolean resolveCanonicalHostname) {
this.resolveCanonicalHostname = resolveCanonicalHostname;
return this;
}

/**
* Builds the SpnegoAuthProvider instance.
*
* @return a new SpnegoAuthProvider
*/
public SpnegoAuthProvider build() {
return new SpnegoAuthProvider(authenticator, unauthorizedStatusCode, serviceName, resolveCanonicalHostname);
}
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The HTTP client receives the options required for SPNEGO authentication:

  1. HTTP status to catch the authentication required error response from the resource server
  2. Service principal name
  3. Whether to handle canonical hostname

Comment on lines +216 to +222
private String resolveHostName(InetSocketAddress address) {
String hostName = address.getHostName();
if (resolveCanonicalHostname) {
hostName = address.getAddress().getCanonicalHostName();
}
return hostName;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is handled as the canonical hostname.

Comment on lines +235 to +258
private byte[] generateSpnegoToken(String hostName) throws Exception {
if (hostName == null || hostName.trim().isEmpty()) {
throw new IllegalArgumentException("Host name cannot be null or empty");
}

GSSContext context = null;
try {
context = authenticator.createContext(serviceName, hostName.trim());
return context.initSecContext(new byte[0], 0, 0);
}
finally {
if (context != null) {
try {
context.dispose();
}
catch (GSSException e) {
// Log but don't propagate disposal errors
if (log.isDebugEnabled()) {
log.debug("Failed to dispose GSSContext", e);
}
}
}
}
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generates a SPNEGO Negotiate token for the given host name.

@raccoonback
Copy link
Contributor Author

@violetagg
Hello.
I would appreciate it if you could review this PR.
Thanks!

@violetagg
Copy link
Member

@violetagg Hello. I would appreciate it if you could review this PR. Thanks!

I'm just returning fro vacation, will check it in the next days or so

@raccoonback
Copy link
Contributor Author

@violetagg
Hello.
I would appreciate it if you could review this PR.
Thanks!

@violetagg
Copy link
Member

I will check this one ... just need to finalise some other tasks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants