IMPORTANT: The browser must support HTTP Kerberos SPNEGO. For example, Firefox or Internet Explorer.
For Firefox access the low level configuration page by loading the about:config page. Then go to the network.negotiate-auth.trusted-uris preference and add the hostname or the domain of the web server that is HTTP Kerberos SPNEGO protected (if using multiple domains and hostname use comma to separate them).
IMPORTANT: The curl version must support GSS, run curl -V.
$ curl -V curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 Protocols: tftp ftp telnet dict ldap http file https ftps Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
Login to the KDC using kinit and then use curl to fetch protected URL:
$ kinit Please enter the password for tucu@LOCALHOST: $ curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://$(hostname -f):8080/hadoop-auth-examples/kerberos/who Enter host password for user 'tucu': Hello Hadoop Auth Examples!
The --negotiate option enables SPNEGO in curl.
The -u : option is required but the user ignored (the principal that has been kinit-ed is used).
The -b and -c are use to store and send HTTP Cookies.
Use the AuthenticatedURL class to obtain an authenticated HTTP connection:
...
URL url = new URL("http://localhost:8080/hadoop-auth/kerberos/who");
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
...
HttpURLConnection conn = new AuthenticatedURL().openConnection(url, token);
...
conn = new AuthenticatedURL().openConnection(url, token);
...
Download Hadoop-Auth’s source code, the examples are in the src/main/examples directory.
Edit the hadoop-auth-examples/src/main/webapp/WEB-INF/web.xml and set the right configuration init parameters for the AuthenticationFilter definition configured for Kerberos (the right Kerberos principal and keytab file must be specified). Refer to the Configuration document for details.
Create the web application WAR file by running the mvn package command.
Deploy the WAR file in a servlet container. For example, if using Tomcat, copy the WAR file to Tomcat’s webapps/ directory.
Start the servlet container.
Try accessing protected resources using curl. The protected resources are:
$ kinit Please enter the password for tucu@LOCALHOST: $ curl http://localhost:8080/hadoop-auth-examples/anonymous/who $ curl http://localhost:8080/hadoop-auth-examples/simple/who?user.name=foo $ curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://$(hostname -f):8080/hadoop-auth-examples/kerberos/who
$ kinit Please enter the password for tucu@LOCALHOST: $ cd examples $ mvn exec:java -Durl=http://localhost:8080/hadoop-auth-examples/kerberos/who .... Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo=" Status code: 200 OK You are: user[tucu] principal[tucu@LOCALHOST] ....