Tag Archives: java - Page 2

Camel-K: Custom HTTP Client with Kerberos auth

I haven’t been able to do this using the Apache Camel HTTP component yet, so I put together a Processor to do it for me instead. To make this work we need a krb5.conf and login.conf file with settings for our domain.
Example krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.SE

[realms]
    MYDOMAIN.SE = {
        kdc = kdc.mydomain.se
    }

Example Login.conf

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=false useTicketCache=true;
};

Camel flow:

public class MyFlow extends RouteBuilder {

  @Override
  public void configure() throws Exception {
    from("timer:myTimer?repeatCount=1")
          .process(new CustomHTTPClient())
          .log("${body}");                  
  }

  // Create a custom Authenticator
  static class MyAuthenticator extends Authenticator {
    public PasswordAuthentication getPasswordAuthentication() {
      return (new PasswordAuthentication("username", 
                                         "password".toCharArray()));
    }
  }

  // Camel Processor
  public static class CustomHTTPClient implements Processor {

    public void process(Exchange exchange) throws Exception {
      // Setup Kerberos authentication via Java VM options
      System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
      System.setProperty("java.security.auth.login.config", "/etc/login.conf");
      System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
      System.setProperty("sun.security.krb5.debug", "true"); // Debug logging 

      // Set a custom Authenticator
      Authenticator.setDefault(new MyAuthenticator());

      // Custom "HTTPClient"
      URL url = new URL("https://resource.mydomain.se/data");
      InputStream ins = url.openConnection().getInputStream();
      BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
      String str = "";
      for (String line; (line = reader.readLine()) != null; str += line);

      // Set payload as message back to flow
      exchange.getIn().setBody(str);
    }
  }
}

Kamel run arguments:

kamel run MyFlow.java 
               --resource file:krb5.conf@/etc/krb5.conf 
               --resource file:login.conf@/etc/login.conf

Tested on Apache Camel K Runtime 1.16.0, Apache Camel 3.19.0, Minikube v1.29.0 and WSL2 Ubuntu 20.04.4 LTS

Apache Camel: Get properties from within a Processor

Getting properties from within a Processor needs interaction with the exchange object. This can be accomplished by the following code:

public static class MyProccessor implements Processor {

    public void process(Exchange exchange) throws Exception {
        String prop = exchange
                         .getContext()
                              .resolvePropertyPlaceholders("{{my.property}}");
    }
}

Tested on Apache Camel K Runtime 1.16.0, Apache Camel 3.19.0, Minikube v1.29.0 and WSL2 Ubuntu 20.04.4 LTS

Kerberos and Java – a test application

Every now and then I get an assignment that includes an application that should use Kerberos authentication for access to a resource of some sort. One of the first things I like to try out is to use the program below to see that I have got the correct credentials and that the resource is up and running. Because I rarely work with this I thought it would be best to put the code and instructions here:

1. First we create a krb5.conf file with the settings for the domain in question. There are a few ways to do this but I usually use the following way:

>kinit <user name> #Creates an entry in the auth table for that user
>klist #Displays all entrys in auth table.
Credentials cache: C:\Users\niklas\krb5cc_niklas

Default principal: niklas@MYDOMAIN.SE, 1 entry found.

[1]  Service Principal:  krbtgt/MYDOMAIN.SE@MYDOMAIN.SE
     Valid starting:     Jun 09,  2023 10:12:50
     Expires:            Jun 09,  2023 20:12:50

We can here see the domain to use: MYDOMAIN.SE. This will be used in the [realms] section of the krb5.conf file

Now we need the DNS/IP for a KDC to put in the [libdefaults] section

>nslookup -type=srv _kerberos._tcp.MYDOMAIN.SE

Server:  dns1.mydomain.se
Address:  192.168.10.1

_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0093.mydomain.se
_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0094.mydomain.se
_kerberos._tcp.MYDOMAIN.SE      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = kdc0099.mydomain.se

Here we can pick one and fill the krb5.conf file like below:

[libdefaults]
    default_realm = MYDOMAIN.SE

[realms]
    VGREGION.SE = {
        kdc = kdc0093.mydomain.se
    }

After this we also need a login.conf with some settings needed for the demo program
2. Login.conf

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false useTicketCache=true;
};

3. Now it is time for the program

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

public class RunHttpKerberos {

    static final String kuser = "admin"; // Username
    static final String kpass = "admin"; // Password
    static final String kurl = "https://resource.mydomain.se/data"

    static class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }

    public static void main(String[] args) throws Exception {
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL(kurl);
        InputStream ins = url.openConnection().getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        while((str = reader.readLine()) != null)
            System.out.println(str);
    }
}

4. Compile and run the program with the following arguments

java 
-Djava.security.krb5.conf=krb5.conf 
-Djava.security.auth.login.config=login.conf 
-Djavax.security.auth.useSubjectCredsOnly=false 
RunHttpKerberos 

For DEBUG logging slap on a “-Dsun.security.krb5.debug=true”

If auth works you should see the resource printed in console

Tested om Java 1.8.0_352 and Windows 10