
Using kerb4j and Spring Security, I can get PAC SIDs from a SPNEGO token (allowing my app to determine which authorities are granted in Active Directory for a user):

@Bean
public SpnegoAuthenticationProvider spnegoAuthenticationProvider() {
    SpnegoAuthenticationProvider provider = new SpnegoAuthenticationProvider();
    provider.setTicketValidator(sunJaasKerberosTicketValidator());
    provider.setExtractGroupsUserDetailsService(authoritiesPopulator());
    provider.setServerSpn(servicePrincipal);
    return provider;
}

@Bean
public AuthoritiesPopulator authoritiesPopulator() {
    return new AuthoritiesPopulator();
}

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// kerb4j classes (package names as in kerb4j; check them against the version in use)
import com.kerb4j.common.marshall.pac.Pac;
import com.kerb4j.common.marshall.pac.PacLogonInfo;
import com.kerb4j.common.marshall.pac.PacSid;
import com.kerb4j.common.marshall.spnego.SpnegoInitToken;
import com.kerb4j.common.marshall.spnego.SpnegoKerberosMechToken;
import com.kerb4j.server.spring.SpnegoAuthenticationToken;

public class AuthoritiesPopulator implements AuthenticationUserDetailsService<SpnegoAuthenticationToken> {

    @Override
    public UserDetails loadUserDetails(SpnegoAuthenticationToken token) throws UsernameNotFoundException {

        try {
            // Parse the raw SPNEGO token and unwrap the Kerberos AP-REQ carried inside it
            SpnegoInitToken spnegoInitToken = new SpnegoInitToken(token.getToken());

            SpnegoKerberosMechToken spnegoKerberosMechToken = spnegoInitToken.getSpnegoKerberosMechToken();

            // Decrypt the ticket with the service's keys and extract the PAC (null if the KDC sent none)
            Pac pac = spnegoKerberosMechToken.getPac(token.getKerberosKeys());

            List<SimpleGrantedAuthority> roles;

            if (null == pac) {
                roles = Collections.emptyList();
            } else {
                PacLogonInfo logonInfo = pac.getLogonInfo();

                PacSid[] groupSids = logonInfo.getGroupSids();
                roles = new ArrayList<>(groupSids.length);
                for (PacSid pacSid : groupSids) {
                    // "S-a-SID-NUMBER" is a placeholder for the AD group SID that maps to ADMIN
                    if ("S-a-SID-NUMBER"
                            .equals(pacSid.toHumanReadableString())) {
                        roles.add(new SimpleGrantedAuthority("ADMIN"));
                    }
                }
            }

            return new User(token.username(), "N/A", roles);
        } catch (Exception e) {
            // Any decoding/verification failure must fail authentication, not grant empty roles
            throw new UsernameNotFoundException("Could not extract PAC for " + token.username(), e);
        }
    }
}

Unfortunately, kerb4j doesn't work with Spring Boot 3. I would like to use the official Spring Security Kerberos library since it has been updated for Spring Boot 3.

How do I get to the PAC SIDs using Spring Security Kerberos 2.0?

Here's what I've tried

The SpnegoAuthenticationProvider is a type provided by kerb4j. I couldn't find an equivalent type in Spring Security Kerberos. The closest I found was KerberosServiceAuthenticationProvider. I attempted to create that bean as follows:

@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() throws Exception {
    KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
    provider.setTicketValidator(sunJaasKerberosTicketValidator());
    // Does not compile: setUserDetailsService expects a UserDetailsService, not an AuthenticationUserDetailsService
    provider.setUserDetailsService(authoritiesPopulator());
    return provider;
}

The problem is that the setUserDetailsService of KerberosServiceAuthenticationProvider does not accept an argument type of AuthenticationUserDetailsService. It accepts a UserDetailsService which defines a method loadUserDetails. That method takes a String argument rather than a SpnegoAuthenticationToken. So, the Spring framework will call my loadUserDetails implementation with a username String instead of the needed SpnegoAuthenticationToken.

Is this a work in progress that will be part of 2.1? Or can this be done using 2.0?

James

0 Answers
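The following is an added example, not code from the question, from kerb4j or from Spring Security Kerberos. It shows one way to get at the PAC SIDs with Spring Security Kerberos 2.x without going through UserDetailsService: a custom AuthenticationProvider that accepts the KerberosServiceRequestToken the filter produces, lets the library's KerberosTicketValidator do the GSS-API validation, and then parses the same raw SPNEGO bytes with the kerb4j PAC classes shown in the question. It assumes that only kerb4j's PAC/SPNEGO parsing classes (not its Spring integration) are on the classpath and work on the target stack, that the keytab path, the SPN and the SID-to-role map are supplied by the caller (placeholders here), and that getPac verifies the PAC server checksum with the supplied keys, which is why the keys for the SPN are read from the keytab.

```java
// Added example: custom AuthenticationProvider for Spring Security Kerberos 2.x
// that extracts PAC group SIDs with kerb4j's parser. Not from either project.
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

// kerb4j package names as assumed here; check them against the version in use
import com.kerb4j.common.marshall.pac.Pac;
import com.kerb4j.common.marshall.pac.PacLogonInfo;
import com.kerb4j.common.marshall.pac.PacSid;
import com.kerb4j.common.marshall.spnego.SpnegoInitToken;
import com.kerb4j.common.marshall.spnego.SpnegoKerberosMechToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.KerberosTicketValidation;
import org.springframework.security.kerberos.authentication.KerberosTicketValidator;

public class PacAwareKerberosAuthenticationProvider implements AuthenticationProvider {

    private final KerberosTicketValidator ticketValidator;
    private final KerberosKey[] serviceKeys;
    private final Map<String, String> sidToRole; // e.g. "S-1-5-21-...-512" -> "ADMIN" (placeholder)

    public PacAwareKerberosAuthenticationProvider(KerberosTicketValidator ticketValidator,
                                                   File keytab, String servicePrincipal,
                                                   Map<String, String> sidToRole) {
        this.ticketValidator = ticketValidator;
        // The PAC server checksum is keyed with the service's long-term key, so load
        // every key for the SPN (all enctypes/kvnos) from the keytab to verify it.
        this.serviceKeys = KeyTab.getInstance(keytab).getKeys(new KerberosPrincipal(servicePrincipal));
        this.sidToRole = sidToRole;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        KerberosServiceRequestToken request = (KerberosServiceRequestToken) authentication;
        byte[] token = request.getToken();

        // 1. Standard Spring Security Kerberos validation of the AP-REQ (GSS-API).
        KerberosTicketValidation validation = ticketValidator.validateTicket(token);

        // 2. Parse the same SPNEGO bytes with kerb4j and pull authorities from the PAC.
        List<GrantedAuthority> authorities = new ArrayList<>();
        try {
            SpnegoInitToken initToken = new SpnegoInitToken(token);
            SpnegoKerberosMechToken mechToken = initToken.getSpnegoKerberosMechToken();
            Pac pac = mechToken.getPac(serviceKeys); // null if the KDC included no PAC
            if (pac != null) {
                PacLogonInfo logonInfo = pac.getLogonInfo();
                mapSids(logonInfo.getGroupSids(), authorities); // global/universal groups in the user's domain
                mapSids(logonInfo.getExtraSids(), authorities); // SIDs from other domains / well-known SIDs
            }
        } catch (Exception e) {
            // A token that validated via GSS but whose PAC cannot be decoded/verified is rejected,
            // never silently authenticated with an empty authority set.
            throw new BadCredentialsException("Could not decode PAC from SPNEGO token", e);
        }

        UserDetails user = new User(validation.username(), "N/A", authorities);
        // Authenticated token: principal, validation result, authorities and the original bytes.
        return new KerberosServiceRequestToken(user, validation, authorities, token);
    }

    private void mapSids(PacSid[] sids, List<GrantedAuthority> out) {
        if (sids == null) {
            return;
        }
        for (PacSid sid : sids) {
            String role = sidToRole.get(sid.toHumanReadableString());
            if (role != null) {
                out.add(new SimpleGrantedAuthority(role));
            }
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return KerberosServiceRequestToken.class.isAssignableFrom(authentication);
    }
}
```

Register this bean in place of KerberosServiceAuthenticationProvider and keep the existing SunJaasKerberosTicketValidator as the injected KerberosTicketValidator; the SPNEGO filter is unchanged because it still submits a KerberosServiceRequestToken. Map SIDs, not group names, because names can be renamed while the SID stays fixed, and treat a PAC whose checksum does not verify as an authentication failure rather than falling back to "no groups".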