Java – Kerberos authentication from the custom servlet


I follow the steps below to get the security token from the browser for Single Sign-On authentication.

I am able to find the token in the HTTP header. My questions are:
a) How do I verify this token with Active Directory?
b) How do I find the username from this token?

While googling, it seems the Java API has a Kerberos5 login module to do what I was expecting, but almost all pages lack simple examples.

  1. The Web client accesses an AS Java resource with a GET request.
  2. The AS Java sends back a 401 response code (unauthorized) with a request to initiate SPNego authentication by setting the HTTP header “WWW-Authenticate” to “Negotiate”.
  3. The Web client recognizes that the AS Java host is a member of the Kerberos Realm and procures a Kerberos Client/Server Session Ticket for the AS Java from the KDC.
  4. The Web client then sends the Kerberos Client/Server Session Ticket to the AS Java wrapped as a SPNego token in the HTTP authorization header.
  5. The SPNegoLoginModule reads the token from the HTTP request and feeds the Kerberos implementation of the JDK with it.
  6. The result is either successful client authentication or failure when the client request is rejected or another roundtrip to the KDC is necessary. In the case of failure, the Kerberos JDK implementation of the AS Java generates and sends back to the Web client an output token. The output token is wrapped as a SPNego token and sent in the HTTP authorization header.

Any help would be appreciated.
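As an added example that is not part of the original question or answer, here is a minimal servlet that performs steps 2, 5 and 6 of the flow above with the JDK's own Kerberos and GSS-API classes: it accepts the SPNEGO token, lets the Kerberos implementation validate it against the server's keytab (which is what "verify with Active Directory" amounts to for a service ticket), and reads the client principal name from the established context. The JAAS entry name `ServerAcceptor`, the keytab and the `HTTP/<host>` service principal are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.ietf.jgss.*;

// Assumes (not from the question): a JAAS config entry "ServerAcceptor" using
// com.sun.security.auth.module.Krb5LoginModule with useKeyTab=true, storeKey=true,
// isInitiator=false and principal="HTTP/<host>@<REALM>", passed via
// -Djava.security.auth.login.config, plus -Djava.security.krb5.conf for the KDC settings.
public class SpnegoServlet extends HttpServlet {
    private Subject serverSubject;   // holds the service key loaded from the keytab

    @Override public void init() throws ServletException {
        try {
            LoginContext lc = new LoginContext("ServerAcceptor");
            lc.login();                      // keytab login, no password prompt
            serverSubject = lc.getSubject();
        } catch (Exception e) { throw new ServletException("keytab login failed", e); }
    }

    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {
            resp.setHeader("WWW-Authenticate", "Negotiate");   // step 2: ask the browser for a token
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        byte[] inToken = Base64.getDecoder().decode(auth.substring("Negotiate ".length()).trim());
        try {
            String user = Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSContext ctx = mgr.createContext((GSSCredential) null); // acceptor; creds come from the Subject
                byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length); // step 5: JDK checks the ticket
                if (outToken != null)   // step 6: output token for mutual auth or another round trip
                    resp.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(outToken));
                if (!ctx.isEstablished()) return null;
                String name = ctx.getSrcName().toString();   // client principal, e.g. "alice@EXAMPLE.COM"
                ctx.dispose();
                return name;
            });
            if (user == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            resp.getWriter().println("Authenticated as " + user);
        } catch (Exception e) {   // forged/expired ticket, wrong SPN, clock skew, missing key in keytab
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Validation here never contacts the KDC: the ticket is decrypted with the service key from the keytab, so a wrong SPN or a stale keytab (after a password reset of the service account) shows up as a `GSSException` in the catch block.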

Best Solution

There was no response for a long time. I found the answer myself from various sites on the internet and documented my experience at the link below: