I am trying to access a SharePoint website from a Java application. The SharePoint server prefers Kerberos authentication. Can you please provide an example for just the implementation of Kerberos authentication?

A: 

For Kerberos setup, I know of 3 persons who between them know all there is to know about Kerb: Spence Harbar, Bob Fox and Tom Wisnowski.

Spence is also brewing with a Kerberos wizard to set up Kerb and export setup scripts.

Check out his blog here: http://www.harbar.net/

Tom Wiznowski has sent out a white paper. http://my/sites/tomwis/Shared%20Documents/Configuring%20Kerberos%20for%20SharePoint.docx

Joel Olson has a good article here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?ID=2

But when the above is said, SharePoint only recommends Kerb for when the company already uses this. You should not install Kerberos on your company network just because of SharePoint. Kerberos is complex to set up and even though it generally is considered faster than NTLM, this is only true when you reach a certain limit of simultaneous users on your site. For a low traffic site, the huge tokens that Kerberos sends across the network actually make it slower than NTLM.

Sure there is some functionality that will only work with Kerberos (RSS feed, cubes in Excel Services, authentication of web service calls in custom code due to double hops) but trust me when I say that NTLM will do a very good job of running your MOSS also.

When the above is said, could you please specify what kind of integration you are trying to achieve from your Java application?

Are you just trying to call the web service layers of SharePoint?

hth Anders Rask

Anders Rask
+2  A: 

So just to help you broaden your search for answers a bit, there's nothing SharePoint-specific about the Kerberos authentication used here. In fact SharePoint doesn't really have its own authentication mechanisms (at least assuming we're talking about WSS 3/MOSS here). It just relies on the underlying ASP.NET/IIS authentication capabilities.

Sooo, if you're running your Java using a modern JDK, you'll probably have an easy time. See the docs on HTTP authentication mechanisms. There are some nice code snippets in there, one of which I'll reproduce for reference here. Really though, check out the link.

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

public class RunHttpSpnego {

    static final String kuser = "username"; // your account name
    static final String kpass = "password"; // your password for the account

    static class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            // I haven't checked getRequestingScheme() here, since for NTLM
            // and Negotiate, the username and password are all the same.
            System.err.println("Feeding username and password for " + getRequestingScheme());
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }

    public static void main(String[] args) throws Exception {
        Authenticator.setDefault(new MyAuthenticator());
        URL url = new URL(args[0]);
        InputStream ins = url.openConnection().getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        while((str = reader.readLine()) != null)
            System.out.println(str);
    }
}
Sam Yates
+2  A: 

Here's an example from the Javadocs of the open source SPNEGO HTTP Servlet Filter library.

The library has a client that can connect to a web server that has integrated Windows authentication turned on.

The project also has examples on how to set up your environment for Kerberos/SPNEGO authentication.

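import java.net.URL;

import net.sourceforge.spnego.SpnegoHttpURLConnection;

// Wrapper class added so the snippet compiles; the class name is arbitrary.
public class SpnegoClientExample {

    public static void main(final String[] args) throws Exception {
        // Kerberos realm/KDC settings and the JAAS login configuration
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true"); // verbose Kerberos tracing
        System.setProperty("java.security.auth.login.config", "login.conf");

        SpnegoHttpURLConnection spnego = null;

        try {
            // "spnego-client" is the login module entry name in login.conf
            spnego = new SpnegoHttpURLConnection("spnego-client", "dfelix", "myp@s5");
            spnego.connect(new URL("http://medusa:8080/index.jsp"));

            System.out.println(spnego.getResponseCode());

        } finally {
            if (null != spnego) {
                spnego.disconnect();
            }
        }
    }
}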
Pat Gonzalez
A: 

I am also looking forward to implementing this but we can't pass user name/password. We want to use the same credentials which were used to authenticate the Java application already.

Kuldeep
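
For the case raised in the last post (reusing the Kerberos ticket the user already holds instead of passing a username and password), here is an added example that is not from any of the posters or from the SPNEGO library. It uses only the JDK's JAAS and GSS-API classes; the class name `TicketCacheSpnego` and the JAAS entry name `ticket-cache` are hypothetical, and it assumes the user has a valid TGT in the ticket cache and that the JDK can find a `krb5.conf`.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class TicketCacheSpnego { // hypothetical class name
    // In-memory stand-in for a login.conf entry; no password is supplied anywhere.
    static Configuration ticketCacheOnly() {
        // useTicketCache: reuse the existing TGT; doNotPrompt: fail rather than ask for a password
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Map.of("useTicketCache", "true", "doNotPrompt", "true"));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }
    // Builds the Authorization header value for the service principal HTTP/<host>.
    static String negotiateHeader(Subject subject, String host) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName spn = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(spn, new Oid("1.3.6.1.5.5.2"), // SPNEGO mechanism
                    null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestCredDeleg(false); // do not forward the TGT to the web server
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                return "Negotiate " + Base64.getEncoder().encodeToString(token);
            } finally {
                ctx.dispose();
            }
        });
    }
    public static void main(String[] args) throws Exception {
        URL url = new URL(args[0]);
        LoginContext lc = new LoginContext("ticket-cache", null, null, ticketCacheOnly());
        lc.login(); // throws LoginException when the cache holds no usable ticket
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", negotiateHeader(lc.getSubject(), url.getHost()));
        System.out.println(conn.getResponseCode());
    }
}
```

On JDK 18 and later `Subject.doAs` is deprecated in favour of `Subject.callAs`. The example sends only the initial token and does not verify the server's reply token from `WWW-Authenticate`.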