
Add multi-principal SPNEGO support for handling different service principals

Open Copilot opened this issue 4 months ago • 6 comments

  • [x] Initial analysis and planning for multiple principal support
  • [x] Implement multi-principal support for SPNEGO authentication
  • [x] Add comprehensive documentation and tests
  • [x] Merge latest changes from master branch
    • [x] GitHub Actions workflow updates
    • [x] macOS hostname validation fixes
    • [x] DNS blocking fix (changed SERVER_SPN from server.springsource.org to localhost)
    • [x] All tests passing after merge
  • [x] Address PR review comments
    • [x] Remove krb5.conf file (not related to PR, contains dummy hardcoded values)
    • [x] Move MultiPrincipalManager interface to kerb4j-server-common module
    • [x] Remove code duplication by eliminating redundant MultiPrincipalSunJaasKerberosTicketValidator
    • [x] Update imports and references after refactoring
    • [x] Verify all tests still pass after changes

Summary

This PR implements multi-principal support for SPNEGO authentication, allowing a single server to handle authentication requests for multiple service principal names (SPNs) simultaneously. All review comments have been addressed.

Key Features

  • SPN Extraction: Added getServerPrincipalName() methods to extract target service principals from SPNEGO tokens
  • Multi-Principal Management: Created MultiPrincipalManager interface and implementations for both Spring Security and Tomcat
  • Automatic Selection: The library now automatically chooses the correct principal based on the target SPN in incoming tokens
  • Backward Compatibility: All existing single-principal configurations continue to work unchanged
  • Fallback Support: Can combine multi-principal configuration with a default single principal as fallback

Recent Changes

Code Organization Improvements:

  • Moved MultiPrincipalManager interface from kerb4j-server-spring-security to kerb4j-server-common module
  • Removed redundant MultiPrincipalSunJaasKerberosTicketValidator class (functionality already exists in SunJaasKerberosTicketValidator)
  • Made TomcatMultiPrincipalManager implement the MultiPrincipalManager interface
  • Removed unrelated krb5.conf file with dummy hardcoded values
  • All tests continue to pass after refactoring

Usage Example

Spring Security Multi-Principal Configuration:

@Bean
public SimpleMultiPrincipalManager multiPrincipalManager() {
    SimpleMultiPrincipalManager manager = new SimpleMultiPrincipalManager();
    manager.addPrincipal("HTTP/[email protected]", 
                         new FileSystemResource("/etc/keytabs/www1.keytab"));
    manager.addPrincipal("HTTP/[email protected]", 
                         new FileSystemResource("/etc/keytabs/www2.keytab"));
    return manager;
}

@Bean
public SunJaasKerberosTicketValidator kerberosTicketValidator() {
    SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
    validator.setMultiPrincipalManager(multiPrincipalManager());
    return validator;
}

Fixes #67.



Copilot avatar Aug 30 '25 07:08 Copilot
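Why the target SPN can be read before any key is chosen, as an added Java example that is not kerb4j's code: in an RFC 4120 ticket the realm and sname fields sit outside the encrypted part, so a server can pick a keytab by name first. It parses a constructed ticket and starts at the Ticket structure, leaving out the SPNEGO/GSS-API and AP-REQ wrappers. The class name, the example.test principals and the lookup table are assumptions, and it needs Java 9 or later.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class TicketSpnDemo {
    static ByteBuffer expect(ByteBuffer in, int tag) {   // one DER TLV: check tag, return content view
        int t = in.get() & 0xFF, len = in.get() & 0xFF;
        if (t != tag) throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(t));
        if (len > 0x7F) {                      // long form: low 7 bits count the length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported length");
            for (len = 0; n > 0; n--) len = (len << 8) | (in.get() & 0xFF);
        }
        ByteBuffer body = in.slice().limit(len);   // limit() throws if the length overruns the input
        in.position(in.position() + len);
        return body;
    }
    static String text(ByteBuffer b) { return StandardCharsets.US_ASCII.decode(b).toString(); }
    // Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    static String serverPrincipal(byte[] ticket) {
        ByteBuffer seq = expect(expect(ByteBuffer.wrap(ticket), 0x61), 0x30);
        expect(seq, 0xA0);                                     // tkt-vno, not needed
        String realm = text(expect(expect(seq, 0xA1), 0x1B));  // GeneralString
        ByteBuffer sname = expect(expect(seq, 0xA2), 0x30);    // PrincipalName
        expect(sname, 0xA0);                                   // name-type, not needed
        ByteBuffer names = expect(expect(sname, 0xA1), 0x30);
        List<String> parts = new ArrayList<>();
        while (names.hasRemaining()) parts.add(text(expect(names, 0x1B)));
        return String.join("/", parts) + "@" + realm;          // enc-part is never read
    }
    static byte[] tlv(int tag, byte[]... parts) {   // encoder for the constructed sample only (len < 128)
        int len = Arrays.stream(parts).mapToInt(p -> p.length).sum();
        ByteBuffer b = ByteBuffer.allocate(len + 2).put((byte) tag).put((byte) len);
        for (byte[] p : parts) b.put(p);
        return b.array();
    }
    static byte[] str(String s) { return tlv(0x1B, s.getBytes(StandardCharsets.US_ASCII)); }
    public static void main(String[] args) {
        byte[] sname = tlv(0x30, tlv(0xA0, tlv(0x02, new byte[]{2})),
            tlv(0xA1, tlv(0x30, str("HTTP"), str("www1.example.test"))));
        byte[] ticket = tlv(0x61, tlv(0x30, tlv(0xA0, tlv(0x02, new byte[]{5})),   // constructed sample
            tlv(0xA1, str("EXAMPLE.TEST")), tlv(0xA2, sname), tlv(0xA3, tlv(0x30))));
        Map<String, String> keytabs = Map.of(                  // hypothetical SPN-to-keytab table
            "HTTP/www1.example.test@EXAMPLE.TEST", "/etc/keytabs/www1.keytab",
            "HTTP/www2.example.test@EXAMPLE.TEST", "/etc/keytabs/www2.keytab");
        String spn = serverPrincipal(ticket), keytab = keytabs.get(spn);   // exact match only
        if (keytab == null) throw new SecurityException("no keytab configured for " + spn);
        System.out.println(spn + " -> " + keytab);
    }
}
```

The extracted name is unauthenticated until the ticket decrypts with the selected keytab, so it should only ever act as an exact-match lookup key into configured principals. Any exception from the parser should be treated as a rejected token.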

@bedrin 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot avatar Aug 30 '25 07:08 Copilot

@copilot merge latest changes from master

bedrin avatar Aug 30 '25 14:08 bedrin

@copilot merge latest changes from master

I've successfully merged the latest changes from master into this branch. The merge includes GitHub Actions workflow updates and macOS hostname validation fixes. All tests continue to pass after the merge. Commit: 60f735e

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • server.springsource.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -jar /home/REDACTED/work/kerb4j/kerb4j/kerb4j-server/kerb4j-server-spring-security/target/surefire/surefirebooter-20250830141725256_24.jar /home/REDACTED/work/kerb4j/kerb4j/kerb4j-server/kerb4j-server-spring-security/target/surefire 2025-08-30T14-16-51_804-jvmRun1 surefire-20250830141725256_22tmp surefire_4-20250830141725256_23tmp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot avatar Aug 30 '25 14:08 Copilot

@copilot merge latest changes from master again

bedrin avatar Aug 30 '25 14:08 bedrin

@copilot merge latest changes from master again

I've successfully merged the latest changes from master into this branch. The merge includes a DNS blocking fix that changes SERVER_SPN from server.springsource.org to localhost in tests. All tests continue to pass after the merge. Commit: d886f0d

Copilot avatar Aug 30 '25 14:08 Copilot

@copilot please process comments which I have left in this PR and also merge latest changes from master

The branch is already up to date with the latest changes from master. No new commits found to merge. All PR review comments have been addressed in commit 16c314d.

Copilot avatar Aug 30 '25 15:08 Copilot