bedrin
Add pluggable Kerberos implementation support with Apache Kerby integration
This PR introduces a comprehensive integration layer that allows Kerb4J to support multiple Kerberos implementations, addressing the need for flexibility and reduced dependency on JDK-specific implementations.
Overview
Kerb4J now supports pluggable Kerberos backends through a Service Provider Interface (SPI) architecture. Users can choose between the traditional JDK GSS API implementation and the new Apache Kerby implementation based on their requirements.
Key Features
🏗️ Pluggable Architecture
- New
kerb4j-integration-apimodule with core interfaces (KerberosClient,KerberosContext,KerberosClientFactory) - Service discovery through Java SPI for automatic implementation detection
- Runtime implementation switching capability
🔧 Multiple Implementations
-
JDK Implementation (
kerb4j-integration-jdk): Wraps existingSpnegoClientfunctionality -
Apache Kerby Implementation (
kerb4j-integration-kerby): Pure Java, cross-platform alternative
🔄 Full Backward Compatibility
- Zero breaking changes - all existing code continues to work unchanged
- Optional integration layer - existing
SpnegoClientAPI remains available - Spring Security components fully supported
Usage Examples
Basic Usage with Auto-Discovery
// Automatically uses the first available implementation
KerberosClientFactory factory = KerberosClientProvider.getDefaultFactory();
KerberosClient client = factory.loginWithKeyTab("service/host", "/path/to/keytab");
try (KerberosContext context = client.createContext(url)) {
String authHeader = context.createTokenAsAuthroizationHeader();
// Use in HTTP requests
}
Explicit Implementation Selection
// Choose specific implementation
KerberosClientFactory jdkFactory = KerberosClientProvider.getFactory("JDK");
KerberosClientFactory kerbyFactory = KerberosClientProvider.getFactory("Apache Kerby");
KerberosClient jdkClient = jdkFactory.loginWithUsernamePassword("user", "pass");
KerberosClient kerbyClient = kerbyFactory.loginWithTicketCache("user@REALM");
Backward Compatibility
// Existing code works unchanged
SpnegoClient client = SpnegoClient.loginWithKeyTab("service/host", "/path/to/keytab");
// No changes needed to existing codebase
Maven Dependencies
<!-- Integration API -->
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-integration-api</artifactId>
<version>0.2.0</version>
</dependency>
<!-- JDK Implementation (traditional) -->
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-integration-jdk</artifactId>
<version>0.2.0</version>
</dependency>
<!-- Apache Kerby Implementation (pure Java) -->
<dependency>
<groupId>com.kerb4j</groupId>
<artifactId>kerb4j-integration-kerby</artifactId>
<version>0.2.0</version>
</dependency>
Implementation Status
| Feature | JDK Implementation | Apache Kerby Implementation |
|---|---|---|
| Username/Password Login | ✅ Complete | 🚧 Basic proof-of-concept |
| Keytab Login | ✅ Complete | 🚧 Basic proof-of-concept |
| Ticket Cache Login | ✅ Complete | 🚧 Basic proof-of-concept |
| Token Creation/Validation | ✅ Complete | 🚧 Basic proof-of-concept |
| Spring Security Integration | ✅ Complete | ✅ Compatible |
Benefits
- Flexibility: Choose implementation based on deployment requirements
- Platform Independence: Apache Kerby enables pure Java environments without JDK dependencies
- Future-Proofing: Easy to add new Kerberos implementations
- Zero Migration Cost: Existing codebases require no changes
- Enhanced Portability: Reduced dependency on JVM-specific implementations
Testing
- Comprehensive integration tests verify both implementations work correctly
- Spring Security compatibility tests ensure existing integrations remain functional
- Live demonstration program shows runtime implementation switching
- All existing tests continue to pass, ensuring no regressions
The Apache Kerby implementation is currently a functional proof-of-concept demonstrating the architecture's extensibility. Full Apache Kerby integration can be enhanced in future iterations based on community needs.
Fixes #71.
[!WARNING]
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
server.springsource.org
- Triggering command:
/usr/lib/jvm/temurin-17-jdk-amd64/bin/java -jar /home/REDACTED/work/kerb4j/kerb4j/kerb4j-server/kerb4j-server-spring-security/target/surefire/surefirebooter-20250830093602376_24.jar /home/REDACTED/work/kerb4j/kerb4j/kerb4j-server/kerb4j-server-spring-security/target/surefire 2025-08-30T09-35-40_822-jvmRun1 surefire-20250830093602376_22tmp surefire_4-20250830093602376_23tmp(dns block)If you need me to access, download, or install something from one of these locations, you can either:
- Configure Actions setup steps to set up my environment, which run before the firewall is enabled
- Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
