After switching to Spring-Boot 3, the Kerberos connection no longer worked. After lengthy analysis and debugging, it turned out that the problem was not the Kerberos API (with its encryption etc.), but much simpler: there is a problem if the absolute path of the keytab file has a space.
Here is my analysis:
As in the textbook, the keytab location is passed to the validator as a resource...
SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator(); validator.setKeyTabLocation(bssSecurityConfigurationProperties.getKeyTabLocationAsResource());
After the settings, the method #afterPropertiesSet() is called in the SunJaasKerberosTicketValidator... BUT there the following sucrile is made:
String keyTabLocationAsString = this.keyTabLocation.getURL().toExternalForm(); if (keyTabLocationAsString.startsWith("file:")) { keyTabLocationAsString = keyTabLocationAsString.substring(5); }
getURL().toExternalForm() returns "%20" instead of " "...
But in the depths of the Kerberos API, more precisely in the class: sun.security.krb5.internal.ktab.KeyTab the broken URL file path is used as a normal file path:
private KeyTab(String filename) { tabName = filename; try { lastModified = new File(tabName).lastModified(); try (KeyTabInputStream kis = new KeyTabInputStream(new FileInputStream(filename))) { load(kis); } ....
IMHO: I think the error is in the lines in the #afterPropertiesSet() method. The keytab file should always be in the local file system. That is why you should not work with the tinkered URL file path.
As far as I know, a path such as "abc%20xyz/edf ghi/my.keytab" is also possible under Linux. This should also work properly in the end.
Currently I'm patching the problem by using the deprecated constructor of new URL(String), but that can't be the solution for a long time.
Many thanks for your help in advance...
Greetings Clemens
After switching to Spring-Boot 3, the Kerberos connection no longer worked. After lengthy analysis and debugging, it turned out that the problem was not the Kerberos API (with its encryption etc.), but much simpler: there is a problem if the absolute path of the keytab file has a space.
Here is my analysis:
As in the textbook, the keytab location is passed to the validator as a resource...
SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator(); validator.setKeyTabLocation(bssSecurityConfigurationProperties.getKeyTabLocationAsResource());
After the settings, the method #afterPropertiesSet() is called in the SunJaasKerberosTicketValidator... BUT there the following sucrile is made:
String keyTabLocationAsString = this.keyTabLocation.getURL().toExternalForm(); if (keyTabLocationAsString.startsWith("file:")) { keyTabLocationAsString = keyTabLocationAsString.substring(5); }
getURL().toExternalForm() returns "%20" instead of " "...
But in the depths of the Kerberos API, more precisely in the class: sun.security.krb5.internal.ktab.KeyTab the broken URL file path is used as a normal file path:
private KeyTab(String filename) { tabName = filename; try { lastModified = new File(tabName).lastModified(); try (KeyTabInputStream kis = new KeyTabInputStream(new FileInputStream(filename))) { load(kis); } ....
IMHO: I think the error is in the lines in the #afterPropertiesSet() method. The keytab file should always be in the local file system. That is why you should not work with the tinkered URL file path. As far as I know, a path such as "abc%20xyz/edf ghi/my.keytab" is also possible under Linux. This should also work properly in the end.
Currently I'm patching the problem by using the deprecated constructor of new URL(String), but that can't be the solution for a long time.
Many thanks for your help in advance... Greetings Clemens