Setting username programmatically, instead of prompt, with httpclient\kerberos

Submitted by 懵懂的女人 on 2019-12-10 12:07:48

Question


I have a linux\java6 client that will authenticate to sharepoint2010 with KERBEROS and then send HTTP REST web services using Apache Commons HttpClient 4.2.

If I run "kinit myuser@mydomain" from the command line before connecting, my client runs smoothly.

My problem is that if I don't run kinit, I get prompted for a username.

How do I authenticate programmatically without being prompted for a username and without having to run command line programs?

(I created a keytab and defined it in login.conf, so that takes care of the password prompt but not of the user prompt.)

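import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

// Class name added so the snippet compiles; it is not from the original post.
public class KerberosHttpClient {

    public static void main(String[] args) throws Exception {

        // JAAS login configuration and Kerberos realm/KDC settings
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        // Let JGSS obtain credentials through JAAS instead of the current Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory());

            // Empty credentials: the real ones come from JAAS/Kerberos
            Credentials use_jaas_creds = new Credentials() {

                public String getPassword() {
                    return null;
                }

                public Principal getUserPrincipal() {
                    return null;
                }

            };

            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(null, -1, null),
                    use_jaas_creds);

            HttpUriRequest request = new HttpGet("http://kerberoshost/");
            HttpResponse response = httpclient.execute(request);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            System.out.println("----------------------------------------");
            if (entity != null) {
                System.out.println(EntityUtils.toString(entity));
            }
            System.out.println("----------------------------------------");

            // This ensures the connection gets released back to the manager
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }
}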

Answer 1:


You have to provide the principal name in addition to the keytab file to get a fully transparent client Kerberos authentication (kinit):

 client {
   com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     keyTab="/path/to/userKeytab"
     principal="userName";
 };
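
The same keytab and principal settings can also be supplied in code rather than through login.conf. The following is an added example, not part of the original answer: the class name `KeytabJaasConfig` is hypothetical, the principal and keytab path are the placeholders used on this page, and `doNotPrompt` is added so a bad keytab fails instead of prompting.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Hypothetical helper: an in-memory JAAS configuration equivalent to the
// login.conf entry above, so no config file and no kinit are needed.
public class KeytabJaasConfig extends Configuration {
    private final AppConfigurationEntry[] entries;

    public KeytabJaasConfig(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("keyTab", keytabPath);   // password-equivalent: keep it readable by the service user only
        opts.put("principal", principal); // supplies the username that was being prompted for
        opts.put("doNotPrompt", "true");  // fail the login rather than ask on stdin
        entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts)
        };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // Same entry for every JAAS entry name, so it applies whichever
        // name the GSS layer looks up. Narrow this if other logins coexist.
        return entries;
    }

    @Override
    public void refresh() {
        // Nothing to reload: the configuration lives in memory.
    }

    public static void main(String[] args) throws Exception {
        // Placeholder principal and keytab path taken from this page.
        Configuration.setConfiguration(
            new KeytabJaasConfig("myuser@mydomain", "/path/to/userKeytab"));
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Sanity check against the KDC before issuing any HTTP request.
        LoginContext lc = new LoginContext("client");
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());
    }
}
```

Install the configuration with `Configuration.setConfiguration(...)` before the first `httpclient.execute(...)`; the `java.security.auth.login.config` property is then no longer required.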


Source: https://stackoverflow.com/questions/10923283/setting-username-programatically-instead-of-prompt-with-httpclient-kerberos
