Add Spring Security Kerberos

Move the Spring Security Kerberos Extension into Spring Security

Closes gh-17879

Author: rwinch

docs/modules/ROOT/assets/images/servlet/authentication/kerberos/drawio-kerb-cc1.png

@@ -0,0 +1,118 @@
+/*
+ * Copyright 2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.kerberos.docs;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
+import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
+import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
+import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
+import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
+import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+//tag::snippetA[]
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig {
+
+	@Value("${app.service-principal}")
+	private String servicePrincipal;
+
+	@Value("${app.keytab-location}")
+	private String keytabLocation;
+
+	@Bean
+	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+		KerberosAuthenticationProvider kerberosAuthenticationProvider = kerberosAuthenticationProvider();
+		KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider();
+		ProviderManager providerManager = new ProviderManager(kerberosAuthenticationProvider,
+				kerberosServiceAuthenticationProvider);
+
+		http
+			.authorizeHttpRequests((authz) -> authz
+				.requestMatchers("/", "/home").permitAll()
+				.anyRequest().authenticated()
+			)
+			.exceptionHandling()
+				.authenticationEntryPoint(spnegoEntryPoint())
+				.and()
+			.formLogin()
+				.loginPage("/login").permitAll()
+				.and()
+			.logout()
+				.permitAll()
+				.and()
+			.authenticationProvider(kerberosAuthenticationProvider())
+			.authenticationProvider(kerberosServiceAuthenticationProvider())
+			.addFilterBefore(spnegoAuthenticationProcessingFilter(providerManager),
+					BasicAuthenticationFilter.class);
+			return http.build();
+	}
+
+	@Bean
+	public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
+		KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
+		SunJaasKerberosClient client = new SunJaasKerberosClient();
+		client.setDebug(true);
+		provider.setKerberosClient(client);
+		provider.setUserDetailsService(dummyUserDetailsService());
+		return provider;
+	}
+
+	@Bean
+	public SpnegoEntryPoint spnegoEntryPoint() {
+		return new SpnegoEntryPoint("/login");
+	}
+
+	public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
+			AuthenticationManager authenticationManager) {
+		SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
+		filter.setAuthenticationManager(authenticationManager);
+		return filter;
+	}
+
+	@Bean
+	public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
+		KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
+		provider.setTicketValidator(sunJaasKerberosTicketValidator());
+		provider.setUserDetailsService(dummyUserDetailsService());
+		return provider;
+	}
+
+	@Bean
+	public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
+		SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
+		ticketValidator.setServicePrincipal(servicePrincipal);
+		ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
+		ticketValidator.setDebug(true);
+		return ticketValidator;
+	}
+
+	@Bean
+	public DummyUserDetailsService dummyUserDetailsService() {
+		return new DummyUserDetailsService();
+	}
+}
+//end::snippetA[]