1. Navigate to service pulls in all the dependencies you need for an application and does most of the setup for you. Choose either Gradle or Maven and the language you want to use.
2. Web container: Apache Tomcat 6.0 (Jetty and others will also work) Jersey libraries: Jersey 1.0.3 archive, which includes all the necessary libraries; Setting up the environment for Jersey. First, create a server run time for Tomcat 6.0 on Eclipse. This is the Web container for your RESTful Web application.

1. Spring Boot Disable Web Server
2. Spring Boot Apache Web Server Download

Sprint Boot web developers love DailyRazor! For over 15 years now we’ve supported the latest and popular web development technologies across multiple platforms. Java web developers loves us! JSP web developers love us. GWT web developers love us. Apache Struts developers love us! Spring MVC web developers love us! Apache Wicket web developers.

UPDATED on 23 October 2018:There is a follow-up post for this article with some additional notes, which came as a result of an email conversation with one reader, who also struggled with the quirks of Kerberos+AD+Linux+Apache combination but managed to make it work after all.

I was recently involved in configuration of Kerberos authentication for a newly deployed Apache web site, using mod_auth_kerb module. We have an Active Directory environment with the largest part of our users working on Windows 7+ computers, but the Apache web site was supposed to be running on a Linux host. I configured an Apache web site hosted on a Linux box to use Kerberos to transparently authenticate AD users connecting from Windows computers (IE and Chrome browsers). I also enabled support for both RC4 and AES256 Kerberos encryption methods, and this was the trickiest part of all. While we still support the older RC4 encryption for Kerberos in our environment because we have some legacy systems not capable of using AES encryption, it is a very good idea to ensure that all new installations support AES by default as its more secure. You can find the following statement in the official IETF description of the Microsoft implementation of the RC4 encryption for Kerberos:
It is thus RECOMMENDED not to use the RC4 encryption types defined in this document if alternative stronger encryption types, such as aes256-cts-hmac-sha1-96 [RFC3962], are available.

Overview of configuration steps

There are many Internet resources describing the configuration process for Apache + mod_auth_kerb + AD - just google for “Apache mod_auth_kerb AD” and you get tons of step-by-step instructions and guides. But in the end, I had to gather pieces of information from many different source, because there was not one guide which explained all Kerberos machinery, options and required configuration actions in sufficient details in one place. The most useful and comprehensive resources that I was able to find are listed in the end of this document.

The tested configuration process looks like that:

1. Prepare and write down the crucial configuration parameters which you will use in the next steps:
   • Apache web site FQDN (more details on this below)
   • Active Directory account to be used as the service account (service identity) for this web site
   • FQDNs of at least two AD domain controllers that you are going to use as the KDCs for the Linux box
   • The DNS name of you AD domain
2. Prepare Linux box:
   • Install krb5-user package - binaries required to configure the Linux server as a “service” per Kerberos protocol terminology
   • Install Apache 2
   • Install mod_auth_kerb Apache module
3. Run Windows tool ktpass on AD domain controller to generate and output to the console two secret keys (for AES256 and RC4 encryption methods, respectively) associated with the service account specially created in the AD to be used as the identity of the web server. At this step I deviate from most of the instructions and manuals published in the Internet, because I discard the keytab file generated by ktpass and just take the values for the secret key and key serial number (vno) that I copy from the console output of this command and use them to create required entries in the keytab file manually on the Linux box. The reason why I make it so complicated is because I found no way to generate the keytab file directly using the ktpass tool for AES cipher as either the secret key was wrong because of the salt or the key was valid but the SPN was wrong.
4. Run Windows tool setspn on AD domain controller to configure proper SPN attribute (Kerberos Service Principal Name) in the properties of the service account AD object.
5. Create a DNS record for the public FQDN of the web server (the one entered in the browser address bar). If you have a single web site on your web server then the simplest option is to make sure that the public URL of your site is the same as the FQDN of the server configured in the /etc/hosts configuration file, and create an A DNS record for this FQDN pointing directly to the server’s IP address. However, if you want to host two or more web sites on the save web server with different host headers, then the situation becomes complicated and you will have to properly configure DNS CNAME records and keytab file. One option in this case is to use the same service account identity for all web sites hosted on the web server, configure keytab file for the server’s own FQDN configured in the /etc/hosts file and create CNAME DNS aliases for your web sited pointing to the server’s FQDN. The browsers will perform DNS name canonization and will request Kerberos service tickets not for the CNAME addresses of the web sites, but for the server’s own FQDN.
6. On the Linux box, use ktutil tool (part of the krb5-user package) to create a new empty keytab file and then use its addent subcommand to add two entries for AES256 and RC4 encryption schemes using the secret keys output to the console by ktpass tool at step 3.
7. Configure host-wide Kerberos parameters for the krb5-user package by editing configuration file /etc/krb5.conf
8. Configure mod_auth_kerb Apache module parameters by editing the Apache web site configuration file (i.e., /ect/apache2/sites-enabled/000-default.conf) and adding Kerberos specific entries under the VirtualHost section.
9. Optionally enable the fall-back mechanism available in the mod_auth_kerb which allows clients which do not support Kerberos to use Basic HTTP authentication scheme instead (SECURITY WARNING! Do not enable this option unless you also enable AND force SSL/TLS for your web site.)
10. Make sure that the browsers on Windows client computers are configured to start Kerberos authentication with your web site automatically and send the cached Windows credentials (check Internet Explorer “Local intranet” zone settings) ¹.

Example configuration step-by-step

The example below has been tested on a freshly installed Ubuntu system in a mixed Windows 2008R2/2012R2 AD domain controllers environments.Change the URLs, accounts and domain names to match your own settings and it should probably work for you as well.
As we remember, from the Kerberos protocol point of view, there are three computers participating in the authentication process: KDC (domain controller), service (Apache web server) and client (Windows computer accessing the web site). In the table below, the second column specifies the computer where the configuration commands and actions for the current step must be executed. The third columns specifies whether this step is a command that you need to execute or some other type of action that you must carry out. Run all commands exactly as given in the table in Windows CMD or Linux shell prompt. I executed all Linux commands with root privileges (sudo su), but you can prefix each command with sudo if you like. Many of the command parameters and settings in the configuration files are case sensitive, so it is very important to use exactly the same case for each step as is used in the example below!

Our example is for the following fictitious configuration:

• AD domain DNS name: company.com
• AD domain controller 1: dc1.company.com
• AD domain controller 2: dc2.company.com
• Web server FQDN: webserver1.company.com
• Web site URL: http://webserver1.company.com²
• AD service account name (userPrincipalName): srvaccount1@company.com
• AD service account password³: THEpassword

krb5.conf

<Location>

Testing the results

If you correctly configured all components, you should be able to launch Internet Explorer, Edge or Chrome browser on a domain joined Windows machine and open http://webserver1.company.com without any password prompt. You can also verify if a Kerberos ticket was issued by the KDC (domain controller) to your client system to be used for authentication against the web server. Type the following command in the CMD prompt:

You should get the list of Kerberos tickets for various services that your system is talking to ¹. Find the ticket for http://webserver1.company.com and check the KerbTicket Encryption Type and Session Key Type fields. These two fields specify the encryption method that the KDC used for encrypting the issued service ticket and the requested encryption method that will be used for the session key between the client and the server, respectively ⁵.

Background information

How Kerberos authentication works

First of all, you have to define how your web site will be accessed by the clients from the DNS and IP address assignment point of view. There can be many possible configurations, and we have to know exactly how DNS records are configured and how IP connections from the clients to the web server are routed. The main thing to remember is that Kerberos clients (web browsers on Windows clients) use DNS lookups and special Kerberos protocol functionality to find out which AD account is the identity of the web server they are connecting to. In other words, they need to know the service account name for the web server in order to generate a valid Kerberos service ticket which can only be used by this particular account. The whole process looks like that:

• A user launches IE or Chrome browser on his Windows PC joined to the AD domain while being connected to the corporate network;
• He enters http://webserver.company.com in the browser address bar and presses Enter;
• The browser issues a DNS lookup for the hostname webserver.company.com;
• If the DNS server returns an A record with the IP address for webserver.company.com, it is considered to be the canonical DNS name of the web server. However if DNS replies with a CNAME (DNS alias) record for webserver.company.com and then resolves the alias to an A record with a different hostname anotherhost.company.com, then this second hostname will be considered to be the canonical DNS name of the web server, and all SPN lookups will be issued for that anotherhost.company.com FQDN and NOT for the original FQDN webserver.company.com entered in the address bar! This issue with CNAME aliases is often a major source of confusion, so it might be a good idea to look through a couple resources here and here to get the idea of the whole process. The popular approach is to only create A type DNS records for your web sites with Kerberos authentication, so that the FQDN in the address bar is directly resolved to the actual IP address of the web server or to the VIP of the load balancer if one is used.
• The browser constructs the so called SPN (Service Principal Name) the canonical DNS name it determined in the previous step. The SPNs a strings used to server as identifiers of resources and services in the network and are actually just string values in the format like that:
  • HTTP/webserver.company.com (this form of SPN identifier is commonly used for web servers)
  • HOST/server1.company.com (SPN for some generic service running on computer server1.company.com)
  • MSSQLSvc/sqlserver.company.com:1433 (SPN for MS SQL Server instance running on machine sqlserver.company.com on TCP port 1433)
• The browser issues a special Kerberos request (KRB_TGS_REQ) to its KDC specifying the SPN string as a parameter. The KDC looks through its accounts database searching for an account associated with the requested SPN. In our case KDC is an AD domain controller and it searches for a user/computer account having an LDAP attribute named servicePrincipalName with the value equal to the SPN string in the request. In corporate AD environment, the common practice is to create a separate “service” account for each distinct service/URL/web site, which is technically a regular AD user account often configured with a more relaxed password expiration policy.
• The KDC should find one and only one matching account for each SPN. In this ideal case it generates a so called Kerberos service ticket and returns it to the calling browser application in KRB_TGS_REP response. If KDC finds more than one matching account for one given SPN, it is a considered an error state and Kerberos authentication in this case won’t work. The same goes for the case if KDC cannot find any matching account at all.
• The Kerberos service ticket generated by the KDC contains in its encrypted payload some key data which can only be decrypted using the password for the account associated with the SPN. This ticket cannot be used with any other account!
• The browser sends the service ticket to the web server.
• The web process on the web server tries to decrypt the ticket it received from the browser. If we are taking about Apache running on Linux with mod_auth_kerb, it looks for a special keytab file which must be supplied by the administrator. This keytab file is essentially a small database, matching SPN strings to secret keys to be used for encryption/decryption. Its structure is like that:

• As you can see, the keytab file in our example contains two entries for the same SPN, but for two different ciphers - AES256 and RC4. And, of course, we have a separate keys of different length for each cipher. Not incidentally, our real keytab file that we are going to create will look just like that and will have two keys for two algorithms for the same one SPN of our web server. We configure it this way because in many networks both ciphers (RC4 and AES) are used simultaneously. In my organization, my own computer sometimes gets RC4 service tickets from the KDC even while the AES cipher is the preferred algorithm for recent Windows versions ⁵. Is these conditions some clients may obtain RC4 service tickets for authentication to our web server, while others may get and send to the web server AES encrypted tickets, and our web server must be able to decrypt both types.
• If the web server is able to find the matching entry in the keytab file ², it extracts from it the secret key and uses it to decrypt and verify the service ticket received from the browser. If the decryption and verification is successful then the client is deemed to be authenticated.

Different scenarios for DNS configuration and hosting multiple sites on one web server

In the table below, I outlined two possible scenarios and my recommendations for DNS and keytab configuration.

References

Notes

1. I have long been under wrong impression that browsers (IE and Chrome) can initiate Kerberos authentication with the web server only if the web server URL is added to the “Local intranet” zone where the “Automatic logon” option is enabled by default. And I also wrongly presumed that Kerberos authentication will not work from Windows machines not joined to the AD domain. But as I closely looked into this issue I realized that browsers would still be able to authenticate via Kerberos protocol if the target web site URL is not in the “Local intranet” zone, or even if the client machine is not a member of the domain at all, as long as the client has network connectivity with the KDC for all required ports. The difference is that with “Automatic logon” enabled authentication if completely transparent (100% Single Sign On) and the user is not asked for his password whereas in the opposite scenario the login/password prompt pops up in the browser. Besides, you can only see the cached Kerberos tickets via klist command in the “Automatic logon” scenario (web site in the “Local intranet” zone). Otherwise, if the user is prompted for his password by the browser, you can see in Wireshark that the Kerberos ticket is sent to the web server on the wire but klist command output won’t show it. ↩↩²↩³↩⁴↩⁵

2. It seems that the Kerberos auth module and the krb5user library are only looking for those entries in the keytab file where the hostname matches the value configured in the “/etc/hosts” file. There many possible scenarios for DNS configuration and the only one of them which is straightforward to configure is when the public FQDN for your web site matches the FQDN of your server associated with the server’s own IP address in the /etc/hosts file. The example configuration in this document describes just that scenario. However, there are other ways to configure DNS and Kerberos keytab file for your web server. Please refer to the Different scenarios for DNS configuration and hosting multiple sites on one web server section of this document for more information on this subject. Please note, that there should be a way to force mod_auth_kerb and the client library krb5-user to accept any entries in the keytab file and not only those matching the FQDN hostname configured in the /etc/hosts file. To do this, you can add KrbServiceName Any option to the / section of the apache config file, according to this resource. However, I had no luck with this option, no matter how I tried. But still, perhaps it could’ve been just the wrong version of binaries that I used and this option would still work with your setup. ↩↩²

3. There is also an option to change the password to a random value and generate keytab secret keys for this newly changed password value. In this case DO NOT use ‘-SetPass’ option and add the ‘+rndPass’ option insted. See this resource for more information. ↩

4. The mod_auth_kerb option KrbMethodK5Passwd On will enable the fallback to HTTP Basic authentication. However, as the password is not encrypted when this authentication scheme is used, this option must not be enabled if your site is accessible via plain HTTP protocol with no SSL/TLS encryption. This option, if used with mandatory SSL/TLS encryption of HTTPS traffic between the browser and the server, is the only way to authenticate clients and browser which do not support Kerberos authentication. In that respect, HTTP Basic authentication plays a role similar to that of NTLM in Microsoft Windows/IIS environment, which also serves as the fallback authentication mechanism when Kerberos cannot be used. The examples of clients, which do not support Kerberos and will require KrbMethodK5Passwd On option are mobile clients (smartphones, tablets and etc.), corporate client machines connecting to the web server over the Internet via the public IP (out of office scenario), in which case the domain controllers and the KDC service are behind the firewall and cannot be contacted ¹. ↩

5. This document describes how different encryption types are selected for different Kerberos messages and exchanges. The rules for encryption types are very complex and vary from one Windows version to another. However, there is a small hack, which can force your Windows client (tested on Windows 10) to use only the strongest available algorithm AES256 for all Kerberos exchanges. Launch regedit and add a new DWORD value DefaultEncryptionType under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters, set it to 18 (decimal) or 0x12 (hexadecimal), which will enforce AES256 encryption for Kerberos pre-authentication and make KDC use AES256 when it will be issuing service tickets. You’ll need to reboot to apply this settings. ↩↩²

1. Overview

In this quick article, we'll describe the different popular servers for Java development.

2. Web vs. Application Server

We're going to see what are the differences between a web and application servers and which Java EE specifications they support.

Simply put, the core difference is that application servers have full support for the Java EE spec, whereas web servers support a small subset of that functionality:

3. Apache Tomcat

One of the more popular web servers in the Java ecosystem is Apache Tomcat.

You can check the latest version of Apache Tomcat and the support Java version(s) on the project's website.

Here's a nice table with the exact specs Tomcat supports in each version.

You can also contribute to the project here.

4. Jetty

The Jetty web server is developed under the Eclipse Foundation.

Because it's so lightweight, it can be easily embedded in devices, frameworks, and application servers. Some of the products that use Jetty are Apache ActiveMQ, Eclipse, Google App Engine, Apache Hadoop and Atlassian Jira.

Naturally, the project is open-source and you can contribute to it here.

Let's now move on from web servers to application servers.

5. Apache TomEE

The Apache TomEE is a full application server built on top of the standard Apache Tomcat, and primarily supported by Tomitribe. You can check the website here for the latest version.

TomEE enables us to use some of the features of Java EE that aren't supported by Tomcat.

This application server is, as the name suggests, under the umbrella of the Apache Foundation.

You can contribute to the project here.

6. Oracle WebLogic

WebLogic 12 is also worth mentioning, as it's the primary application server offering from Oracle.

The latest release and supported Java versions can be found here.

7. WebSphere

IBM has also developed its own application server, called WebSphere. The latest release and supported Java versions can be found here.

Spring Boot Disable Web Server

WebSphere is not an open-source project, but it has given the WebSphere Liberty application to Eclipse – which makes some essential code of WebSphere open for developers to use and contribute to.

You can contribute to that project here.

8. WildFly

Wildfly is an open-source Java application server, developed by Red Hat.

Wildfly is gaining popularity for Java EE applications, with the latest release version to be found here.

You can also contribute to the project here.

9. Apache Geronimo

Apache Geronimo is developed by the Apache Software Foundation under the Apache license, which makes it an open-source project so we can also contribute, the same as in the previous application servers.

The latest release available can be found here.

You can contribute to the project here.

10. GlassFish

Glassfish is an open-source application server, also sponsored by Oracle. The latest release available can be found here.

You can contribute to the project here.

11. Conclusion

In this quick, list-style article, we had a very high-level look at the web and application server landscape in the Java ecosystem.

Spring Boot Apache Web Server Download