Kerberos authentication (Basic and SPNEGO)
Ruby Shell
Latest commit 28bb7b4 Jul 2, 2013 @sleeper Bump version


Kerberos/GSSAPI authentication (Basic and Negotiate) rack middleware.

Actually this middleware should (hopefully) work for standard Rack application and as a Goliath middleware.


Kerberos should be installed and configured on the server.

If you do want to share the authentication through your application, you'll need to have a Rack::Session middleware inserted before you in the loop.

Rack applications

require 'rack/auth/krb/basic_and_nego'

infinity = {|env| [200, {"Content-Type" => "text/html"}, ["Hello #{env['REMOTE_USER']}"]]}

use Rack::Session::Cookie
use Rack::Logger, ::Logger::DEBUG
use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

map '/' do
  run infinity

Goliath applications

require 'rack/session/cookie'
require 'goliath'
require 'goliath/rack/auth/krb/basic_and_nego'

class DumpHeaders < Goliath::API
  # Must be placed *before* BasicAndNego if we want it to use sessions !
  use Rack::Session::Cookie
  use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

  def on_headers(env, headers) 'received headers: ' + headers.inspect

  def response(env)
    [200, {}, "Hello #{env['REMOTE_USER']}"]

Enable authentication only for a subset of paths

You can specify a list of paths for the ones you only want the authentication process to be enabled.

use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]


use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]