Skip to content
Kerberos authentication (Basic and SPNEGO)
Ruby Shell
Latest commit 28bb7b4 Jul 1, 2013 @sleeper Bump version
Failed to load latest commit information.
lib Merge pull request #8 from ares/fix/scheme_type Jul 1, 2013
misc Fixed spec, clean-up README May 24, 2012
spec Check basic authentication with the realm If not specified and then w… Jul 1, 2013
.gitignore Preliminary version May 2, 2012
Gemfile Preliminary version May 2, 2012
Gemfile.lock Add the possibility to enable authentication process for a set of paths Nov 28, 2012


Kerberos/GSSAPI authentication (Basic and Negotiate) rack middleware.

Actually this middleware should (hopefully) work for standard Rack application and as a Goliath middleware.


Kerberos should be installed and configured on the server.

If you do want to share the authentication through your application, you'll need to have a Rack::Session middleware inserted before you in the loop.

Rack applications

require 'rack/auth/krb/basic_and_nego'

infinity = {|env| [200, {"Content-Type" => "text/html"}, ["Hello #{env['REMOTE_USER']}"]]}

use Rack::Session::Cookie
use Rack::Logger, ::Logger::DEBUG
use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

map '/' do
  run infinity

Goliath applications

require 'rack/session/cookie'
require 'goliath'
require 'goliath/rack/auth/krb/basic_and_nego'

class DumpHeaders < Goliath::API
  # Must be placed *before* BasicAndNego if we want it to use sessions !
  use Rack::Session::Cookie
  use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

  def on_headers(env, headers) 'received headers: ' + headers.inspect

  def response(env)
    [200, {}, "Hello #{env['REMOTE_USER']}"]

Enable authentication only for a subset of paths

You can specify a list of paths for the ones you only want the authentication process to be enabled.

use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]


use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]
Something went wrong with that request. Please try again.