Class SpnegoHttpFilter

java.lang.Object
  extended by net.sourceforge.spnego.SpnegoHttpFilter
All Implemented Interfaces:
javax.servlet.Filter

public final class SpnegoHttpFilter
extends Object
implements javax.servlet.Filter

HTTP Servlet Filter that provides SPNEGO authentication. It allows servlet containers such as Tomcat and JBoss to transparently (silently) authenticate HTTP clients such as Microsoft Internet Explorer (MSIE).

This feature in MSIE is sometimes referred to as single sign-on and/or Integrated Windows Authentication. In general, there are at least two authentication mechanisms that allow an HTTP server and an HTTP client to achieve single sign-on: NTLM and Kerberos/SPNEGO.

MSIE has the ability to negotiate NTLM password hashes over an HTTP session using Base64-encoded NTLMSSP messages. This is a staple feature of Microsoft's Internet Information Server (IIS). Open source libraries exist (e.g. jCIFS) that provide NTLM-based authentication capabilities to servlet containers. jCIFS uses NTLM and Microsoft's Active Directory (AD) to authenticate MSIE clients.

SpnegoHttpFilter does NOT support NTLM (tokens).

Kerberos is an authentication protocol that is implemented in AD. The protocol does not negotiate passwords between a client and a server; instead, the two parties use tokens to securely authenticate to one another over an insecure network.

SpnegoHttpFilter does support Kerberos but through the pseudo-mechanism SPNEGO.

Localhost Support
The Kerberos protocol requires that a service have a Service Principal Name (SPN) specified. However, there are some use cases where it may not be practical to specify an SPN (e.g. Tomcat running on a developer's machine). The host name localhost (http://localhost) is supported, but it must be enabled in the servlet filter's init params in the web.xml file.

Modifying the web.xml file

Here's an example configuration:
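
A filter declaration of the kind this section describes, added here as an example and not the project's own listing. The init-param names are those of the library's reference docs rather than of this page, and every value (file names, JAAS entry names, account, log level, URL pattern) is a constructed placeholder.

```xml
<!-- Added example: every param-value below is a placeholder. -->
<filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

  <!-- Kerberos and JAAS configuration files, and the JAAS entries to use -->
  <init-param><param-name>spnego.krb5.conf</param-name><param-value>krb5.conf</param-value></init-param>
  <init-param><param-name>spnego.login.conf</param-name><param-value>login.conf</param-value></init-param>
  <init-param><param-name>spnego.login.client.module</param-name><param-value>spnego-client</param-value></init-param>
  <init-param><param-name>spnego.login.server.module</param-name><param-value>spnego-server</param-value></init-param>

  <!-- Pre-authentication account the filter uses against the KDC.
       web.xml then holds a credential: restrict read access to the file. -->
  <init-param><param-name>spnego.preauth.username</param-name><param-value>SERVICE_ACCOUNT_PLACEHOLDER</param-value></init-param>
  <init-param><param-name>spnego.preauth.password</param-name><param-value>PASSWORD_PLACEHOLDER</param-value></init-param>

  <!-- Basic fallback is offered, but not over plain HTTP -->
  <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>false</param-value></init-param>
  <init-param><param-name>spnego.prompt.ntlm</param-name><param-value>true</param-value></init-param>

  <!-- Localhost support (see "Localhost Support"): true on a developer
       machine, false on a deployed server that has a registered SPN -->
  <init-param><param-name>spnego.allow.localhost</param-name><param-value>false</param-value></init-param>

  <!-- Numeric log level -->
  <init-param><param-name>spnego.logger.level</param-name><param-value>5</param-value></init-param>
</filter>

<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```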


Example usage on web page

  <html>
    <head><title>Hello SPNEGO Example</title></head>
    <body>Hello <%= request.getRemoteUser() %> !</body>
  </html>

Take a look at the reference docs for other configuration parameters.

See more usage examples at

Author: Darwin V. Felix

Nested Class Summary
static class SpnegoHttpFilter.Constants
          Defines constants and parameter names that are used in the web.xml file, and HTTP request headers, etc.
Field Summary
private  SpnegoAuthenticator authenticator
          Object for performing Basic and SPNEGO authentication.
private static Logger LOGGER
Constructor Summary
SpnegoHttpFilter()
Method Summary
 void destroy()
 void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
 void init(javax.servlet.FilterConfig filterConfig)
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail


private static final Logger LOGGER


private transient SpnegoAuthenticator authenticator
Object for performing Basic and SPNEGO authentication.

Constructor Detail


public SpnegoHttpFilter()
Method Detail


public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Filter


public void destroy()
Specified by:
destroy in interface javax.servlet.Filter


public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter