RESTful services are web applications so it can be secured with Kerberos. If you want to access the RESTful service which is secured with kerberos in windows the easiest way is to use WAFFLE to get the kerberos token and attach it in HTTP header.


1. Setup Kerberos for the RESTful server.

If you already have a RESTful application secured with Kerberos the continue with 2.Waffle Dependency else check this post for how to configure kerberos authentication for RESTful application.

Note: the above link is for securing web application basically its the same for RESTful applications.

2. Waffle Dependency

Add the following dependency to the project.




compile 'com.github.dblock.waffle:waffle-jna:1.6'


  1. If you are not using any build tool download waffle and add the jars to the classpath.

3. Client

For Client

Kerberos Token

To get the kerberos token use the following util class.

import waffle.util.Base64;

 * Client authenticator. This creates a KRB5 token for the target service.
public class WindowsAuthenticator {

    public static final String securityPackage = "Negotiate";
    public static String getKrbToken(String aTargetSPName) {
        if(null == aTargetSPName || aTargetSPName.trim().isEmpty()){
            return null;
        return Base64.encode(WindowsSecurityContextImpl.getCurrent(securityPackage, aTargetSPName).getToken());

    private WindowsAuthenticator(){

Test Client

I’m using a junit test as a client.

public void testNegoRestClient(){
    List<MediaType> acceptableMediaTypes = new ArrayList<MediaType>();
    String restURL = REST_URL+1;
    HttpHeaders headers = createNegoHeaders();
    HttpEntity<Object> entity = new HttpEntity<Object>(headers);
    ResponseEntity<RestTO> result =,
            HttpMethod.GET, entity, RestTO.class);
    RestTO restTo = result.getBody();

HttpHeaders createNegoHeaders(){
    return new HttpHeaders() {
            byte[] encodedAuth = Base64.encode(getToken());
            //The target SPN is HTTP/
            String authHeader = "Negotiate " + WindowsAuthenticator.getKrbToken("HTTP/");
            set("Authorization", authHeader);


  1. Kerberos
  2. Spring Security Kerberos
  3. Waffle