It is true that Spring's SPNEGO auth can only be used with a keytab.
However, to be more precise, a keytab is NOT essential nor required for Kerberos authentication.
It seems that, according to the spec, shared secrets are handled at the protocol level (http://tools.ietf.org/html/rfc4120).
For example, the KDC necessarily knows the password for both the client and the server.
Hence, the shared secret problem is solved.
Here's an open source project that enables single sign-on for Java web apps that does not require a keytab: