...
- Set up the following parameters before starting the server:
{code}
set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
{code}
Make sure you set "org.apache.tomcat.config.NEGOTIATE=true"; otherwise you will not be able to use SPNEGO.
- Start the server with the "geronimo.bat run" command.
- Create a realm for SPNEGO. You can also create a realm to fall back to once SPNEGO fails. For reference, here is a sample SPNEGO realm. This realm combines the SPNEGO login module with a properties-file login module: if SPNEGO authentication fails, authentication falls back to the properties realm.
{code:title=spnego_properties_realm.xml}
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>SpnegoTest</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.framework</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
      <dependency>
        <groupId>com.ibm</groupId>
        <artifactId>Spnego</artifactId>
        <version>1.0</version>
        <type>jar</type>
      </dependency>
    </dependencies>
  </environment>
  <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <attribute name="realmName">SpnegoTest</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
        <!-- First module: SPNEGO. SUFFICIENT means a success ends the login here;
             a failure continues to the next module. -->
        <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
          <log:login-domain-name>SpnegoTest</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
          <log:option name="targetName">http/pork2000test.austin.ibmxyz.com</log:option>
        </log:login-module>
        <!-- Fallback module: properties-file users and groups, consulted only when SPNEGO fails. -->
        <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
          <log:login-domain-name>demo-properties-realm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/demo_users.properties</log:option>
          <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</module>
{code}
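The two steps above (the JAVA_OPTS line and the two-module realm) are easy to get subtly wrong, so here is an added example, not part of the original page or of Geronimo itself, that checks both before the server is started. It parses the JAVA_OPTS string for the properties the text calls mandatory, reads the login-config fragment of the realm, and walks the JAAS login stack with the standard control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) to show that a SPNEGO failure really does fall back to the properties realm and that the login fails closed when both modules fail. The login-config sample is the page's own realm trimmed to its login-config element; the JAVA_OPTS string is copied from the page; function names are this example's own.

```python
"""Sanity checks for the SPNEGO + properties fallback realm described above (added example)."""
import xml.etree.ElementTree as ET

LOG_NS = "{http://geronimo.apache.org/xml/ns/loginconfig-2.0}"

# Sample input: the login-config portion of spnego_properties_realm.xml from the page.
LOGIN_CONFIG = """<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>SpnegoTest</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
    <log:option name="targetName">http/pork2000test.austin.ibmxyz.com</log:option>
  </log:login-module>
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
    <log:option name="usersURI">var/security/demo_users.properties</log:option>
    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
  </log:login-module>
</log:login-config>"""

# Sample input: the JAVA_OPTS value from the page (debug flags omitted, they are not security-relevant).
JAVA_OPTS = ("-Djava.security.krb5.conf=C:\\winnt\\krb5.ini "
             "-Djavax.security.auth.useSubjectCredsOnly=false "
             "-Dorg.apache.tomcat.config.NEGOTIATE=true")

# Properties the page says must be present, with the value they must have.
REQUIRED_PROPS = {
    "org.apache.tomcat.config.NEGOTIATE": "true",
    "javax.security.auth.useSubjectCredsOnly": "false",
}


def check_java_opts(opts_line):
    """Return a list of problems with a JAVA_OPTS string; an empty list means it is acceptable."""
    props = {}
    for tok in opts_line.split():          # values here contain no spaces, so plain split is enough
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    problems = []
    for key, want in REQUIRED_PROPS.items():
        if props.get(key, "").lower() != want:
            problems.append(f"{key} must be {want} (found {props.get(key)!r})")
    if "java.security.krb5.conf" not in props:
        problems.append("java.security.krb5.conf is not set; the JVM has no KDC/realm configuration")
    return problems


def parse_login_config(xml_text):
    """Return the JAAS stack as a list of dicts in configuration order."""
    root = ET.fromstring(xml_text)
    stack = []
    for lm in root.findall(LOG_NS + "login-module"):
        stack.append({
            "domain": lm.findtext(LOG_NS + "login-domain-name"),
            "flag": lm.get("control-flag", "REQUIRED").upper(),
            "class": lm.findtext(LOG_NS + "login-module-class"),
            "options": {o.get("name"): o.text for o in lm.findall(LOG_NS + "option")},
        })
    return stack


def evaluate_stack(stack, outcomes):
    """Apply JAAS control-flag semantics to a stack.

    outcomes maps login-domain-name -> True/False (the result that module's login() would give).
    Returns (overall_success, domains that succeeded before evaluation stopped).
    """
    required_seen = required_failed = False
    others_ok = False
    succeeded = []
    for module in stack:
        ok = outcomes[module["domain"]]
        if ok:
            succeeded.append(module["domain"])
        flag = module["flag"]
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":      # REQUISITE failure stops the stack immediately
                    return False, succeeded
        elif flag == "SUFFICIENT":
            if ok and not required_failed:   # success short-circuits; later modules are not consulted
                return True, succeeded
        elif flag == "OPTIONAL" and ok:
            others_ok = True
    if required_seen:
        return not required_failed, succeeded
    return others_ok, succeeded              # no REQUIRED/REQUISITE: some SUFFICIENT/OPTIONAL must pass


if __name__ == "__main__":
    print("JAVA_OPTS problems:", check_java_opts(JAVA_OPTS) or "none")
    stack = parse_login_config(LOGIN_CONFIG)
    for name, outcome in [("spnego ok", {"SpnegoTest": True, "demo-properties-realm": False}),
                          ("spnego fails, fallback ok", {"SpnegoTest": False, "demo-properties-realm": True}),
                          ("both fail", {"SpnegoTest": False, "demo-properties-realm": False})]:
        print(f"{name}: {evaluate_stack(stack, outcome)}")
```

The third scenario is the one worth keeping in mind when the properties realm is used as a fallback: whoever can authenticate against demo_users.properties gets in even when Kerberos is unavailable, so that file deserves the same protection as any other password store.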
...