...

  • Set up the following parameters before starting the server:
    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
    Make sure you set "-Dorg.apache.tomcat.config.NEGOTIATE=true"; otherwise you will not be able to use SPNEGO.
  • Start the server with the "geronimo.bat run" command.
  • Create a realm for SPNEGO. You can also create a realm to fall back on once SPNEGO fails. For reference, here is a sample SPNEGO
    realm. This realm is a combination of a SPNEGO realm and a properties realm: if SPNEGO authentication fails, authentication falls
    back on the properties realm.
    {code:title=spnego_properties_realm.xml|borderStyle=solid}
    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
        <environment>
            <moduleId>
                <groupId>console.realm</groupId>
                <artifactId>SpnegoTest</artifactId>
                <version>1.0</version>
                <type>car</type>
            </moduleId>
            <dependencies>
                <dependency>
                    <groupId>org.apache.geronimo.framework</groupId>
                    <artifactId>j2ee-security</artifactId>
                    <type>car</type>
                </dependency>
            </dependencies>
        </environment>
        <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <attribute name="realmName">SpnegoTest</attribute>
            <reference name="ServerInfo">
                <name>ServerInfo</name>
            </reference>
            <xml-reference name="LoginModuleConfiguration">
                <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>SpnegoTest</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                        <log:option name="targetName">http/test.xyz.com</log:option>
                    </log:login-module>
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                        <log:option name="usersURI">var/security/demo_users.properties</log:option>
                        <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                    </log:login-module>
                </log:login-config>
            </xml-reference>
        </gbean>
    </module>
    {code}
  • Develop an application and make sure you use BASIC as the authentication mechanism in its web.xml.
  • Access the protected resource of the application from the client machine. You should be able to access the resource without being prompted for a username and password.
  • Now access the protected resource from a machine that is not part of the Active Directory domain. In this case the SPNEGO login fails and authentication falls back on the properties file login module. Enter the credentials and you will be able to access the resource.
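To see how the two SUFFICIENT login modules in the realm above combine, here is an added Python example (not part of this page or of the Geronimo project) that parses the login-config and applies the JAAS control-flag rules to the three client situations the steps describe; each module's own result (Kerberos ticket accepted, properties password valid) is an assumed input, not a real Kerberos or file lookup.

```python
import xml.etree.ElementTree as ET
NS = {"log": "http://geronimo.apache.org/xml/ns/loginconfig-2.0"}
# Constructed: the login-config from spnego_properties_realm.xml without the module/gbean wrapper.
LOGIN_CONFIG = """<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>SpnegoTest</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
  </log:login-module>
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
  </log:login-module>
</log:login-config>"""


def load_chain(xml_text):
    """Return [(login-domain-name, control-flag), ...] in declaration order."""
    root = ET.fromstring(xml_text)
    return [(lm.find("log:login-domain-name", NS).text, lm.get("control-flag").upper())
            for lm in root.findall("log:login-module", NS)]


def evaluate(chain, results):
    """Apply the JAAS control-flag rules (javax.security.auth.login.Configuration) to a chain.
    results maps login-domain-name -> whether that module's login() succeeded (assumed inputs)."""
    consulted, required_failed, nonrequired_ok = [], False, False
    has_required = any(flag in ("REQUIRED", "REQUISITE") for _, flag in chain)
    for name, flag in chain:
        consulted.append(name)
        ok = results[name]
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break  # a REQUISITE failure stops the stack right away
        elif ok:
            if flag == "SUFFICIENT" and not required_failed:
                return True, consulted  # SUFFICIENT success short-circuits: the fallback is never consulted
            nonrequired_ok = True
        # a failed SUFFICIENT or OPTIONAL module simply falls through to the next one
    if required_failed:
        return False, consulted
    return (has_required or nonrequired_ok), consulted


def scenarios():
    """The three client situations described on this page, run through the chain."""
    chain = load_chain(LOGIN_CONFIG)
    return {
        "domain client, Kerberos ticket accepted": evaluate(chain, {"SpnegoTest": True, "demo-properties-realm": False}),
        "non-domain client, valid properties password": evaluate(chain, {"SpnegoTest": False, "demo-properties-realm": True}),
        "non-domain client, wrong password": evaluate(chain, {"SpnegoTest": False, "demo-properties-realm": False}),
    }
```

Because the properties module is also SUFFICIENT, a valid entry from demo_users.properties is accepted from any client, domain-joined or not; the fallback is not restricted to machines outside the domain, so that file needs the same protection as any other password store.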

...