...
- Copy the Kerberos keytab file krb5.keytab to one of the directories of your Geronimo server. The file was created during Setting up the Domain Controller Machine.
- Create a basic Kerberos configuration file named krb5.ini in order to use SPNEGO for the server. The file should be stored on the local server and contain the following keys, which define the Kerberos key distribution center (KDC) name and the realm setting for SPNEGO authentication.

  krb5.ini
  ```ini
  [libdefaults]
      default_realm = XYZ.COM
      default_keytab_name = FILE:c:\winnt\krb5.keytab
      default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
      default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
      forwardable=true

  [realms]
      XYZ.COM = {
          kdc = domaincontroller.xyz.com:88
          default_domain = xyz.com
      }

  [domain_realm]
      xyz.com= XYZ.COM
      .xyz.com = XYZ.COM
  ```
- Configure the JVM properties with the following key pairs to make sure the JVM reads the Kerberos configuration successfully.

  ```
  set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false
  ```
- Create a system-scope realm for the Geronimo server as follows. The sample code combines the SPNEGO and .properties file realms so that authentication falls back on the .properties realm once SPNEGO authentication fails. You can remove the .properties file realm if it is unnecessary.

  spnego_properties_realm.xml
  ```xml
  <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
      <environment>
          <moduleId>
              <groupId>console.realm</groupId>
              <artifactId>SpnegoTest</artifactId>
              <version>1.0</version>
              <type>car</type>
          </moduleId>
          <dependencies>
              <dependency>
                  <groupId>org.apache.geronimo.framework</groupId>
                  <artifactId>j2ee-security</artifactId>
                  <type>car</type>
              </dependency>
          </dependencies>
      </environment>
      <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <attribute name="realmName">SpnegoTest</attribute>
          <reference name="ServerInfo">
              <name>ServerInfo</name>
          </reference>
          <xml-reference name="LoginModuleConfiguration">
              <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                      <log:login-domain-name>SpnegoTest</log:login-domain-name>
                      <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                      <log:option name="targetName">http/test.xyz.com</log:option>
                      <log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option>
                      <log:option name="ldapLoginName">testuser</log:option>
                      <log:option name="ldapLoginPassword">testuser123</log:option>
                      <log:option name="searchBase">DC=xyz,DC=com</log:option>
                  </log:login-module>
                  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                      <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                      <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                      <log:option name="usersURI">var/security/demo_users.properties</log:option>
                      <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                  </log:login-module>
              </log:login-config>
          </xml-reference>
      </gbean>
  </module>
  ```
- Configure the deployment plan of your application to make sure the SPNEGO realm is invoked properly. See the sample code below for reference.

  geronimo-web.xml
  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web:web-app xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
               xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
               xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"
               xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
               xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
               xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
               xmlns:pers="http://java.sun.com/xml/ns/persistence"
               xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
               xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
               xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
      <dep:environment>
          <dep:moduleId>
              <dep:groupId>com.mycompany.samples</dep:groupId>
              <dep:artifactId>security-demo</dep:artifactId>
              <dep:version>3.0</dep:version>
              <dep:type>war</dep:type>
          </dep:moduleId>
          <dep:dependencies/>
          <dep:hidden-classes>
              <dep:filter>
                  org.apache.geronimo.security.realm.providers.SpnegoLoginModule
              </dep:filter>
          </dep:hidden-classes>
          <dep:non-overridable-classes/>
      </dep:environment>
      <web:context-root>/demo</web:context-root>
      <web:security-realm-name>SpnegoTest</web:security-realm-name>
      <sec:security>
          <sec:role-mappings>
              <sec:role role-name="content-administrator">
                  <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
                  <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="testuser@TEST.XYZ.COM"/>
              </sec:role>
              <sec:role role-name="Guest-administrator">
                  <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
              </sec:role>
          </sec:role-mappings>
      </sec:security>
  </web:web-app>
  ```
- Configure the deployment descriptor to make sure your application uses SPNEGO authentication and the respective realm provider that Geronimo server supports.

  Excerpt of web.xml
  ```xml
  <?xml version="1.0" encoding="ISO-8859-1"?>
  ...
  <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>SpnegoTest</realm-name>
      ...
  </login-config>
  ```
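The krb5.ini in the second step lists only rc4-hmac and DES encryption types, which RFC 8429 and RFC 6649 deprecate for Kerberos. The check below is an added example, not part of the original page or of Geronimo: it reads a krb5.ini with a small hand-written parser and reports the legacy enctypes so they can be replaced with AES types where the domain controller and JVM support them. The sample text is constructed from the file shown above, and the function names are illustrative.

```python
import re

# Legacy Kerberos enctype families: DES is deprecated by RFC 6649,
# 3DES and RC4 by RFC 8429.
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")

# Constructed sample, taken from the krb5.ini shown on this page.
SAMPLE_KRB5_INI = r"""
[libdefaults]
default_realm = XYZ.COM
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
forwardable=true
[realms]
XYZ.COM = {
    kdc = domaincontroller.xyz.com:88
}
"""

def parse_sections(text):
    """Return {section: {key: value}}; braces inside [realms] are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def weak_enctypes(text):
    """Map each *_enctypes key in [libdefaults] to the legacy enctypes it lists."""
    findings = {}
    for key, value in parse_sections(text).get("libdefaults", {}).items():
        if key.endswith("_enctypes"):
            listed = re.split(r"[,\s]+", value.strip())
            weak = [e for e in listed if e.lower().startswith(WEAK_PREFIXES)]
            if weak:
                findings[key] = weak
    return findings

if __name__ == "__main__":
    for key, weak in weak_enctypes(SAMPLE_KRB5_INI).items():
        print(f"{key}: legacy enctypes {', '.join(weak)}")
```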
A few very important points to note
...
- Make sure that you use Basic as the authentication mechanism in your web application if you want to configure SPNEGO with Geronimo.
- The realm provided is a combination of 2 login modules, which can easily be created through the Geronimo administrative console.
- While creating a security realm for the SPNEGO login module, you need to specify just one option, of the form "targetName=http/<fully_qualified_host_name>". Have a look at the sample realm for an idea of the option to use.
- Make sure you choose SUFFICIENT as the control-flag while creating the 2 login modules.
- Make sure you map only one user to the SPN as defined in #2 of "Setting up the Active Directory Domain Controller".
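The realm-related points above can be checked against a realm plan before deployment. The following is an added example, not part of the original page or of Geronimo: it parses the login-config element and reports any login module whose control-flag is not SUFFICIENT and any SPNEGO targetName that is not of the form http/<fully_qualified_host_name>. The sample XML is constructed from the realm shown earlier, trimmed to the relevant options, and the function name is illustrative.

```python
import re
import xml.etree.ElementTree as ET

NS = {"log": "http://geronimo.apache.org/xml/ns/loginconfig-2.0"}
SPNEGO = "org.apache.geronimo.security.realm.providers.SpnegoLoginModule"
# http/ followed by a host name with at least one dot (assumed reading of "fully qualified").
FQDN_SPN = re.compile(r"http/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed sample: the login-config from the realm plan on this page, trimmed.
SAMPLE_LOGIN_CONFIG = """\
<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>SpnegoTest</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
    <log:option name="targetName">http/test.xyz.com</log:option>
  </log:login-module>
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
    <log:option name="usersURI">var/security/demo_users.properties</log:option>
  </log:login-module>
</log:login-config>"""

def check_login_config(xml_text):
    """Return a list of findings; an empty list means the plan matches the notes."""
    findings = []
    modules = ET.fromstring(xml_text).findall(".//log:login-module", NS)
    spnego = [m for m in modules
              if m.findtext("log:login-module-class", "", NS).strip() == SPNEGO]
    if not spnego:
        findings.append("no SpnegoLoginModule in the login configuration")
    for m in modules:
        domain = m.findtext("log:login-domain-name", "?", NS).strip()
        flag = m.get("control-flag", "")
        if flag.upper() != "SUFFICIENT":
            findings.append(f"{domain}: control-flag is {flag!r}, expected SUFFICIENT")
    for m in spnego:
        opts = {o.get("name"): (o.text or "").strip()
                for o in m.findall("log:option", NS)}
        target = opts.get("targetName", "")
        if not FQDN_SPN.fullmatch(target):
            findings.append(f"targetName {target!r} is not http/<fully_qualified_host_name>")
    return findings

if __name__ == "__main__":
    print(check_login_config(SAMPLE_LOGIN_CONFIG) or "login-config matches the notes")
```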