Versions Compared

Old Version 14

changes.mady.by.user Runhua Chi

Saved on

compared with

New Version 15

changes.mady.by.user Runhua Chi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

  1. In the Internet Explorer windows, click Tools>Internet Options>Security tab.
  2. Select the Local Intranet icon and click Sites.
  3. Make sure all check boxes are selected in the Local Intranet windows, then click Advanced button.
  4. Add the URI name of the Geronimo server for example _http://test.xyz.com_Image Removed into the list Web sites so that the Single Sign-On (SSO) can be enabled, then click OK to complete this step and close the Local intranet window.
  5. On the Internet Options windows, click the Advanced tab and go to Security settings. Make sure Enable Integrated Windows Authentication(requires restart) check box is selected, then click OK to close all windows.
  6. Restart your Microsoft Internet Explorer to activate the configuration.

...

  1. Copy the Keroes keytab file krb5.keytab to one of directories of your Geronimo Server. The file was created during Setting up the Domain Controller Machine.
  2. Create a basic Kerbeores configuration file named krb5.ini in order to use the SPNEGO for the server. The files should be stored on local server and with the following keys list defining the Kerberoes key distribution center(KDC) name and the realm setting for the SPNEGO authentication.
    Code Block
    titlekrb5.ini
     
[libdefaults]
  default_realm = XYZ.COM
     default_keytab_name = FILE:c:\winnt\krb5.keytab
     default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
     default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
     forwardable=true 
[realms]
  XYZ.COM = {
        kdc = domaincontroller.xyz.com:88
        default_domain = xyz.com   
        }
[domain_realm]
  xyz.com= XYZ.COM
  .xyz.com = XYZ.COM
  3. Configure JVM properties with the following key pairs to make sure the JVM read the Kerberoes configurations successfully.
    Panel
    boderstylesolid

    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false

  4. Create a system-scope realm for the Geronimo server as followed. The sample code is a combination of SPNEGO and .properties file realms in order that the authentication will fall back on .Properties realm once the SPNEGO authentication fails. You can remove the .properties file realm if unnecessary. xml
    Code Block
    xml
    titlespnego_properties_realm.xml
    xml
    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>SpnegoTest</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" 
                 xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">SpnegoTest</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                    <log:login-domain-name>SpnegoTest</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                    <log:option name="targetName">http/test.xyz.com</log:option>
					<log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option>
					<log:option name="ldapLoginName">testuser</log:option>
					<log:option name="ldapLoginPassword">testuser123</log:option>
					<log:option name="searchBase">DC=xyz,DC=com</log:option>
                </log:login-module>
                <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                    <log:option name="usersURI">var/security/demo_users.properties</log:option>
                    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>
  5. Configure the deployment plan of your application to make sure the SPNEGO realm is invoked properly. See the sample code below for reference.
    Code Block
    xmlxml
    titlegeronimo-web.xml
    xml
    <?xml version="1.0" encoding="UTF-8"?>
<web:web-app xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"    xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" 
        xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
        xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2" 
        xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1" 
        xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
    <dep:environment>
        <dep:moduleId>
            <dep:groupId>com.mycompany.samples</dep:groupId>
            <dep:artifactId>security-demo</dep:artifactId>
            <dep:version>2.1.5</dep:version>
            <dep:type>war</dep:type>
        </dep:moduleId>
        <dep:dependencies/>
        <dep:hidden-classes>
            <dep:filter>
	        org.apache.geronimo.security.realm.providers.SpnegoLoginModule
	    </dep:filter>
        </dep:hidden-classes>
        <dep:non-overridable-classes/>
    </dep:environment>
    <web:context-root>/demo</web:context-root>
    <web:security-realm-name>SpnegoTest</web:security-realm-name>
    <sec:security>
        <sec:role-mappings>
            <sec:role role-name="content-administrator">
                <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
		<sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="testuser@TEST.XYZ.COM"/>
            </sec:role>
            <sec:role role-name="Guest-administrator">
           <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
             </sec:role>
        </sec:role-mappings>
    </sec:security>ibm.wasce
</web:web-app>
  6. Configure the deployment descriptor to make sure your application uses SPNEGO authentication and the respective realm provider that Geronimo server supports. xml
    Code Block
    xml
    titleexcerpt of web.xml
    xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
...
   <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>SpnegoTest</realm-name>
      ...
   </login-config>

...