
Using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) in Geronimo allows HTTP users to log in and authenticate only once on their desktop; after that, they receive automatic authentication from the Geronimo server. Note that the feature is only supported in Geronimo 2.1.5 or later versions.


Prerequisite

Using SPNEGO requires three distinct machines:

  • A Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain Controller and the associated Kerberos Key Distribution Center (KDC)
  • A domain member with a web browser, for example Microsoft Internet Explorer or Firefox
  • A server platform with Geronimo running

Note that the clocks on the clients, the Microsoft Active Directory Domain Controller and the Geronimo server must be synchronized to within five minutes, and all of them must be within the same domain.

Procedure

Setting up the Domain Controller Machine

  1. Create a user account in the Active Directory. Make sure that the user you create is unique and not listed in Computers or Domain Controllers. This account will eventually be mapped to the Kerberos service principal name (SPN).
  2. Map the user account to the SPN with the setspn command. Typically, an SPN looks like HTTP/<Fully_Qualified_Host_Name>. Make sure that you do not have the same SPN mapping to more than one Microsoft user account. If you map the same SPN to more than one user account, the web browser client can send an NT LAN Manager (NTLM) authentication request instead of a SPNEGO token to the Geronimo server. See Windows 2003 Technical Reference (setspn command) for more usages of the command.

     setspn -A HTTP/test.xyz.com testuser

     where
    • testuser is the user account created in step 1
    • HTTP/test.xyz.com is the unique SPN mapped to testuser; test.xyz.com is the host name of the Geronimo server.
  3. Create the Kerberos keytab file (krb5.keytab) with the ktpass command and make the file available to the Geronimo server by copying it from the Domain Controller to the Geronimo server. The keytab holds the service account's long-term key, so copy it over a protected channel and restrict read access to it on the Geronimo server. See Windows 2003 Technical Reference (ktpass command) for more usages of the command.

     ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

     where
    • HTTP/test.xyz.com@XYZ.COM is the concatenation of the user logon name and the realm name, which must be in uppercase.
    • testuser is the user account for mapping.
    • testuser123 is the password of the user testuser.
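Step 2 describes the symptom of a duplicate SPN mapping: the browser sends NTLM instead of a SPNEGO token. The following helper, an added example rather than code from the Geronimo page, classifies the token found in an "Authorization: Negotiate ..." request header so that server-side request logging or a debugging proxy can show which one arrived; the sample headers are constructed, not captures from a real server.

```python
# Added example (not from the Geronimo page): tell SPNEGO, raw Kerberos and NTLM
# tokens apart in an "Authorization: Negotiate <base64>" header.
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER OID 1.2.840.113554.1.2.2 (Kerberos V5)
NTLM_SIGNATURE = b"NTLMSSP\x00"                       # every NTLMSSP message starts with this


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(authorization_header):
    """Return 'spnego', 'kerberos', 'ntlm', 'malformed', 'unknown' or 'not-negotiate'."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    # A GSS-API InitialContextToken is [APPLICATION 0] (tag 0x60), a length, then the mech OID.
    if len(token) > 2 and token[0] == 0x60:
        pos = _skip_der_length(token, 1)
        if token.startswith(SPNEGO_OID, pos):
            return "spnego"
        if token.startswith(KRB5_OID, pos):
            return "kerberos"
    return "unknown"


def _wrap_gss(oid, inner):
    """Build a minimal InitialContextToken around a mech OID (constructed sample data)."""
    body = oid + inner
    assert len(body) < 128         # short-form DER length is enough for these samples
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample headers, not captures from a real Geronimo server.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_wrap_gss(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(_wrap_gss(KRB5_OID, b"\x01\x00")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(16)).decode()
SAMPLE_BASIC = "Basic Zm9v"

if __name__ == "__main__":
    for name, hdr in [("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM), ("basic", SAMPLE_BASIC)]:
        print(name, "->", classify_negotiate_token(hdr))
```

If the classifier reports "ntlm" for a domain-joined client that should be using SPNEGO, re-check the SPN mapping with setspn before looking anywhere else.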

Setting up the Client Application Machine

On client machines, the web browser is responsible for generating the SPNEGO token that is presented to the Geronimo server on the user's behalf. Perform the following configuration for your browser. Note that the resources on the Geronimo server can only be accessed through the domain name of the Geronimo server, and the client machines must be members of the domain.

Enable SPNEGO authentication in Microsoft Internet Explorer browser

  1. In the Internet Explorer window, click Tools > Internet Options > Security tab.
  2. Select the Local Intranet icon and click Sites.
  3. Make sure all check boxes are selected in the Local Intranet window, then click the Advanced button.
  4. Add the URI of the Geronimo server, for example http://test.xyz.com, into the list of Web sites so that Single Sign-On (SSO) can be enabled, then click OK to complete this step and close the Local intranet window.
  5. On the Internet Options window, click the Advanced tab and go to Security settings. Make sure the Enable Integrated Windows Authentication (requires restart) check box is selected, then click OK to close all windows.
  6. Restart your Microsoft Internet Explorer to activate the configuration.

...

Enable SPNEGO authentication in Firefox

  1. In the URL address bar of your Firefox browser, type about:config and press the Enter key.
  2. In the following window, type network.nego in the Filter box.
  3. Double click network.negotiate-auth.trusted-uris and add http://,https:// in the pop-up window, then click OK to close the window.
  4. Double click network.negotiate-auth.delegation-uris and add http://,https:// in the pop-up window, then click OK to close the window.
  5. Restart your Firefox to activate the configuration.

Note that the value http://,https:// matches every http and https site, so the browser will send Negotiate tokens to (and, for delegation-uris, forward the user's Kerberos credentials to) any server that asks for them; listing only the Geronimo server host, for example test.xyz.com, limits this to the server you configured.

...

Setting up the Geronimo server

  1. Copy the Kerberos keytab file krb5.keytab to one of the directories of your Geronimo server. The file was created during Setting up the Domain Controller Machine.
  2. Create a basic Kerberos configuration file named krb5.ini in order to use SPNEGO for the server. The file should be stored on the local server and contain the following keys, which define the Kerberos key distribution center (KDC) name and the realm settings for SPNEGO authentication.
    Code Block: krb5.ini

    [libdefaults]
      default_realm = XYZ.COM
      default_keytab_name = FILE:c:\winnt\krb5.keytab
      default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
      default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
      forwardable = true
    [realms]
      XYZ.COM = {
        kdc = domaincontroller.xyz.com:88
        default_domain = xyz.com
      }
    [domain_realm]
      xyz.com = XYZ.COM
      .xyz.com = XYZ.COM

...

  3. Configure the JVM properties with the following key pairs to make sure the JVM reads the Kerberos configuration successfully. The two com.ibm.security.* options are IBM JDK debug switches; useSubjectCredsOnly=false lets JGSS obtain credentials from the keytab instead of only from the caller's Subject.

    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false

...

  4. Create a system-scope realm for the Geronimo server as follows. The sample code is a combination of SPNEGO and .properties file realms, so that authentication falls back on the .properties realm once SPNEGO authentication fails. You can remove the .properties file realm if it is unnecessary.
    Code Block: spnego_properties_realm.xml

    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
        <environment>
            <moduleId>
                <groupId>console.realm</groupId>
                <artifactId>SpnegoTest</artifactId>
                <version>1.0</version>
                <type>car</type>
            </moduleId>
            <dependencies>
                <dependency>
                    <groupId>org.apache.geronimo.framework</groupId>
                    <artifactId>j2ee-security</artifactId>
                    <type>car</type>
                </dependency>
            </dependencies>
        </environment>
        <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType"
                     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <attribute name="realmName">SpnegoTest</attribute>
            <reference name="ServerInfo">
                <name>ServerInfo</name>
            </reference>
            <xml-reference name="LoginModuleConfiguration">
                <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>SpnegoTest</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                        <log:option name="targetName">http/test.xyz.com</log:option>
                        <log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option>
                        <log:option name="ldapLoginName">testuser</log:option>
                        <log:option name="ldapLoginPassword">testuser123</log:option>
                        <log:option name="searchBase">DC=xyz,DC=com</log:option>
                    </log:login-module>
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                        <log:option name="usersURI">var/security/demo_users.properties</log:option>
                        <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                    </log:login-module>
                </log:login-config>
            </xml-reference>
        </gbean>
    </module>
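The same names recur across the setspn SPN, the ktpass principal, krb5.ini and the realm's targetName option, and the page requires them to agree (uppercase realm, one SPN, matching host). The following checker is an added example, not code from the Geronimo page; parse_krb5_ini and check_spnego_names are my own helpers, and the embedded krb5.ini is constructed from the page's values.

```python
# Added example, not from the Geronimo page: cross-check the names that this setup
# requires to agree (setspn SPN, ktpass principal, realm targetName, krb5.ini realm).
import re


def parse_krb5_ini(text):
    """Parse the krb5.ini subset used here: [sections], key = value, REALM = { ... }."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, sub = m.group(1), None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":
                sub, conf[section][key] = key, {}
            elif sub is not None:
                conf[section][sub][key] = val
            else:
                conf[section][key] = val
    return conf


def check_spnego_names(spn, principal, target_name, krb5_ini_text):
    """Return the mismatches found; an empty list means the four places agree."""
    conf, problems = parse_krb5_ini(krb5_ini_text), []
    princ_spn, _, realm = principal.partition("@")
    if princ_spn.lower() != spn.lower():
        problems.append(f"ktpass -princ {princ_spn} does not match setspn SPN {spn}")
    if not realm or realm != realm.upper():
        problems.append(f"realm '{realm}' must be present and uppercase")
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("krb5.ini default_realm differs from the ktpass realm")
    if realm not in conf.get("realms", {}):
        problems.append(f"krb5.ini has no [realms] entry for {realm}")
    if target_name.lower() != spn.lower():
        problems.append(f"targetName {target_name} does not match SPN {spn}")
    domain = spn.partition("/")[2].partition(".")[2]  # test.xyz.com -> xyz.com
    dom_map = conf.get("domain_realm", {})
    if realm not in (dom_map.get(domain), dom_map.get("." + domain)):
        problems.append(f"[domain_realm] does not map {domain} to {realm}")
    return problems


# Constructed sample built from the page's values (not a file taken from a real server).
SAMPLE_KRB5_INI = ("[libdefaults]\n default_realm = XYZ.COM\n"
                   "[realms]\n XYZ.COM = {\n  kdc = domaincontroller.xyz.com:88\n }\n"
                   "[domain_realm]\n xyz.com = XYZ.COM\n .xyz.com = XYZ.COM\n")
```

Run check_spnego_names("HTTP/test.xyz.com", "HTTP/test.xyz.com@XYZ.COM", "http/test.xyz.com", SAMPLE_KRB5_INI) against the page's values and it returns an empty list; a lowercase realm or a targetName for a different host is reported before you spend time on the browser side.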
    

...

  5. Configure the deployment plan of your application to make sure the SPNEGO realm is invoked properly. See the sample code below for reference.
    Code Block: geronimo-web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web:web-app xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
            xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
            xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
            xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
            xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
        <dep:environment>
            <dep:moduleId>
                <dep:groupId>com.mycompany.samples</dep:groupId>
                <dep:artifactId>security-demo</dep:artifactId>
                <dep:version>2.1.5</dep:version>
                <dep:type>war</dep:type>
            </dep:moduleId>
            <dep:dependencies/>
            <dep:hidden-classes>
                <dep:filter>
                    org.apache.geronimo.security.realm.providers.SpnegoLoginModule
                </dep:filter>
            </dep:hidden-classes>
            <dep:non-overridable-classes/>
        </dep:environment>
        <web:context-root>/demo</web:context-root>
        <web:security-realm-name>SpnegoTest</web:security-realm-name>
        <sec:security>
            <sec:role-mappings>
                <sec:role role-name="content-administrator">
                    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
                    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="testuser@TEST.XYZ.COM"/>
                </sec:role>
                <sec:role role-name="Guest-administrator">
                    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/>
                </sec:role>
            </sec:role-mappings>
        </sec:security>
    </web:web-app>
    

...

  6. Configure the deployment descriptor to make sure your application uses SPNEGO authentication and the respective realm provider that the Geronimo server supports.
    Code Block: excerpt of web.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    ...
       <login-config>
          <auth-method>SPNEGO</auth-method>
          <realm-name>SpnegoTest</realm-name>
          ...
       </login-config>
    

...

A few very important points to note

  • Make sure that you use Basic as the authentication mechanism in your web application if you want to configure SPNEGO with Geronimo.
  • The realm provided is a combination of 2 login modules, which can be easily created through the Geronimo administrative console.
  • While you are creating a security realm for the SPNEGO login module you need to specify just one option, of the form "targetName=http/<fully_qualified_host_name>". Have a look at the sample realm; it will give you an idea of the option to be used.
  • Make sure you choose SUFFICIENT as the control-flag while creating the 2 login modules.
  • Make sure you map only one user to the SPN, as defined in #2 of "Setting up the Active Directory Domain Controller".