This sets up your client machine. Make sure you log in to the client machine with an account in the Active Directory domain.

Setting up your Geronimo server machine

  • Make sure you log in to this machine with an Active Directory domain account.
  • Install Geronimo on the server machine.
  • Copy the krb5.keytab created in step 3 of "Setting up the Active Directory Domain Controller" to C:/winnt on the server machine.
  • Copy the krb5.ini file to C:/winnt on the server machine. The default_keytab_name entry must point at the keytab you just copied. A sample krb5.ini for your reference follows; note that the des-cbc-* enctypes it lists are obsolete and disabled by default on current domain controllers, so on a modern domain list aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 first and drop DES.
    krb5.ini:
    
    [libdefaults]
    default_realm = XYZ.COM
    default_keytab_name = FILE:c:\winnt\krb5.keytab
    default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
    default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
    forwardable=true
    
    
    [realms]
    XYZ.COM = {
     		kdc = ram1.xyz.com:88
    }
    
    [domain_realm]
    xyz.com= XYZ.COM
    .xyz.com = XYZ.COM
    
  • Set the following parameters before starting the server:
    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
    Make sure "org.apache.tomcat.config.NEGOTIATE=true" is set; it is what enables the Negotiate challenge, and without it SPNEGO is never attempted. "javax.security.auth.useSubjectCredsOnly=false" lets JGSS pick up the service key from the keytab named in krb5.ini. The two IBM "Debug=all" options turn on JGSS and Kerberos tracing, which is useful while troubleshooting and can be removed afterwards.
  • Start the server with the "geronimo.bat run" command.
  • Create a security realm for SPNEGO. You can add a second login module as a fallback for when SPNEGO fails. The sample realm below
    combines the SPNEGO login module with a properties-file login module: if SPNEGO authentication fails, authentication falls back to
    the properties file.
    spnego_properties_realm.xml:

    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
      <environment>
        <moduleId>
          <groupId>console.realm</groupId>
          <artifactId>SpnegoTest</artifactId>
          <version>1.0</version>
          <type>car</type>
        </moduleId>
        <dependencies>
          <dependency>
            <groupId>org.apache.geronimo.framework</groupId>
            <artifactId>j2ee-security</artifactId>
            <type>car</type>
          </dependency>
          <!-- jar that the SPNEGO login module needs -->
          <dependency>
            <groupId>com.ibm</groupId>
            <artifactId>Spnego</artifactId>
            <version>1.0</version>
            <type>jar</type>
          </dependency>
        </dependencies>
      </environment>
      <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
             xsi:type="dep:gbeanType"
             xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">SpnegoTest</attribute>
        <reference name="ServerInfo">
          <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
          <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
            <!-- SPNEGO first: SUFFICIENT, so success ends the login and failure falls through -->
            <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
              <log:login-domain-name>SpnegoTest</log:login-domain-name>
              <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
              <!-- service principal name whose key is in krb5.keytab -->
              <log:option name="targetName">http/pork2000.austin.ibm.com</log:option>
            </log:login-module>
            <!-- fallback: username and password checked against the properties files -->
            <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
              <log:login-domain-name>demo-properties-realm</log:login-domain-name>
              <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
              <log:option name="usersURI">var/security/demo_users.properties</log:option>
              <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
            </log:login-module>
          </log:login-config>
        </xml-reference>
      </gbean>
    </module>
  • Develop an application and make sure its web.xml uses BASIC as the authentication mechanism.
  • Access a protected resource of the application from the client machine, using the fully qualified host name from the SPN in the URL (a request by IP address, or to a host the browser does not treat as an intranet site, will not get a Kerberos ticket). You should reach the resource without any prompt for a username and password.
  • Now access the protected resource from a machine that is not part of the Active Directory domain. The SPNEGO login fails and authentication falls back to the properties-file login module; enter the credentials and you will reach the resource. Because BASIC sends the password merely base64-encoded, expose this fallback only over HTTPS.
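As an added example (not the page's or Geronimo's own code), the Python below models what the realm above does with an incoming request: it parses the Authorization header, tells a Kerberos SPNEGO token apart from NTLM (which a browser outside the domain may send under the same Negotiate scheme), and evaluates the two login modules with the JAAS control-flag rules. The Kerberos acceptor is a labelled stand-in, since validating a real ticket needs the KDC and the keytab; the header parsing, token classification, properties-file module and flag logic are real. The principal alice@XYZ.COM, the demo_users.properties contents and both tokens are constructed for the example.

```python
"""Added example, not code from the Geronimo page: the server-side decision
between a Negotiate (SPNEGO) credential and the Basic fallback, driven by the
JAAS control-flag rules that the SUFFICIENT + SUFFICIENT realm relies on."""
import base64
import hmac

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2
NTLMSSP = b"NTLMSSP\x00"                         # signature of every NTLM message
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_authorization(header):
    """Split an Authorization header into ('negotiate', raw_token) or ('basic', (user, pw))."""
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "negotiate":
        return "negotiate", base64.b64decode(value)
    if scheme == "basic":
        user, _, pw = base64.b64decode(value).decode("utf-8").partition(":")
        return "basic", (user, pw)
    raise ValueError("unsupported authentication scheme: " + scheme)

def classify_token(raw):
    """A browser without a Kerberos ticket (e.g. outside the domain) may send NTLM
    inside 'Negotiate'; a Kerberos acceptor must fail on it so the chain falls through."""
    if raw.startswith(NTLMSSP):
        return "ntlm"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:12]:  # GSS-API InitialContextToken
        return "spnego"
    return "unknown"

def login(modules, credential):
    """JAAS control-flag evaluation over [(flag, module)]. A module returns a
    principal name on success or None on failure. Returns the first successful
    principal, or None when the overall login fails."""
    required_failed = False
    first_success = None
    for flag, module in modules:
        principal = module(credential)
        if principal is not None:
            first_success = first_success or principal
            if flag == SUFFICIENT and not required_failed:
                return principal      # SUFFICIENT success short-circuits the chain
        elif flag == REQUISITE:
            return None               # REQUISITE failure aborts immediately
        elif flag == REQUIRED:
            required_failed = True    # later modules still run, but the login fails
    return None if required_failed else first_success

def make_spnego_module(accept_kerberos):
    """Stand-in for SpnegoLoginModule. The real module hands the token to GSS-API
    with the http/<host> key from the keytab; that step needs a KDC, so the
    acceptor is injected here."""
    def module(credential):
        if credential[0] != "negotiate" or classify_token(credential[1]) != "spnego":
            return None
        return accept_kerberos(credential[1])
    return module

def make_properties_module(users_text):
    """Stand-in for PropertiesFileLoginModule over a 'user=password' file."""
    users = {}
    for line in users_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, secret = line.partition("=")
            users[name.strip()] = secret.strip()
    def module(credential):
        if credential[0] != "basic":
            return None
        user, password = credential[1]
        if user not in users or not hmac.compare_digest(users[user].encode(), password.encode()):
            return None
        return user
    return module

# Constructed sample data for this example (not real Kerberos or NTLM traffic):
FAKE_SPNEGO = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"  # minimal GSS framing around the SPNEGO OID
FAKE_NTLM = NTLMSSP + b"\x01\x00\x00\x00"             # shaped like an NTLM Type 1 message
DEMO_USERS = "# constructed demo_users.properties\nsystem=manager\n"

def demo_acceptor(token):
    # Stand-in for gss_accept_sec_context: accepts exactly the constructed token.
    return "alice@XYZ.COM" if token == FAKE_SPNEGO else None

# The page's realm: SPNEGO first, properties file as fallback, both SUFFICIENT.
REALM = [(SUFFICIENT, make_spnego_module(demo_acceptor)),
         (SUFFICIENT, make_properties_module(DEMO_USERS))]
# Same modules with SPNEGO marked REQUIRED: the Basic fallback can never succeed.
STRICT_REALM = [(REQUIRED, REALM[0][1]), (SUFFICIENT, REALM[1][1])]

def authenticate(realm, authorization_header):
    # Returns the authenticated principal, or None (the server then re-challenges).
    return login(realm, parse_authorization(authorization_header))
```

Running authenticate against REALM and STRICT_REALM shows why the page insists on SUFFICIENT: with the SPNEGO module marked REQUIRED, a correct Basic password from a non-domain machine still yields None, and the fallback is dead.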

A few very important points to note:

  • Use BASIC as the authentication mechanism in your web application if you want to configure SPNEGO with Geronimo.
  • The realm shown combines two login modules; the same realm can be created through the Geronimo administrative console.
  • When creating the security realm for the SPNEGO login module, you need to specify only one option, of the form "targetName=http/<fully_qualified_host_name>": the service principal name whose key is in the keytab. The sample realm shows the option in use.
  • Choose SUFFICIENT as the control flag for both login modules. If the SPNEGO module were REQUIRED, its failure would make the whole login fail and the properties-file fallback could never succeed.
  • Make sure exactly one account is mapped to the SPN, as described in step 2 of "Setting up the Active Directory Domain Controller". The KDC cannot issue a ticket for an SPN registered on more than one account, so Kerberos authentication for that service fails; "setspn -Q http/<fully_qualified_host_name>" lists the accounts that carry the SPN.
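The duplicate-SPN check has to be run against the domain with setspn, but the keytab copied to the server in step 3 can be checked offline. The following is an added example, not from the page or from Geronimo: it parses a version 0x0502 keytab (the MIT format that ktpass writes), then checks that the http/<host> principal is present, that at least one of its key enctypes is in the krb5.ini enctype list, that all its keys carry the same kvno (a mismatch usually means a stale keytab after the account password was reset), and that it is not DES-only. The host name geronimo.xyz.com, the keys and the timestamps are constructed; the realm XYZ.COM and the enctype list come from the page's krb5.ini.

```python
"""Added example, not code from the Geronimo page: read the krb5.keytab copied
to the server and check it against the enctype list in krb5.ini."""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) with their krb5.ini names
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_TYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
KRB5_INI_ENCTYPES = ["rc4-hmac", "des-cbc-md4", "des-cbc-crc"]  # default_tkt_enctypes from the page

def _counted(data, off):
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (MIT format, which ktpass writes) into dicts
    with principal, enctype, kvno, timestamp and key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot
            if size == 0:
                break
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        if end - off >= 4:             # optional 32-bit kvno after the key wins over the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "enctype": enctype,
                        "kvno": kvno, "timestamp": timestamp, "key": key})
        off = end
    return entries

def build_keytab(entries):
    """Serialize entries in the same format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name type 1 = KRB5_NT_PRINCIPAL; 8-bit kvno, enctype, key, then the 32-bit kvno
        body += struct.pack(">IIBH", 1, e["timestamp"], e["kvno"] & 0xFF, e["enctype"])
        body += struct.pack(">H", len(e["key"])) + e["key"] + struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(entries, spn, allowed_enctypes):
    """Return a list of problems; an empty list means the keytab can serve `spn`."""
    mine = [e for e in entries if e["principal"] == spn]
    if not mine:
        return ["no key for " + spn]
    problems = []
    names = {ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"]) for e in mine}
    if not names & set(allowed_enctypes):
        problems.append("no key enctype in krb5.ini list: " + ", ".join(sorted(names)))
    if len({e["kvno"] for e in mine}) > 1:
        problems.append("mixed kvno values (stale keys after a password reset?)")
    if names <= DES_TYPES:
        problems.append("only DES keys; DES is disabled by default on current domain controllers")
    return problems

# Constructed sample keytabs (keys are filler, not real secrets); the host name is assumed.
SPN = "http/geronimo.xyz.com@XYZ.COM"
SAMPLE_KEYTAB = build_keytab([
    {"principal": SPN, "enctype": 23, "kvno": 3, "timestamp": 1200000000, "key": bytes(range(16))},
    {"principal": SPN, "enctype": 1, "kvno": 3, "timestamp": 1200000000, "key": bytes(range(8))},
])
STALE_DES_KEYTAB = build_keytab([
    {"principal": SPN, "enctype": 1, "kvno": 3, "timestamp": 1200000000, "key": bytes(8)},
    {"principal": SPN, "enctype": 1, "kvno": 4, "timestamp": 1200003600, "key": bytes(8)},
])
```

Point parse_keytab at the real C:\winnt\krb5.keytab and pass the targetName from the realm (with the realm suffix) as spn; any problem it reports will show up in the server as an SPNEGO failure and a fall-through to the properties module.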