Scribd Logo
Upload

Welcome to Scribd!

  • Devconf2013JBoss Negotiation in AS7 LT Kerberos As7 130927030237 Phpapp01

    Uploaded by

    PeterFarben
    13 views23 pages
    Get Kerberos authentication working

    Original Title

    Devconf2013JBoss Negotiation in AS7 Lt Kerberos As7 130927030237 Phpapp01

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Get Kerberos authentication working

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    13 views23 pages

    Devconf2013JBoss Negotiation in AS7 LT Kerberos As7 130927030237 Phpapp01

    Uploaded by

    PeterFarben
    Get Kerberos authentication working

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 23

    JBoss Negotiation in AS7

    Get Kerberos authentication working

    Josef Cacek
    Senior QE Engineer, Red Hat
    DevConf 2013

    Agenda

    Technologies introduction

    Quickstart

    Configuration

    Troubleshooting

    Introduction: Kerberos

    ticket based network authentication protocol

    JBoss Negotiation

    Negotiation (SPNEGO) support for JBoss AS


    protocols
    Kerberos
    NTLM
    components
    authenticator a JBoss Web valve
    JAAS Login modules
    toolkit to check the configuration

    Quickstart

    https://github.com/kwart/spnego-demo
    https://github.com/kwart/kerberos-using-apacheds

    JBoss AS configuration
    $JBOSS_HOME/standalone/configuration/standalone.xml

    standalone.xml security domains (1)

    <security-domain name="host" cache-type="default">


    <authentication>
    <login-module code="Kerberos" flag="required">
    <module-option name="debug" value="true"/>
    <module-option name="storeKey" value="true"/>
    <module-option name="refreshKrb5Config" value="true"/>
    <module-option name="useKeyTab" value="true"/>
    <module-option name="doNotPrompt" value="true"/>
    <moduleoptionname="keyTab"
    value="/path/to/http.keytab"/>
    <module-option name="principal"
    value="HTTP/localhost@JBOSS.ORG"/>
    </login-module>
    </authentication>
    </security-domain>

    standalone.xml security domains (2)


    <security-domain name="SPNEGO" cache-type="default">
    <authentication>
    <login-module code="SPNEGO" flag="required">
    <module-option name="serverSecurityDomain"
    value="host"/>
    </login-module>
    </authentication>
    <mapping>
    <mapping-module code="SimpleRoles" type="role">
    <module-option name="jduke@JBOSS.ORG" value="Admin"/>
    <module-option name="hnelson@JBOSS.ORG" value="User"/>
    </mapping-module>
    </mapping>
    </security-domain>

    standalone.xml Kerberos related system properties

    <system-properties>
    <property
    name="java.security.krb5.conf"
    value="/path/to/krb5.conf"/>
    <property
    name="java.security.krb5.debug"
    value="true"/>
    <property
    name="jboss.security.disable.secdomain.option"
    value="true"/>
    </system-properties>

    Web application configuration

    WAR Web archive

    WEB-INF/web.xml

    define your security constraints and roles

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Admin</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>Admin</role-name>
    </security-role>

    WEB-INF/jboss-web.xml

    security domain

    custom authenticator

    <jboss-web>
    <security-domain>SPNEGO</security-domain>
    <valve>
    <classname>org.jboss.security.negoti
    ation.NegotiationAuthenticator</class-name>
    </valve>
    </jboss-web>

    META-INF/jboss-deployment-structure.xml

    define module dependencies

    <jboss-deployment-structure>
    <deployment>
    <dependencies>
    <module
    name="org.jboss.security.negotiation" />
    </dependencies>
    </deployment>
    </jboss-deployment-structure>

    Client configuration

    krb5.conf

    configure the realm


    [libdefaults]
    default_realm = MY-COMPANY.CZ
    [realms]
    MY-COMPANY.CZ = {
    kdc = kerberos.my-company.cz:688
    }
    [domain_realm]
    .my-company.cz = MY-COMPANY.CZ

    Use KRB5_CONFIG environment variable if you don't


    want to change system wide /etc/krb5.conf
    $ export KRB5_CONFIG=/path/to/krb5.conf

    Browser configuration allow negotiation for the domain

    Firefox use about:config in the address bar


    network.negotiate-auth.delegation-uris=.my-company.cz
    network.negotiate-auth.trusted-uris
    =.my-company.cz

    Chromium
    $ chromium-browser \
    > --auth-server-whitelist=.my-company.cz \
    > --auth-negotiate-delegate-whitelist=.my-company.cz

    And if it still doesn't work

    Pitfalls principal names

    The Service Principal Name (SPN) must follow the rule


    <service type> / <hostname> @ <realm>
    For the request
    http://my-server.my-company.cz/
    use SPN:
    HTTP/my-server.my-company.cz@MYCOMP.CZ

    Mixing IPs and hostnames usually doesn't work:


    HTTP/localhost@MYCOMP.CZ
    http://127.0.0.1/

    Pitfalls - IPv6

    HTTP:
    http://[0:0:0:0:0:0:0:1]:8080/my-app/
    HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG

    LDAP (can be used for role-mapping):


    ldap://[0:0:0:0:0:0:0:1]:389
    ldap/0:0:0:0:0:0:0:1@JBOSS.ORG

    Pitfalls - IBM Java

    host's login module

    <login-module
    code="com.ibm.security.auth.module.Krb5LoginModule"
    flag="required" >

    module options are not the same!


    krb5.conf check [libdefaults] section
    encryption support
    default_tgs_enctypes
    default_tkt_enctypes
    allow_weak_crypto
    forwardable ticktet when a client uses Krb5LoginModule
    forwardable = true

    Thank you.

    You might also like