Home > Documentation > Configuring and administering > Administering Security > Using SPNEGO in Geronimo |
Using the Simple and Protected GSS-API Negotiation Mechanism(SPNEGO) in Geronimo allows HTTP users to log in and authenticate only once in their desktop, then they can receive automatic authentication from the Geronimo server. Note that the feature is only supported in Geronimo 2.2.1 or later versions.
Using the SPNEGO requires three distinct machines:
Note that the clock on clients, Microsoft Active Directory Domain Controller and Geronimo server must be synchronized to within five minutes, and they must be within the same domain.
setspn -A HTTP/test.xyz.com testuser.
krb5.keytab
) with the command ktpass and make the file available to Geronimo server by copying it from the Domain Controller to the Geronimo server. See Windows 2003 Technical Reference (ktpass command) for more usages of the command.
ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
On client machines, the Web browsers are responsible for generating the SPNEGO token for user by the Geronimo server. Perform the following configuration for your browsers. Note that the resources on Geronimo server can only be accessible by the domain name of the Geronimo server, and the client machines must be the members of Domain.
krb5.keytab
to one of directories of your Geronimo Server. The file was created during Setting up the Domain Controller Machine.krb5.ini
in order to use the SPNEGO for the server. The files should be stored on local server and with the following keys list defining the Kerberoes key distribution center(KDC) name and the realm setting for the SPNEGO authentication.
[libdefaults] default_realm = XYZ.COM default_keytab_name = FILE:c:\winnt\krb5.keytab default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc forwardable=true [realms] XYZ.COM = { kdc = domaincontroller.xyz.com:88 default_domain = xyz.com } [domain_realm] xyz.com= XYZ.COM .xyz.com = XYZ.COM
set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2"> <environment> <moduleId> <groupId>console.realm</groupId> <artifactId>SpnegoTest</artifactId> <version>1.0</version> <type>car</type> </moduleId> <dependencies> <dependency> <groupId>org.apache.geronimo.framework</groupId> <artifactId>j2ee-security</artifactId> <type>car</type> </dependency> </dependencies> </environment> <!-- The ConfigEntry and KerberosLoginModule GBeans are not needed on IBM JVM. --> <gbean name="ConfigEntry" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <attribute name="applicationConfigName">com.sun.security.jgss.accept</attribute> <attribute name="controlFlag">REQUIRED</attribute> <reference name="Module"> <name>KerberosLoginModule</name> </reference> </gbean> <gbean name="KerberosLoginModule" class="org.apache.geronimo.security.jaas.LoginModuleGBean" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.KerberosLoginModule</attribute> <attribute name="loginDomainName">unspecified</attribute> <attribute name="options"> krb5LoginModuleClass=com.sun.security.auth.module.Krb5LoginModule krb_debug=true krb_useKeyTab=true krb_storeKey=true krb_doNotPrompt=true krb_isInitiator=false krb_keyTab=c:/winnt/krb5.keytab krb_principal=HTTP/test.xyz.com@XYZ.COM </attribute> </gbean> <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <attribute name="realmName">SpnegoTest</attribute> <reference name="ServerInfo"> <name>ServerInfo</name> </reference> <xml-reference name="LoginModuleConfiguration"> <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"> <log:login-module control-flag="SUFFICIENT" wrap-principals="false"> <log:login-domain-name>SpnegoTest</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class> <log:option name="targetName">HTTP/test.xyz.com</log:option> <log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option> <log:option name="ldapLoginName">testuser</log:option> <log:option name="ldapLoginPassword">testuser123</log:option> <log:option name="searchBase">DC=xyz,DC=com</log:option> </log:login-module> <log:login-module control-flag="SUFFICIENT" wrap-principals="false"> <log:login-domain-name>demo-properties-realm</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class> <log:option name="usersURI">var/security/demo_users.properties</log:option> <log:option name="groupsURI">var/security/demo_groups.properties</log:option> </log:login-module> </log:login-config> </xml-reference> </gbean> </module>
<?xml version="1.0" encoding="UTF-8"?> <web:web-app xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2" xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1" xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"> <dep:environment> <dep:moduleId> <dep:groupId>com.mycompany.samples</dep:groupId> <dep:artifactId>security-demo</dep:artifactId> <dep:version>2.2.1</dep:version> <dep:type>war</dep:type> </dep:moduleId> <dep:dependencies/> <dep:hidden-classes> <dep:filter> org.apache.geronimo.security.realm.providers.SpnegoLoginModule </dep:filter> </dep:hidden-classes> <dep:non-overridable-classes/> </dep:environment> <web:context-root>/demo</web:context-root> <web:security-realm-name>SpnegoTest</web:security-realm-name> <sec:security> <sec:role-mappings> <sec:role role-name="content-administrator"> <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/> <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="testuser@TEST.XYZ.COM"/> </sec:role> <sec:role role-name="Guest-administrator"> <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Domain Admins"/> </sec:role> </sec:role-mappings> </sec:security> </web:web-app>
<?xml version="1.0" encoding="ISO-8859-1"?> ... <login-config> <auth-method>SPNEGO</auth-method> <realm-name>SpnegoTest</realm-name> ... </login-config>
Bookmark this on Delicious Digg this | Privacy Policy - Copyright © 2003-2011, The Apache Software Foundation, Licensed under ASL 2.0. |