Learned a lot. Thanks.
2013/6/19 <[email protected]>

> Using SPNEGO in Geronimo
> <https://cwiki.apache.org/confluence/display/GMOxDOC22/Using+SPNEGO+in+Geronimo>
> Page *edited* by Jarek Gawor <https://cwiki.apache.org/confluence/display/~gawor>
>
> Changes (7)
> Full Content
>
> Using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
> <ftp://ftp.isi.edu/in-notes/rfc2478.txt> in Geronimo allows HTTP users to
> log in and authenticate only once on their desktop; after that they receive
> automatic authentication from the Geronimo server. Note that the feature is
> only supported in Geronimo 2.2.1 or later versions.
>
> - Prerequisite
> - Procedure
>   - Setting up the Domain Controller Machine
>   - Setting up the Client Application Machine
>     - Enable SPNEGO authentication in Microsoft Internet Explorer browser
>     - Enable SPNEGO authentication in Firefox
>   - Setting up the Geronimo server
>   - Few very important points to note
>
> Prerequisite
>
> Using SPNEGO requires three distinct machines:
>
> - A Microsoft Windows 2000 or Windows 2003 Server running the Active
>   Directory Domain Controller and the associated Kerberos Key Distribution
>   Center (KDC)
> - A domain member with an internet browser, for example Microsoft Internet
>   Explorer or Firefox
> - A server platform with Geronimo running
>
> Note that the clocks on the clients, the Microsoft Active Directory Domain
> Controller and the Geronimo server must be synchronized to within five
> minutes, and they must be within the same domain.
>
> Procedure
>
> Setting up the Domain Controller Machine
>
> 1. Create a user account in the Active Directory. Make sure that the user
>    you create is unique and not listed in Computers or Domain Controllers.
>    This account will eventually be mapped to the Kerberos service principal
>    name (SPN).
> 2. Map the user account to the SPN with the command *setspn*. Typically, an
>    SPN looks like *HTTP/<Fully_Qualified_Host_Name>*. Make sure that you do
>    not have the same SPN mapping to more than one Microsoft user account. If
>    you map the same SPN to more than one user account, the web browser
>    client can send an NT LAN Manager (NTLM) <http://en.wikipedia.org/wiki/NTLM>
>    authentication request instead of a SPNEGO token to the Geronimo server.
>    See Windows 2003 Technical Reference (setspn command)
>    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b3a029a1-7ff0-4f6f-87d2-f2e70294a576.mspx>
>    for more usages of the command.
>
>    setspn -A HTTP/test.xyz.com testuser
>
>    Where
>    - *testuser* is the user account created in step 1
>    - *HTTP/test.xyz.com* is the unique SPN mapped to *testuser*;
>      *test.xyz.com* is the host name of the Geronimo server.
> 3. Create the Kerberos keytab file (krb5.keytab) with the command *ktpass*
>    and make the file available to the Geronimo server by copying it from
>    the Domain Controller to the Geronimo server. See Windows 2003 Technical
>    Reference (ktpass command)
>    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/64042138-9a5a-4981-84e9-d576a8db0d05.mspx>
>    for more usages of the command.
>
>    ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
>
>    where
>    - *HTTP/test.xyz.com@XYZ.COM* is the concatenation of the user logon name
>      and the realm name, which must be in uppercase.
>    - *testuser* is the user account for mapping.
>    - *testuser123* is the password of the user *testuser*.
>
> Setting up the Client Application Machine
>
> On client machines, the web browsers are responsible for generating the
> SPNEGO token for the user, which is sent to the Geronimo server. Perform the
> following configuration for your browsers. Note that the resources on the
> Geronimo server can only be accessed by the domain name of the Geronimo
> server, and the client machines must be members of the Domain.
>
> Enable SPNEGO authentication in Microsoft Internet Explorer browser
>
> 1. In the Internet Explorer window, click *Tools > Internet Options >
>    Security* tab.
> 2. Select the *Local Intranet* icon and click *Sites*.
> 3. Make sure all check boxes are selected in the *Local Intranet* window,
>    then click the *Advanced* button.
> 4. Add the URI of the Geronimo server, for example _http://test.xyz.com_,
>    to the list of Web sites so that Single Sign-On (SSO) can be enabled,
>    then click *OK* to complete this step and close the *Local intranet*
>    window.
> 5. On the *Internet Options* window, click the *Advanced* tab and go to
>    *Security settings*. Make sure the *Enable Integrated Windows
>    Authentication (requires restart)* check box is selected, then click
>    *OK* to close all windows.
> 6. Restart your Microsoft Internet Explorer to activate the configuration.
>
> Enable SPNEGO authentication in Firefox
>
> 1. In the URL address bar of your Firefox browser, type *about:config* and
>    press the Enter key.
> 2. In the following window, type *network.nego* in the *Filter*.
> 3. Double click *network.negotiate-auth.trusted-uris* and add
>    http://,https:// in the pop-up window, then click *OK* to close the
>    window.
> 4. Double click *network.negotiate-auth.delegation-uris* and add
>    http://,https:// in the pop-up window, then click *OK* to close the
>    window.
> 5. Restart your Firefox to activate the configuration.
>
> Setting up the Geronimo server
>
> 1. Copy the Kerberos keytab file krb5.keytab to one of the directories of
>    your Geronimo server. The file was created during Setting up the Domain
>    Controller Machine.
> 2. Create a basic Kerberos configuration file named krb5.ini in order to
>    use SPNEGO for the server. The file should be stored on the local server
>    with the following keys, defining the Kerberos key distribution center
>    (KDC) name and the realm setting for the SPNEGO authentication.
>
>    *krb5.ini*
>
>    [libdefaults]
>    default_realm = XYZ.COM
>    default_keytab_name = FILE:c:\winnt\krb5.keytab
>    default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
>    default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
>    forwardable=true
>    [realms]
>    XYZ.COM = {
>        kdc = domaincontroller.xyz.com:88
>        default_domain = xyz.com
>    }
>    [domain_realm]
>    xyz.com = XYZ.COM
>    .xyz.com = XYZ.COM
>
> 3. Configure JVM properties with the following key pairs to make sure the
>    JVM reads the Kerberos configuration successfully.
>
>    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false
>
> 4. Create a system-scope realm for the Geronimo server as follows. The
>    sample code is a combination of SPNEGO and .properties file realms, so
>    that the authentication falls back on the .properties realm once SPNEGO
>    authentication fails. You can remove the .properties file realm if it is
>    unnecessary.
>
>    *spnego_properties_realm.xml*
>
>    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>      <environment>
>        <moduleId>
>          <groupId>console.realm</groupId>
>          <artifactId>SpnegoTest</artifactId>
>          <version>1.0</version>
>          <type>car</type>
>        </moduleId>
>        <dependencies>
>          <dependency>
>            <groupId>org.apache.geronimo.framework</groupId>
>            <artifactId>j2ee-security</artifactId>
>            <type>car</type>
>          </dependency>
>        </dependencies>
>      </environment>
>
>      <!-- The ConfigEntry and KerberosLoginModule GBeans are not needed on IBM JVM. -->
>
>      <gbean name="ConfigEntry"
>             class="org.apache.geronimo.security.jaas.DirectConfigurationEntry"
>             xsi:type="dep:gbeanType"
>             xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>        <attribute name="applicationConfigName">com.sun.security.jgss.accept</attribute>
>        <attribute name="controlFlag">REQUIRED</attribute>
>        <reference name="Module">
>          <name>KerberosLoginModule</name>
>        </reference>
>      </gbean>
>
>      <gbean name="KerberosLoginModule"
>             class="org.apache.geronimo.security.jaas.LoginModuleGBean"
>             xsi:type="dep:gbeanType"
>             xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>        <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.KerberosLoginModule</attribute>
>        <attribute name="loginDomainName">unspecified</attribute>
>        <attribute name="options">
>          krb5LoginModuleClass=com.sun.security.auth.module.Krb5LoginModule
>          krb_debug=true
>          krb_useKeyTab=true
>          krb_storeKey=true
>          krb_doNotPrompt=true
>          krb_isInitiator=false
>          krb_keyTab=c:/winnt/krb5.keytab
>          krb_principal=HTTP/test.xyz.com@XYZ.COM
>        </attribute>
>      </gbean>
>
>      <gbean name="SpnegoTest"
>             class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>             xsi:type="dep:gbeanType"
>             xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>        <attribute name="realmName">SpnegoTest</attribute>
>        <reference name="ServerInfo">
>          <name>ServerInfo</name>
>        </reference>
>        <xml-reference name="LoginModuleConfiguration">
>          <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>            <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
>              <log:login-domain-name>SpnegoTest</log:login-domain-name>
>              <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
>              <log:option name="targetName">HTTP/test.xyz.com</log:option>
>              <log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option>
>              <log:option name="ldapLoginName">testuser</log:option>
>              <log:option name="ldapLoginPassword">testuser123</log:option>
>              <log:option name="searchBase">DC=xyz,DC=com</log:option>
>            </log:login-module>
>            <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
>              <log:login-domain-name>demo-properties-realm</log:login-domain-name>
>              <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>              <log:option name="usersURI">var/security/demo_users.properties</log:option>
>              <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
>            </log:login-module>
>          </log:login-config>
>        </xml-reference>
>      </gbean>
>    </module>
>
> 5. Configure the deployment plan of your application to make sure the
>    SPNEGO realm is invoked properly. See the sample code below for
>    reference.
>
>    *geronimo-web.xml*
>
>    <?xml version="1.0" encoding="UTF-8"?>
>    <web:web-app
>        xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>        xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
>        xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"
>        xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>        xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
>        xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
>        xmlns:pers="http://java.sun.com/xml/ns/persistence"
>        xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
>        xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
>        xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
>      <dep:environment>
>        <dep:moduleId>
>          <dep:groupId>com.mycompany.samples</dep:groupId>
>          <dep:artifactId>security-demo</dep:artifactId>
>          <dep:version>2.2.1</dep:version>
>          <dep:type>war</dep:type>
>        </dep:moduleId>
>        <dep:dependencies/>
>        <dep:hidden-classes>
>          <dep:filter>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</dep:filter>
>        </dep:hidden-classes>
>        <dep:non-overridable-classes/>
>      </dep:environment>
>      <web:context-root>/demo</web:context-root>
>      <web:security-realm-name>SpnegoTest</web:security-realm-name>
>      <sec:security>
>        <sec:role-mappings>
>          <sec:role role-name="content-administrator">
>            <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>                           name="Domain Admins"/>
>            <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>                           name="[email protected]"/>
>          </sec:role>
>          <sec:role role-name="Guest-administrator">
>            <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>                           name="Domain Admins"/>
>          </sec:role>
>        </sec:role-mappings>
>      </sec:security>
>    </web:web-app>
>
> 6. Configure the deployment descriptor to make sure your application uses
>    SPNEGO authentication and the respective realm provider that the
>    Geronimo server supports.
>
>    *excerpt of web.xml*
>
>    <?xml version="1.0" encoding="ISO-8859-1"?>
>    ...
>    <login-config>
>      <auth-method>SPNEGO</auth-method>
>      <realm-name>SpnegoTest</realm-name>
>      ...
>    </login-config>
>
> Few very important points to note
>
> - Make sure that you use Basic as the authentication mechanism in your web
>   application if you want to configure Spnego with Geronimo.
> - The realm provided is a combination of 2 login modules, which can be
>   easily created through the Geronimo administrative console.
> - While you are creating a security realm for the Spnego login module you
>   need to specify just one option, of the form
>   "targetName=HTTP/<fully_qualified_host_name>". Have a look at the sample
>   realm; this will give you an idea of the option to be used.
> - Make sure you choose SUFFICIENT as the control-flag while creating the 2
>   login modules.
> - Make sure you map only one user to the SPN as defined in #2 of "Setting
>   up the Active Directory Domain Controller".

-- 
Best Regards
Gary
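Two checks worth running after working through the page quoted above, as added examples of my own (not code from the Geronimo page or project). The first reads the krb5.keytab that ktpass produces and lists each entry's principal, kvno and encryption type. The sample ktpass line uses -crypto RC4-HMAC-NT and the sample krb5.ini allows only rc4-hmac and DES enctypes; both families are deprecated (DES by RFC 6649, RC4 by RFC 8429), so on a domain controller that supports it prefer AES256 in ktpass and add aes256-cts-hmac-sha1-96 to the default_tkt_enctypes/default_tgs_enctypes lines. Assumptions: the file is keytab format 0x0502 (what ktpass, MIT and Heimdal write), the expected principal is the page's krb_principal value HTTP/test.xyz.com@XYZ.COM, and the sample keytab bytes are constructed inline with dummy key material.

```python
"""Audit the krb5.keytab that ktpass produced: list every entry's principal,
kvno and encryption type and flag deprecated DES/RC4 keys.  Added example,
not Geronimo code; understands keytab file format 0x0502 (MIT/Heimdal, also
what ktpass writes).  The sample keytab below is constructed with dummy keys."""
import struct

# Encryption type numbers (RFC 3961/3962, RFC 4757) to krb5.conf names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# DES (RFC 6649) and RC4 (RFC 8429) are deprecated; ktpass -crypto RC4-HMAC-NT writes 23.
WEAK_ENCTYPES = {1, 2, 3, 23}
KRB5_NT_PRINCIPAL = 1

def _counted(data, off):
    """Read a 16-bit-length-prefixed octet string (big-endian)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    version = struct.unpack_from(">H", data, 0)[0]
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # size excludes this field
        off += 4
        if size == 0:
            break
        if size < 0:                                     # negative size = deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)   # keyblock.type
        off += 2
        key, off = _counted(data, off)                   # keyblock.data
        vno = vno8
        if end - off >= 4:                               # optional 32-bit kvno wins
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": vno,
            "enctype": etype, "enctype_name": ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype),
            "key_len": len(key),
        })
        off = end
    return entries

def audit_keytab(data, expected_principal):
    """Return (ok, problems).  ok is True only if the SPN principal the realm
    expects is present and no entry uses a deprecated enctype."""
    entries = parse_keytab(data)
    problems = []
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append("principal %s not found in keytab" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s kvno %d uses deprecated enctype %s"
                            % (e["principal"], e["kvno"], e["enctype_name"]))
    return not problems, problems

# ---- constructed sample keytab (dummy key bytes, not real credentials) ----
def build_keytab(entries, timestamp=1371600000):
    """Serialise (principal, kvno, enctype, key) tuples in format 0x0502."""
    out = struct.pack(">H", 0x0502)
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xff)
        body += struct.pack(">H", etype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

SPN_PRINCIPAL = "HTTP/test.xyz.com@XYZ.COM"    # the page's krb_principal value
# What ktpass -crypto RC4-HMAC-NT leaves you with, plus the AES256 key to prefer.
SAMPLE_KEYTAB = build_keytab([
    (SPN_PRINCIPAL, 3, 23, b"\x11" * 16),
    (SPN_PRINCIPAL, 3, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-28s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    ok, problems = audit_keytab(SAMPLE_KEYTAB, SPN_PRINCIPAL)
    print("OK" if ok else "\n".join(problems))
```

Run it against the real file with parse_keytab(open(r"c:\winnt\krb5.keytab", "rb").read()). The kvno it prints must match the account's current key version in Active Directory: every ktpass run with -pass resets the account password, so a keytab copied to the Geronimo server before the last run is stale and the server will fail to decrypt the browser's service ticket.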
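The second check is for the caveat under step 2 of the domain-controller setup: a duplicated SPN (or a host name the browser does not treat as intranet) makes the browser send NTLM instead of a Kerberos-based SPNEGO token. This added example (my code, not part of the page or of Geronimo) decodes the Authorization: Negotiate header the browser actually sent and reports either a bare NTLMSSP blob or the mechanism list of a SPNEGO NegTokenInit. A healthy client offers a Kerberos mechanism first (MS Kerberos 1.2.840.48018.1.2.2 or Kerberos 1.2.840.113554.1.2.2); NTLMSSP first or alone means no service ticket was obtained for HTTP/test.xyz.com. The DER walker handles only the outer SPNEGO structure, and the sample headers are constructed, not captured traffic.

```python
"""Classify what a browser sent in "Authorization: Negotiate <base64>":
a raw NTLMSSP blob, a GSS-API SPNEGO NegTokenInit (with the mechanisms it
offers, in preference order), or a bare Kerberos token.  Added example, not
Geronimo code; the sample headers below are constructed, not captured."""
import base64

OID_SPNEGO  = "1.3.6.1.5.5.2"
OID_KRB5    = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS Kerberos", OID_NTLMSSP: "NTLMSSP"}

# ---- minimal DER helpers (enough for the SPNEGO outer structure) ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7f]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7f))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(value):
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7f)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def read_tlv(data, off=0):
    """Return (tag, value, offset_after_element) for the DER element at off."""
    tag, n = data[off], data[off + 1]
    off += 2
    if n & 0x80:
        k = n & 0x7f
        n = int.from_bytes(data[off:off + k], "big")
        off += k
    return tag, data[off:off + n], off + n

def _children(value):
    off, out = 0, []
    while off < len(value):
        tag, v, off = read_tlv(value, off)
        out.append((tag, v))
    return out

def classify_negotiate(header_value):
    """header_value is everything after 'Authorization: '.
    Returns (kind, mechanisms): kind is 'NTLM', 'SPNEGO', 'KRB5' or 'unknown'."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return "unknown", []
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):      # bare NTLM: no Kerberos ticket was used
        return "NTLM", ["NTLMSSP"]
    if not token or token[0] != 0x60:          # not a GSS-API InitialContextToken
        return "unknown", []                   # (later SPNEGO rounds start with 0xa1)
    _, inner, _ = read_tlv(token)
    oid_tag, oid_val, off = read_tlv(inner)
    if oid_tag != 0x06:
        return "unknown", []
    mech = decode_oid(oid_val)
    if mech in (OID_KRB5, OID_MS_KRB5):        # raw Kerberos AP-REQ, no SPNEGO wrapper
        return "KRB5", [MECH_NAMES[mech]]
    if mech != OID_SPNEGO:
        return "unknown", []
    body_tag, body, _ = read_tlv(inner, off)
    if body_tag != 0xa0:                       # NegotiationToken: negTokenInit is [0]
        return "unknown", []
    _, seq, _ = read_tlv(body)
    # NegTokenInit ::= SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], mechListMIC [3] }
    for tag, v in _children(seq):
        if tag == 0xa0:
            _, mech_list, _ = read_tlv(v)
            oids = [decode_oid(ov) for _, ov in _children(mech_list)]
            return "SPNEGO", [MECH_NAMES.get(o, o) for o in oids]
    return "SPNEGO", []

# ---- constructed sample headers -------------------------------------------
def build_neg_token_init(mech_oids, mech_token=b"\x00" * 8):
    """Build the outer GSS-API token a browser sends on the first round."""
    mech_types = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg = der(0x30, der(0xa0, mech_types) + der(0xa2, der(0x04, mech_token)))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xa0, neg))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Healthy case: Kerberos offered first (the real mechToken would be the AP-REQ).
SAMPLE_KERBEROS_FIRST = negotiate_header(build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]))
# Fallback the page warns about: NTLM is the only mechanism offered.
SAMPLE_NTLM_ONLY = negotiate_header(build_neg_token_init([OID_NTLMSSP]))
# Bare NTLMSSP NEGOTIATE_MESSAGE (signature + message type 1, rest zeroed).
SAMPLE_RAW_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)

def kerberos_was_used(header_value):
    """True only when the first mechanism offered is a Kerberos one."""
    kind, mechs = classify_negotiate(header_value)
    return kind == "KRB5" or (kind == "SPNEGO" and bool(mechs) and mechs[0] in ("Kerberos", "MS Kerberos"))

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS_FIRST, SAMPLE_NTLM_ONLY, SAMPLE_RAW_NTLM):
        print(classify_negotiate(h), kerberos_was_used(h))
```

Take the header from the browser's developer tools or an intercepting proxy on the first authenticated request; tokens from later SPNEGO round trips (NegTokenResp, leading byte 0xa1) are reported as unknown on purpose, since only the initial token shows which mechanism the client chose. If the result is NTLM or NTLMSSP-first, go back to the SPN uniqueness check in step 2 and the intranet-zone and trusted-uris settings before touching the Geronimo realm.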
