[ http://jira.nuxeo.org/browse/NXP-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=47829#action_47829 ]

Karoly Molnar commented on NXP-616:
-----------------------------------

Hi,

As far as I understand there are two ways to use Kerberos as authentication 
back-end:

1. You request the credentials from the user (username and password) and check 
them against the Kerberos server. You can get the credentials with the http 
basic auth or form based method or by any other means and then you check them 
against the Kerberos server.

With this method we end up with something like the LDAP back-end module, where 
you use the existing form-based or basic HTTP auth modules as front-end to get 
the credentials and then check them against the Kerberos back-end. There's no 
GSS-API involved in this version.

2. You request the user's Kerberos "stuff" via HTTP header and check that 
against the Kerberos server. Here you don't get possession of the username and 
the password. You are working with your own and the user's Kerberos "stuff" and 
finally you end up with an authenticated user. At this point you can trust that 
the person who made the request is who he is, and his name is going to be in 
this form: usern...@realm. Then the user properties need to be looked up (name, 
mail, etc.) in some other back-end (SQL, LDAP, etc.).

With this method we end up with something like the form-based or the basic HTTP 
authentication front-end modules.

In this case one needs to create a "HTTP/fqdn_hostname" principal in Kerberos 
and export it to a keytab readable by the web server which will then be used 
for authenticating the nuxeo service against Kerberos.
The negotiation must be enabled in the client's browser too. In FF you can do 
this by going to default:config -> filter:network.negotiate-auth.trusted-uris 
and putting the address of the web server in the property.

This is what happens:
- Browser makes the request
- Web server comes back with 401 Unauthorized and WWW-Authenticate: Negotiate 
in the header
- Browser does the Kerberos magic and sends Authorization: Negotiate with some 
Kerberos binary data (this is supported by FF and IE and does not require any 
coding, it is magic ;-)
- Web server talks to the Kerberos server and finally ends up with either an 
authenticated or a not authenticated user
- Web server replies to client with a valid page or with auth failure

Sample request captured by Live headers in FF:
http://fates.acme1.fossonline.org/

GET / HTTP/1.1
Host: fates.acme1.fossonline.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: JSESSIONID=6C361F85B185DF0FC678257A7F9DB73C

HTTP/1.x 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 40
Date: Mon, 29 Dec 2008 14:58:09 GMT
----------------------------------------------------------
http://fates.acme1.fossonline.org/

GET / HTTP/1.1
Host: fates.acme1.fossonline.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: JSESSIONID=6C361F85B185DF0FC678257A7F9DB73C
Authorization: Negotiate 
YIIChAYGKwYBBQUCoIICeDCCAnSgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggJPBIICS2CCAkcGCSqGSIb3EgECAgEAboICNjCCAjKgAwIBBaEDAgEOogcDBQAAAAAAo4IBRmGCAUIwggE+oAMCAQWhFhsUQUNNRTEuRk9TU09OTElORS5PUkeiLTAroAMCAQOhJDAiGwRIVFRQGxpmYXRlcy5hY21lMS5mb3Nzb25saW5lLm9yZ6OB7zCB7KADAgEQoQMCAQOigd8Egdwxpn/ePj6koOU9OvnoucB5GbSxOgi+JZ/MvMd9i7Qfqts9g0MlbDybfQgMC234rJWGAVyWtT26guutHTpijGTD7JJKHHsxJvqoNv5LczB/qLXLLmJD7KME2oPU5ZH5WzWioy/XJi1lXwnevVDV3xiXxUSkQD5b/AXbJt+9ARsspqRtFzLWmCCRtUguA0MJrE0hvzx+JsMXQg8eCKT6rhPxj9P8Ggl9yVqAS+R6GTOnqlO0z3c10MJd5kmkcHLb5C2PQj0yQJrbhGDTSQT+HvJXM+yaEU2KKv77jUZZpIHSMIHPoAMCARCigccEgcR7Vs2Po2HHGldfD6P0UpXesCfY4UNTOXH/BSFTINQYhAMeR5lloCRh7WboimWRylrj4pxW6ARA7Ys+YbDlsMeSt8xOZ/8eFgRiNQ9Ji2U8djaGy+abqjHVmuwR0ou9s85ZmXCtxwfUVAUKkfNeCMTiA9JQjzgI34XNY1iYvqgYzfWH4gEvrL0a7oEflaRSfrd0a8yKkpvhdqDlEU/ay+kbWhREwGUdBb2Wfm1/ayqH7fkABFJBW43g69ONonZH+37tZFhl

HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Etag: W/"138-1219713054000"
Last-Modified: Tue, 26 Aug 2008 01:10:54 GMT
Content-Type: text/html
Content-Length: 138
Date: Mon, 29 Dec 2008 14:58:09 GMT

More info on what actually happens in the background can be found on Wikipedia:
http://en.wikipedia.org/wiki/Kerberos_(protocol)#Protocol

As far as I see these two methods cannot be put into one module, since method 1 
seems to be more of a back-end functionality and method 2 seems to be a 
front-end plus partial back-end functionality.

It seems to me that you intend to implement method 1. We need method 2. 
;-)

Any comment? How can we help?

Happy Holidays and New Year,
Karoly
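As an added example (not code from the comment above, from Nuxeo, or from the NXP-616 work), the following Python script decodes the `Authorization: Negotiate` value from the Live HTTP Headers capture quoted in the comment. It walks the DER wrapping a server sees in method 2: the GSS-API InitialContextToken, the SPNEGO negTokenInit with its mechTypes list, and the Kerberos mechToken carrying an AP-REQ, and it reads the only parts of the Ticket that are not encrypted (realm and service principal name), which is exactly the `HTTP/fqdn_hostname` principal the comment says must exist in the keytab. The function and constant names (`parse_negotiate`, `handle_request`, `SERVICE_PRINCIPAL`) are my own; `handle_request` only models the 401 / `WWW-Authenticate: Negotiate` challenge and the sanity checks a server can do before handing the token to GSS-API with the keytab. It performs no cryptographic verification, so the client principal (the `user@REALM` identity) is deliberately not produced here.

```python
import base64

# Constructed input: the Authorization: Negotiate value from the capture quoted in
# the comment above. Structure: GSS-API(SPNEGO negTokenInit(mechToken = GSS-API(krb5 AP-REQ))).
NEGOTIATE_TOKEN = "YIIChAYGKwYBBQUCoIICeDCCAnSgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggJPBIICS2CCAkcGCSqGSIb3EgECAgEAboICNjCCAjKgAwIBBaEDAgEOogcDBQAAAAAAo4IBRmGCAUIwggE+oAMCAQWhFhsUQUNNRTEuRk9TU09OTElORS5PUkeiLTAroAMCAQOhJDAiGwRIVFRQGxpmYXRlcy5hY21lMS5mb3Nzb25saW5lLm9yZ6OB7zCB7KADAgEQoQMCAQOigd8Egdwxpn/ePj6koOU9OvnoucB5GbSxOgi+JZ/MvMd9i7Qfqts9g0MlbDybfQgMC234rJWGAVyWtT26guutHTpijGTD7JJKHHsxJvqoNv5LczB/qLXLLmJD7KME2oPU5ZH5WzWioy/XJi1lXwnevVDV3xiXxUSkQD5b/AXbJt+9ARsspqRtFzLWmCCRtUguA0MJrE0hvzx+JsMXQg8eCKT6rhPxj9P8Ggl9yVqAS+R6GTOnqlO0z3c10MJd5kmkcHLb5C2PQj0yQJrbhGDTSQT+HvJXM+yaEU2KKv77jUZZpIHSMIHPoAMCARCigccEgcR7Vs2Po2HHGldfD6P0UpXesCfY4UNTOXH/BSFTINQYhAMeR5lloCRh7WboimWRylrj4pxW6ARA7Ys+YbDlsMeSt8xOZ/8eFgRiNQ9Ji2U8djaGy+abqjHVmuwR0ou9s85ZmXCtxwfUVAUKkfNeCMTiA9JQjzgI34XNY1iYvqgYzfWH4gEvrL0a7oEflaRSfrd0a8yKkpvhdqDlEU/ay+kbWhREwGUdBb2Wfm1/ayqH7fkABFJBW43g69ONonZH+37tZFhl"

SPNEGO = "1.3.6.1.5.5.2"                 # RFC 4178 mechanism OID
KRB5_MECH = "1.2.840.113554.1.2.2"        # RFC 1964 Kerberos V5 mechanism OID
SERVICE_PRINCIPAL = "HTTP/fates.acme1.fossonline.org"   # the HTTP/fqdn principal from the capture


def read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside [start, end)."""
    pos = start
    while pos < min(end, len(buf)):                    # tolerate a truncated capture
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def fields(buf, start, end):
    """Map context tag number ([0], [1], ...) to the span of its explicit content."""
    return {t & 0x1F: (vs, ve) for t, vs, ve in children(buf, start, end)}


def primitive(buf, span):
    """Content bytes of the single primitive TLV found at the start of span."""
    _, s, e = read_tlv(buf, span[0])
    return buf[s:e]


def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_ap_req(inner):
    """mechToken = [APPLICATION 0] { OID krb5, TOK_ID 01 00, AP-REQ } (RFC 1964 1.1, RFC 4120 5.5.1)."""
    tag, s, _ = read_tlv(inner, 0)
    if tag != 0x60:
        raise ValueError("mechToken is not a GSS-API token")
    _, os_, oe = read_tlv(inner, s)
    mech = decode_oid(inner[os_:oe])
    tok_id = inner[oe:oe + 2]                          # 01 00 == KRB_AP_REQ
    _, s, _ = read_tlv(inner, oe + 2)                  # [APPLICATION 14] AP-REQ
    _, s, e = read_tlv(inner, s)                       # SEQUENCE of tagged fields
    ap = fields(inner, s, e)
    _, s, _ = read_tlv(inner, ap[3][0])                # ticket: [APPLICATION 1] Ticket
    _, s, e = read_tlv(inner, s)                       # SEQUENCE
    ticket = fields(inner, s, e)                       # [3] enc-part stays opaque here
    _, s, e = read_tlv(inner, ticket[2][0])            # sname: PrincipalName SEQUENCE
    pn = fields(inner, s, e)
    _, s, e = read_tlv(inner, pn[1][0])                # name-string: SEQUENCE OF GeneralString
    parts = [inner[vs:ve].decode("ascii") for _, vs, ve in children(inner, s, e)]
    return {
        "inner_mech": mech,
        "token_id": tok_id.hex(),
        "msg_type": int.from_bytes(primitive(inner, ap[1]), "big"),   # 14 == KRB_AP_REQ
        "service_realm": primitive(inner, ticket[1]).decode("ascii"),
        "name_type": int.from_bytes(primitive(inner, pn[0]), "big"),  # 3 == NT-SRV-HST
        "service_principal": "/".join(parts),
    }


def parse_negotiate(token_b64):
    """Walk the SPNEGO wrapping of an Authorization: Negotiate value (first leg only)."""
    raw = base64.b64decode(token_b64[: len(token_b64) // 4 * 4])
    tag, s, _ = read_tlv(raw, 0)                       # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, os_, oe = read_tlv(raw, s)
    outer = decode_oid(raw[os_:oe])
    if outer != SPNEGO:
        raise ValueError("not SPNEGO but " + outer)
    tag, s, _ = read_tlv(raw, oe)                      # negTokenInit [0]
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, s, e = read_tlv(raw, s)                         # SEQUENCE
    init = fields(raw, s, e)
    _, s, e = read_tlv(raw, init[0][0])                # mechTypes: SEQUENCE OF OID
    mechs = [decode_oid(raw[vs:ve]) for _, vs, ve in children(raw, s, e)]
    _, s, e = read_tlv(raw, init[2][0])                # mechToken: OCTET STRING
    info = {"outer_mech": outer, "mech_types": mechs}
    info.update(parse_ap_req(raw[s:e]))
    return info


def handle_request(headers):
    """Model the server leg of the exchange from the comment.
    Returns (action, response_headers, parsed_token): "challenge" sends the 401,
    "reject" drops a malformed or mis-targeted token, "verify" means the mechToken
    is ready to be handed to GSS-API acceptSecContext() with the HTTP/fqdn keytab."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return "challenge", {"WWW-Authenticate": "Negotiate"}, None
    try:
        info = parse_negotiate(auth[len("Negotiate "):].strip())
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return "reject", {}, None
    if KRB5_MECH not in info["mech_types"] or info["service_principal"] != SERVICE_PRINCIPAL:
        return "reject", {}, None                      # not Kerberos, or a ticket for another SPN
    return "verify", {}, info


if __name__ == "__main__":
    for k, v in parse_negotiate(NEGOTIATE_TOKEN).items():
        print(f"{k:18} {v}")
```

Running it lists the three mechanisms the browser offered (Kerberos V5, the legacy `1.3.5.1.5.2` OID, and MS-KRB5), the AP-REQ message type, and the service principal `HTTP/fates.acme1.fossonline.org` in realm `ACME1.FOSSONLINE.ORG`. The `[3] enc-part` of the Ticket and the `[4] authenticator` are encrypted with the service key and the session key respectively, so the user's identity is only available after GSS-API has decrypted them with the keytab; nothing in the Negotiate header itself is a reusable secret for the server beyond that check.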

> Implement a login module for krb5
> ---------------------------------
>
>                 Key: NXP-616
>                 URL: http://jira.nuxeo.org/browse/NXP-616
>             Project: Nuxeo Enterprise Platform
>          Issue Type: New Feature
>            Reporter: Jean-Marc Orliaguet
>            Assignee: Jean-Marc Orliaguet
>             Fix For: 5.2 M4
>
>   Original Estimate: 2 days
>  Remaining Estimate: 2 days
>
> Add a login module for kerberos using GSS-API.
> possible namespace: org.nuxeo.ecm.platform.login.krb5
> this could also be based on a generic JAAS authentication module 
> (org.nuxeo.ecm.platform.login.jaas) since only the configuration files 
> differs.
> ref: 
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets