I need to configure JBoss EAP 6.3 to understand Kerberos authentication.
My environment consists of:
I have already tried lots of examples, but none of them work. Basically I did everything according to this document: RedHat JBoss 6.3 Kerberos
and this document: JBoss blog RadoslawRodak
and this document: JBoss developer blog
And all I get from the testing servlet (jboss-negotiation-toolkit) is this message: WARN [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-/172.27.185.220:8080-1) Unsupported negotiation mechanism 'NTLM'
Has anyone gone all the way through this and solved it somehow?
Thank you in advance, Josef
Take a look at my SPNEGO demo project https://github.com/kwart/spnego-demo
Try to make it work with the linked kerberos-using-apacheds project.
If you can successfully authenticate against the ApacheDS Kerberos, try to change the configuration (krb5.conf and the Krb5LoginModule options in the host security domain) to use your Active Directory for authentication.
A common pitfall is a wrong SPN name. The service principal has to be in the form HTTP/hostname@REALM (e.g. HTTP/www.my-company.com@MY-COMPANY.COM).
You could find some other hints in my older presentation - http://www.slideshare.net/josef.cacek/dev-conf2013-ltkerberosas7
Thank you all. As I said before, we finally made it. Our solution was:
0) The client computer must be in the domain; providing domain credentials is not enough.
Create the key table (for a 2008 server, kvno 0 was critical):
ktpass -out bbb.keytab -princ HTTP/bbb.cez.loc@CEZ.LOC -mapUser CEZ.LOC\bbb -mapOp set -pass password -ptype KRB5_NT_PRINCIPAL -kvno 0
ktab -k bbb.keytab -l -e -t
Keytab name: bbb.keytab
KVNO Timestamp Principal
0 1/1/70 1:00 AM HTTP/bbb.cez.loc@CEZ.LOC (23:RC4 with HMAC)
Stop JBoss and transfer the keytab to the Linux server, under the JBoss configuration folder: /opt/jboss-domain/standalone/configuration/bbb.keytab
1) JBoss config (standalone.xml)
<system-properties>
    <property name="java.security.krb5.kdc" value="CEZ.LOC"/>
    <property name="java.security.krb5.realm" value="CEZ.LOC"/>
    <property name="java.net.debug" value="all"/>
    <property name="sun.security.krb5.debug" value="true"/>
</system-properties>

<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bbb.cez.loc@CEZ.LOC"/>
            <module-option name="keyTab" value="/opt/jboss-domain/standalone/configuration/bbb.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>

<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
    </authentication>
</security-domain>
2) Web App config:
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <role-name>*</role-name>
</security-role>
jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/SPNEGO</security-domain>
    <valve>
        <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    </valve>
    <context-root>kerberoes</context-root>
</jboss-web>
jboss-deployment-structure.xml:
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.jboss.security.negotiation" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
3) Restart the Key Distribution service on the AD server.
4) Start JBoss.
5) Add the JBoss web server address to the trusted hosts in Internet settings, under the Intranet section. Everything works from that moment.
The REST web app can use this to get the valid credentials:
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/ping")
public class Ping extends Application
{
    // Injected by the container; populated by the NegotiationAuthenticator valve
    @Context
    private SecurityContext mySecurityContext;

    @GET
    public Response doGET()
    {
        try
        {
            Date now = Calendar.getInstance().getTime();
            String reportDate = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").format(now);
            String returnString = "";
            // return ok json
            returnString = "Time: " + reportDate + "<br>\n";
            // authentication scheme and the Kerberos principal of the caller
            returnString += "User: " +
                mySecurityContext.getAuthenticationScheme() + " / " +
                mySecurityContext.getUserPrincipal().getName() + "<br>\n";
            return Response.status(200).entity(returnString).build();
        }
        catch (Exception e)
        {
            return Response.status(500).entity("Exception! " +
                e.getMessage()).build();
        }
    }
}
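An added check, written for this page and not taken from the poster or from JBoss: it lints the standalone.xml fragments above for the wiring the two answers depend on (the HTTP/hostname@REALM SPN form, the keytab login-module options, a SPNEGO domain whose serverSecurityDomain really is a Kerberos domain) and flags the java.net.debug / sun.security.krb5.debug properties, which leak ticket and TLS details into server.log once troubleshooting is over. The sample XML is constructed from the answer's fragments; the script assumes you pass it the file contents (namespaces from a real standalone.xml are stripped).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file): the system properties and the two
# security domains from the answer above, wrapped in a root so it parses alone.
SAMPLE_XML = """<server><system-properties>
  <property name="java.net.debug" value="all"/>
  <property name="sun.security.krb5.debug" value="true"/>
</system-properties>
<security-domain name="host"><authentication><login-module code="Kerberos" flag="required">
  <module-option name="storeKey" value="true"/><module-option name="useKeyTab" value="true"/>
  <module-option name="principal" value="HTTP/bbb.cez.loc@CEZ.LOC"/>
  <module-option name="keyTab" value="/opt/jboss-domain/standalone/configuration/bbb.keytab"/>
  <module-option name="doNotPrompt" value="true"/>
</login-module></authentication></security-domain>
<security-domain name="SPNEGO"><authentication><login-module code="SPNEGO" flag="requisite">
  <module-option name="serverSecurityDomain" value="host"/>
</login-module></authentication></security-domain></server>"""

SPN_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")  # HTTP/hostname@REALM
DEBUG_PROPS = {"java.net.debug", "sun.security.krb5.debug"}

def check_spnego_config(xml_text):
    """Return findings for the host/SPNEGO login-module wiring in a standalone.xml."""
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", xml_text))  # drop JBoss namespaces
    findings, domains = [], {}
    for sd in root.iter("security-domain"):
        opts = {"codes": [lm.get("code") for lm in sd.iter("login-module")]}
        opts.update((o.get("name"), o.get("value")) for o in sd.iter("module-option"))
        domains[sd.get("name")] = opts
    for name, opts in domains.items():
        if "Kerberos" in opts["codes"]:
            spn = opts.get("principal", "")
            if not SPN_RE.match(spn):
                findings.append(f"{name}: principal '{spn}' is not of the form HTTP/hostname@REALM")
            for req in ("useKeyTab", "storeKey", "doNotPrompt"):
                if opts.get(req) != "true":
                    findings.append(f"{name}: {req} must be true for a non-interactive keytab login")
        if "SPNEGO" in opts["codes"]:
            target = opts.get("serverSecurityDomain")
            if "Kerberos" not in domains.get(target, {"codes": []})["codes"]:
                findings.append(f"{name}: serverSecurityDomain '{target}' has no Kerberos login-module")
    for p in root.iter("property"):
        if p.get("name") in DEBUG_PROPS and p.get("value") not in (None, "", "false"):
            findings.append(f"{p.get('name')}={p.get('value')} left on: logs ticket and TLS details")
    return findings
```

On the answer's own configuration the only findings are the two debug properties; a principal without the @REALM suffix or a SPNEGO domain pointing at a misspelled host domain is reported before you hit the 'Unsupported negotiation mechanism' warning at runtime.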