JBoss Negotiation in AS7
- 1. JBoss Negotiation in AS7
Get Kerberos authentication working
Josef Cacek
Senior QE Engineer, Red Hat
DevConf 2013
- 5. JBoss Negotiation
Negotiation (SPNEGO) support for JBoss AS
● protocols
  ● Kerberos
  ● NTLM
● components
  ● authenticator – a JBoss Web valve
  ● JAAS Login modules
  ● toolkit to check the configuration
- 8. standalone.xml – security domains (1)
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
    </login-module>
  </authentication>
</security-domain>
- 9. standalone.xml – security domains (2)
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="jduke@JBOSS.ORG" value="Admin"/>
      <module-option name="hnelson@JBOSS.ORG" value="User"/>
    </mapping-module>
  </mapping>
</security-domain>
- 10. standalone.xml – Kerberos related system properties
<system-properties>
  <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>
- 13. WEB-INF/web.xml
define your security constraints and roles
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Admin</role-name>
</security-role>
- 14. security domain
custom authenticator
WEB-INF/jboss-web.xml
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>
- 17. krb5.conf
configure the realm
[libdefaults]
default_realm = MY-COMPANY.CZ
[realms]
MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz:688
}
[domain_realm]
.my-company.cz = MY-COMPANY.CZ
Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf
$ export KRB5_CONFIG=/path/to/krb5.conf
- 18. Browser configuration – allow negotiation for the domain
Firefox – use about:config in the address bar
network.negotiate-auth.delegation-uris=.my-company.cz
network.negotiate-auth.trusted-uris=.my-company.cz
Chromium
$ chromium-browser \
    --auth-server-whitelist=.my-company.cz \
    --auth-negotiate-delegate-whitelist=.my-company.cz
- 20. Pitfalls – principal names
The Service Principal Name (SPN) must follow the rule
<service type> / <hostname> @ <realm>
For the request
http://my-server.my-company.cz/
use SPN:
HTTP/my-server.my-company.cz@MYCOMP.CZ
Mixing IPs and hostnames usually doesn't work:
HTTP/localhost@MYCOMP.CZ
http://127.0.0.1/
- 21. Pitfalls - IPv6
HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG
LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
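The rules on the two pitfall slides above (SPN = <service type>/<hostname>@<realm>, IP literals mixed with hostnames, IPv6 brackets) as an added example that is not part of the talk or of the JBoss Negotiation toolkit: it compares the `principal` module option of the host security domain with the URL clients will request. The function names `expected_spn` and `check_principal` are chosen here, and the bracket handling for IPv6 literals simply reproduces the slide examples.

```python
from urllib.parse import urlsplit
import ipaddress

# Service type by URL scheme, as on the slides: HTTP for browser requests,
# ldap for the directory used in role mapping.
SERVICE_BY_SCHEME = {"http": "HTTP", "https": "HTTP", "ldap": "ldap", "ldaps": "ldap"}


def is_ip_literal(host: str) -> bool:
    """True when the URL host is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_spn(url: str, realm: str) -> str:
    """SPN a client requests for url: <service type>/<hostname>@<realm>.
    Mirrors the slides: the HTTP SPN keeps the square brackets of an IPv6
    literal, the ldap SPN does not."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, port removed, IPv6 brackets stripped
    if host is None or parts.scheme.lower() not in SERVICE_BY_SCHEME:
        raise ValueError(f"unsupported URL: {url}")
    service = SERVICE_BY_SCHEME[parts.scheme.lower()]
    if service == "HTTP" and ":" in host:
        host = f"[{host}]"
    return f"{service}/{host}@{realm}"


def check_principal(url: str, configured_principal: str) -> list:
    """Compare the 'principal' module option of the host security domain with
    the URL clients will use; returns findings, an empty list means consistent."""
    _, sep, realm = configured_principal.rpartition("@")
    if not sep or not realm:
        return [f"principal {configured_principal} has no @REALM suffix"]
    findings = []
    host = urlsplit(url).hostname or ""
    if is_ip_literal(host):
        findings.append(f"URL host {host} is an IP literal; mixing IPs and "
                        "hostnames usually doesn't work")
    wanted = expected_spn(url, realm)
    if wanted != configured_principal:
        findings.append(f"SPN mismatch: {url} needs {wanted}, "
                        f"configured {configured_principal}")
    return findings
```

Run `check_principal("http://127.0.0.1/", "HTTP/localhost@MYCOMP.CZ")` to see both pitfalls from the slide reported at once.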
- 22. Pitfalls - IBM Java
host's login module
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
● module options are not the same!
krb5.conf – check [libdefaults] section
● encryption support
  ● default_tgs_enctypes
  ● default_tkt_enctypes
  ● allow_weak_crypto
● forwardable ticket when a client uses Krb5LoginModule
  ● forwardable = true