JBoss Negotiation in AS7
Get Kerberos authentication working
Josef Cacek
Senior QE Engineer, Red Hat
DevConf 2013
Agenda
• Technologies introduction
• Quickstart
• Configuration
• Troubleshooting
JBoss Negotiation in AS7
Introduction: Kerberos
• ticket-based network authentication protocol
JBoss Negotiation
• Negotiation (SPNEGO) support for JBoss AS
● protocols
  ● Kerberos
  ● NTLM
● components
  ● authenticator – a JBoss Web valve
  ● JAAS Login modules
  ● toolkit to check the configuration
Quickstart
https://github.com/kwart/spnego-demo
https://github.com/kwart/kerberos-using-apacheds
JBoss AS configuration
$JBOSS_HOME/standalone/configuration/standalone.xml
standalone.xml – security domains (1)
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab"
        value="/path/to/http.keytab"/>
      <module-option name="principal"
        value="HTTP/localhost@JBOSS.ORG"/>
    </login-module>
  </authentication>
</security-domain>
standalone.xml – security domains (2)
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain"
        value="host"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="jduke@JBOSS.ORG" value="Admin"/>
      <module-option name="hnelson@JBOSS.ORG" value="User"/>
    </mapping-module>
  </mapping>
</security-domain>
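Added example (Python, not from the slides or the JBoss Negotiation project): a small lint that reads the two security-domain fragments above and checks that the SPNEGO domain delegates to an existing Kerberos "host" domain whose login module has the keytab-based, non-interactive options the slides rely on. It assumes un-namespaced XML as printed on the slides; a real standalone.xml carries an xmlns that would need to be handled.

```python
# Added example, not from the slides: lint the security-domain fragments above.
# Assumes un-namespaced XML as shown on the slides (a real standalone.xml has an xmlns).
import xml.etree.ElementTree as ET

REQUIRED_HOST_OPTIONS = {"useKeyTab": "true", "storeKey": "true", "doNotPrompt": "true"}

def _options(login_module):
    return {o.get("name"): o.get("value") for o in login_module.findall("module-option")}

def lint_security_domains(xml_text):
    """Return findings for every SPNEGO domain; an empty list means it looks consistent."""
    root = ET.fromstring(xml_text)
    domains = {d.get("name"): d for d in root.iter("security-domain")}
    findings = []
    for name, dom in domains.items():
        for lm in dom.iter("login-module"):
            if lm.get("code") != "SPNEGO":
                continue
            target = _options(lm).get("serverSecurityDomain")
            if target not in domains:
                findings.append(f"{name}: serverSecurityDomain '{target}' is not a defined domain")
                continue
            krb = [h for h in domains[target].iter("login-module") if h.get("code") == "Kerberos"]
            if not krb:
                findings.append(f"{target}: no Kerberos login-module")
                continue
            opts = _options(krb[0])
            for key, want in REQUIRED_HOST_OPTIONS.items():  # keytab-based, non-interactive login
                if opts.get(key) != want:
                    findings.append(f"{target}: {key} should be {want}, found {opts.get(key)!r}")
            if not opts.get("keyTab"):
                findings.append(f"{target}: keyTab is missing")
            principal = opts.get("principal", "")
            if not principal.startswith("HTTP/") or "@" not in principal:  # SPN rule from the pitfalls slide
                findings.append(f"{target}: principal '{principal}' is not HTTP/<host>@<REALM>")
    return findings

# Constructed sample mirroring slides (1) and (2), wrapped in one root element.
SAMPLE = """<security-domains>
 <security-domain name="host"><authentication><login-module code="Kerberos" flag="required">
  <module-option name="storeKey" value="true"/><module-option name="useKeyTab" value="true"/>
  <module-option name="doNotPrompt" value="true"/><module-option name="keyTab" value="/path/to/http.keytab"/>
  <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
 </login-module></authentication></security-domain>
 <security-domain name="SPNEGO"><authentication><login-module code="SPNEGO" flag="required">
  <module-option name="serverSecurityDomain" value="host"/>
 </login-module></authentication></security-domain>
</security-domains>"""
```

Run it against an extracted `<subsystem>` fragment after stripping the namespace; a non-empty result lists the first things to fix before turning on krb5 debug output.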
standalone.xml – Kerberos related system properties
<system-properties>
  <property name="java.security.krb5.conf"
    value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug"
    value="true"/>
  <property name="jboss.security.disable.secdomain.option"
    value="true"/>
</system-properties>
Web application configuration
WAR – Web archive
WEB-INF/web.xml
• define your security constraints and roles
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Admin</role-name>
</security-role>
WEB-INF/jboss-web.xml
• security domain
• custom authenticator
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>
META-INF/jboss-deployment-structure.xml
• define module dependencies
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
Client configuration
krb5.conf
• configure the realm
[libdefaults]
default_realm = MY-COMPANY.CZ
[realms]
MY-COMPANY.CZ = {
kdc = kerberos.my-company.cz:688
}
[domain_realm]
.my-company.cz = MY-COMPANY.CZ
• Use the KRB5_CONFIG environment variable if you don't
want to change the system-wide /etc/krb5.conf
$ export KRB5_CONFIG=/path/to/krb5.conf
Browser configuration – allow negotiation for the domain
• Firefox – use about:config in the address bar
network.negotiate-auth.delegation-uris=.my-company.cz
network.negotiate-auth.trusted-uris=.my-company.cz
• Chromium
$ chromium-browser \
    --auth-server-whitelist=.my-company.cz \
    --auth-negotiate-delegate-whitelist=.my-company.cz
And if it still doesn't work …
Pitfalls – principal names
• The Service Principal Name (SPN) must follow the rule
<service type>/<hostname>@<realm>
For the request
http://my-server.my-company.cz/
use SPN:
HTTP/my-server.my-company.cz@MYCOMP.CZ
• Mixing IPs and hostnames usually doesn't work:
HTTP/localhost@MYCOMP.CZ
http://127.0.0.1/
Pitfalls - IPv6
• HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG
• LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
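Added example (Python, not from the slides): derive the SPN a client will ask for from the request URL and compare it with the principal configured in the "host" domain, so the two pitfalls above (SPN rule, IP vs hostname, IPv6 bracket form) surface before you dig through krb5 debug output. The bracket handling follows the slide: HTTP keeps `[...]`, ldap does not; the scheme-to-service table is this example's assumption.

```python
# Added example, not from the slides: derive the SPN for a request URL and check the
# configured principal against it. Bracket convention per the IPv6 pitfalls slide.
import ipaddress
from urllib.parse import urlsplit

# Assumed mapping from URL scheme to Kerberos service type (HTTP is upper-case, ldap lower-case).
SERVICE_FOR_SCHEME = {"http": "HTTP", "https": "HTTP", "ldap": "ldap", "ldaps": "ldap"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def expected_spn(url, realm):
    """SPN of the form <service type>/<hostname>@<realm> for the given request URL."""
    parts = urlsplit(url)
    service = SERVICE_FOR_SCHEME[parts.scheme.lower()]
    host = parts.hostname            # urlsplit strips IPv6 brackets and lower-cases the host
    if ":" in host and service == "HTTP":
        host = f"[{host}]"           # HTTP SPNs keep the bracketed IPv6 literal
    return f"{service}/{host}@{realm}"

def check_principal(url, configured_principal):
    """Return findings explaining why the configured principal would not serve the URL."""
    findings = []
    if "/" not in configured_principal or "@" not in configured_principal:
        return [f"'{configured_principal}' is not of the form <service type>/<hostname>@<realm>"]
    _service, rest = configured_principal.split("/", 1)
    host, realm = rest.rsplit("@", 1)
    want = expected_spn(url, realm)
    if want != configured_principal:
        findings.append(f"request {url} needs SPN {want}, but {configured_principal} is configured")
    if is_ip_literal(urlsplit(url).hostname) != is_ip_literal(host.strip("[]")):
        findings.append("request and SPN mix an IP address with a hostname; this usually does not work")
    return findings
```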
Pitfalls - IBM Java
• host's login module
<login-module
  code="com.ibm.security.auth.module.Krb5LoginModule"
  flag="required">
● module options are not the same!
• krb5.conf – check the [libdefaults] section
● encryption support
  ● default_tgs_enctypes
  ● default_tkt_enctypes
  ● allow_weak_crypto
● forwardable ticket when a client uses Krb5LoginModule
  ● forwardable = true
Thank you.