JBoss Negotiation in AS7

How to get Kerberos/SPNEGO authentication working in JBoss AS7 & EAP 6 (should also be valid for WildFly).


  1. JBoss Negotiation in AS7: Get Kerberos authentication working. Josef Cacek, Senior QE Engineer, Red Hat. DevConf 2013
  2. Agenda
     ● Technologies introduction
     ● Quickstart
     ● Configuration
     ● Troubleshooting
  3. Introduction: Kerberos
     ● ticket-based network authentication protocol
  4. JBoss Negotiation
     ● Negotiation (SPNEGO) support for JBoss AS
     ● protocols
       ○ Kerberos
       ○ NTLM
     ● components
       ○ authenticator: a JBoss Web valve
       ○ JAAS login modules
       ○ toolkit to check the configuration
  5. Quickstart
     ● https://github.com/kwart/spnego-demo
     ● https://github.com/kwart/kerberos-using-apacheds
  6. JBoss AS configuration
     ● $JBOSS_HOME/standalone/configuration/standalone.xml
  7. standalone.xml – security domains (1)
       <security-domain name="host" cache-type="default">
         <authentication>
           <login-module code="Kerberos" flag="required">
             <module-option name="debug" value="true"/>
             <module-option name="storeKey" value="true"/>
             <module-option name="refreshKrb5Config" value="true"/>
             <module-option name="useKeyTab" value="true"/>
             <module-option name="doNotPrompt" value="true"/>
             <module-option name="keyTab" value="/path/to/http.keytab"/>
             <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
           </login-module>
         </authentication>
       </security-domain>
  8. standalone.xml – security domains (2)
       <security-domain name="SPNEGO" cache-type="default">
         <authentication>
           <login-module code="SPNEGO" flag="required">
             <module-option name="serverSecurityDomain" value="host"/>
           </login-module>
         </authentication>
         <mapping>
           <mapping-module code="SimpleRoles" type="role">
             <module-option name="jduke@JBOSS.ORG" value="Admin"/>
             <module-option name="hnelson@JBOSS.ORG" value="User"/>
           </mapping-module>
         </mapping>
       </security-domain>
  9. standalone.xml – Kerberos related system properties
       <system-properties>
         <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
         <property name="java.security.krb5.debug" value="true"/>
         <property name="jboss.security.disable.secdomain.option" value="true"/>
       </system-properties>
  10. Web application configuration
  11. WAR – Web archive
  12. WEB-INF/web.xml
     ● define your security constraints and roles
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Admin Data</web-resource-name>
           <url-pattern>/admin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>Admin</role-name>
         </auth-constraint>
       </security-constraint>
       <security-role>
         <role-name>Admin</role-name>
       </security-role>
  13. WEB-INF/jboss-web.xml
     ● security domain
     ● custom authenticator
       <jboss-web>
         <security-domain>SPNEGO</security-domain>
         <valve>
           <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
         </valve>
       </jboss-web>
  14. META-INF/jboss-deployment-structure.xml
     ● define module dependencies
       <jboss-deployment-structure>
         <deployment>
           <dependencies>
             <module name="org.jboss.security.negotiation" />
           </dependencies>
         </deployment>
       </jboss-deployment-structure>
  15. Client configuration
  16. krb5.conf
     ● configure the realm
       [libdefaults]
         default_realm = MY-COMPANY.CZ
       [realms]
         MY-COMPANY.CZ = {
           kdc = kerberos.my-company.cz:688
         }
       [domain_realm]
         .my-company.cz = MY-COMPANY.CZ
     ● Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf
       $ export KRB5_CONFIG=/path/to/krb5.conf
  17. Browser configuration – allow negotiation for the domain
     ● Firefox: use about:config in the address bar
       network.negotiate-auth.delegation-uris=.my-company.cz
       network.negotiate-auth.trusted-uris=.my-company.cz
     ● Chromium
       $ chromium-browser \
       >   --auth-server-whitelist=.my-company.cz \
       >   --auth-negotiate-delegate-whitelist=.my-company.cz
  18. And if it still doesn't work …
  19. Pitfalls – principal names
     ● The Service Principal Name (SPN) must follow the rule <service type>/<hostname>@<realm>
     ● For the request http://my-server.my-company.cz/ use the SPN HTTP/my-server.my-company.cz@MYCOMP.CZ
     ● Mixing IPs and hostnames usually doesn't work: HTTP/localhost@MYCOMP.CZ with http://127.0.0.1/
  20. Pitfalls - IPv6
     ● HTTP:
       ○ http://[0:0:0:0:0:0:0:1]:8080/my-app/
       ○ HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG
     ● LDAP (can be used for role mapping):
       ○ ldap://[0:0:0:0:0:0:0:1]:389
       ○ ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
  21. Pitfalls - IBM Java
     ● host's login module
       <login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
       ○ module options are not the same!
     ● krb5.conf: check the [libdefaults] section
       ○ encryption support
         default_tgs_enctypes
         default_tkt_enctypes
         allow_weak_crypto
       ○ forwardable ticket when a client uses Krb5LoginModule
         forwardable = true
  22. Thank you.
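An added consistency check for the principal-name pitfalls of slides 19 and 20 (Python written for this page, not code from the slides or from JBoss Negotiation): it follows serverSecurityDomain from the SPNEGO security domain of slide 8 to the Kerberos principal of slide 7 and compares it with the SPN a client derives from the application URL, applying the hostname-vs-IP rule and the IPv6 bracket forms. The XML fragment, realm and principal are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
SAMPLE_XML = """<subsystem><!-- constructed; mirrors slides 7 and 8, realm is a placeholder -->
 <security-domain name="host"><authentication>
  <login-module code="Kerberos" flag="required">
   <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
  </login-module></authentication></security-domain>
 <security-domain name="SPNEGO"><authentication>
  <login-module code="SPNEGO" flag="required">
   <module-option name="serverSecurityDomain" value="host"/>
  </login-module></authentication></security-domain>
</subsystem>"""

def module_options(domain, code):
    # module-option name -> value for the login-module with the given code
    return {o.get("name"): o.get("value") for lm in domain.iter("login-module")
            if lm.get("code") == code for o in lm.iter("module-option")}

def server_principal(xml_text, spnego_domain="SPNEGO"):
    """Follow serverSecurityDomain from the SPNEGO domain to the Kerberos principal."""
    domains = {d.get("name"): d for d in ET.fromstring(xml_text).iter("security-domain")}
    host = module_options(domains[spnego_domain], "SPNEGO").get("serverSecurityDomain")
    if host not in domains:
        raise ValueError("serverSecurityDomain %r is not defined" % host)
    return module_options(domains[host], "Kerberos").get("principal")

def expected_spn(url, realm):
    """SPN a client derives from a URL: <service>/<host>@<realm>; HTTP keeps IPv6 brackets, LDAP drops them."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit strips brackets and lower-cases the host
    service = "HTTP" if parts.scheme in ("http", "https") else parts.scheme
    if service == "HTTP" and ":" in host:
        host = "[%s]" % host
    return "%s/%s@%s" % (service, host, realm)

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return False

def check(xml_text, url, realm):
    """Problems found; an empty list means the keytab principal matches what the client asks for."""
    configured, wanted = server_principal(xml_text), expected_spn(url, realm)
    problems = []
    if configured != wanted:
        problems.append("configured %s but client asks for %s" % (configured, wanted))
    if is_ip(urlsplit(url).hostname) != is_ip(configured.split("/", 1)[1].split("@")[0]):
        problems.append("URL and SPN mix an IP literal with a hostname (slide 19)")
    return problems
```

Run `check(SAMPLE_XML, "http://localhost:8080/app/", "JBOSS.ORG")` to see an empty list, and swap in http://127.0.0.1/ to reproduce the mismatch from slide 19.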