JBoss Negotiation in AS7

Post on 05-Dec-2014



How to get Kerberos/SPNEGO authentication working in JBoss AS7 & EAP 6 (should also be valid for WildFly).

Transcript of JBoss Negotiation in AS7

JBoss Negotiation in AS7: Get Kerberos authentication working

Josef Cacek, Senior QE Engineer, Red Hat. DevConf 2013

Agenda

● Technologies introduction
● Quickstart
● Configuration
● Troubleshooting

Introduction: Kerberos

ticket-based network authentication protocol: the client asks the KDC for a ticket for the service it wants to reach and presents it to the server, which checks it with its own long-term key (on the server side that key lives in the keytab); the server never sees the user's password

JBoss Negotiation

Negotiation (SPNEGO) support for JBoss AS

● protocols
  ● Kerberos
  ● NTLM

● components
  ● authenticator – a JBoss Web valve
  ● JAAS login modules
  ● toolkit to check the configuration

Quickstart

https://github.com/kwart/spnego-demo

https://github.com/kwart/kerberos-using-apacheds

JBoss AS configuration

$JBOSS_HOME/standalone/configuration/standalone.xml

standalone.xml – security domains (1)

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
    </login-module>
  </authentication>
</security-domain>

standalone.xml – security domains (2)

<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="jduke@JBOSS.ORG" value="Admin"/>
      <module-option name="hnelson@JBOSS.ORG" value="User"/>
    </mapping-module>
  </mapping>
</security-domain>

standalone.xml – Kerberos related system properties

<system-properties>
  <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>

jboss.security.disable.secdomain.option stops PicketBox from adding its own security-domain entry to the login module options, which the Kerberos login module does not expect. Turn the debug settings (here and in the login module) off once it works: they write principal, ticket and key-type details to the server log.

Web application configuration

WAR – Web archive

WEB-INF/web.xml

define your security constraints and roles

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>Admin</role-name>
</security-role>

WEB-INF/jboss-web.xml

security domain, custom authenticator

<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>

META-INF/jboss-deployment-structure.xml

define module dependencies

<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
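The server-side setup above is spread over three files that have to agree with each other: jboss-web.xml names the SPNEGO domain, that domain points at the "host" domain via serverSecurityDomain, and the "host" domain must carry a keytab-backed Kerberos login module whose principal is a proper SPN. The Python script below is an added example, not code from the slides or from the JBoss Negotiation toolkit: it parses copies of the fragments shown above (constructed here, with a dummy <subsystem> root around the security domains so they parse on their own) and reports the mismatches that most often break the setup. check_negotiation_config, its messages and the check_files flag are this example's own.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed copies of the slide fragments (standalone.xml security domains
# wrapped in a dummy root so the snippet parses stand-alone).
STANDALONE_FRAGMENT = """
<subsystem>
  <security-domain name="host" cache-type="default">
    <authentication>
      <login-module code="Kerberos" flag="required">
        <module-option name="storeKey" value="true"/>
        <module-option name="useKeyTab" value="true"/>
        <module-option name="doNotPrompt" value="true"/>
        <module-option name="keyTab" value="/path/to/http.keytab"/>
        <module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="SPNEGO" cache-type="default">
    <authentication>
      <login-module code="SPNEGO" flag="required">
        <module-option name="serverSecurityDomain" value="host"/>
      </login-module>
    </authentication>
  </security-domain>
</subsystem>
"""
JBOSS_WEB = """
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>
"""
DEPLOYMENT_STRUCTURE = """
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
"""

VALVE = "org.jboss.security.negotiation.NegotiationAuthenticator"
MODULE = "org.jboss.security.negotiation"
SPN_RE = re.compile(r"^HTTP/[^/@\s]+@[^@\s]+$")  # HTTP/<hostname>@<realm>
# use the keytab, keep the key in the Subject for GSS-API, never prompt
MUST_BE_TRUE = ("useKeyTab", "storeKey", "doNotPrompt")


def _options(login_module):
    return {o.get("name"): o.get("value") for o in login_module.findall("module-option")}


def check_negotiation_config(standalone_xml, jboss_web_xml, deployment_xml, check_files=False):
    """Return a list of problems; empty means the three fragments agree.
    check_files=True additionally requires the keytab path to exist on this host."""
    problems = []
    domains = {d.get("name"): d for d in ET.fromstring(standalone_xml).iter("security-domain")}
    web = ET.fromstring(jboss_web_xml)

    # jboss-web.xml -> SPNEGO domain -> serverSecurityDomain -> Kerberos login module
    app_domain = web.findtext("security-domain")
    spnego_lm = None
    if app_domain in domains:
        spnego_lm = domains[app_domain].find("authentication/login-module[@code='SPNEGO']")
    if spnego_lm is None:
        return [f"jboss-web.xml: security domain {app_domain!r} missing or has no SPNEGO login module"]
    host_name = _options(spnego_lm).get("serverSecurityDomain")
    krb_lm = None
    if host_name in domains:
        krb_lm = domains[host_name].find("authentication/login-module[@code='Kerberos']")
    if krb_lm is None:
        return [f"serverSecurityDomain {host_name!r} missing or has no Kerberos login module"]

    opts = _options(krb_lm)
    for name in MUST_BE_TRUE:
        if opts.get(name) != "true":
            problems.append(f"Kerberos login module: {name} must be true")
    principal = opts.get("principal", "")
    if not SPN_RE.match(principal):
        problems.append(f"principal {principal!r} is not of the form HTTP/<hostname>@<realm>")
    elif not principal.rsplit("@", 1)[1].isupper():
        problems.append(f"realm in {principal!r} is not upper case")
    keytab = opts.get("keyTab")
    if not keytab:
        problems.append("Kerberos login module: keyTab is not set")
    elif check_files and not os.path.isfile(keytab):
        problems.append(f"keytab {keytab} does not exist")

    if VALVE not in [v.findtext("class-name") for v in web.findall("valve")]:
        problems.append("jboss-web.xml: NegotiationAuthenticator valve missing")
    if MODULE not in [m.get("name") for m in ET.fromstring(deployment_xml).iter("module")]:
        problems.append(f"jboss-deployment-structure.xml: {MODULE} dependency missing")
    return problems
```

Run it with check_files=True on the real server to also catch a keytab path that the JBoss process cannot see; the realm check is a warning that Kerberos realms are conventionally upper case and compared case-sensitively by the KDC.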

Client configuration

krb5.conf

configure the realm

[libdefaults]
default_realm = MY-COMPANY.CZ

[realms]
MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz:688
}

[domain_realm]
.my-company.cz = MY-COMPANY.CZ

Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf

$ export KRB5_CONFIG=/path/to/krb5.conf

Browser configuration – allow negotiation for the domain

Firefox – use about:config in the address bar

network.negotiate-auth.trusted-uris = .my-company.cz
network.negotiate-auth.delegation-uris = .my-company.cz

trusted-uris is what enables Negotiate for the domain; delegation-uris additionally lets the browser forward the user's TGT to the server, so set it only if the application has to call further Kerberos services on the user's behalf.

Chromium

$ chromium-browser \
    --auth-server-whitelist=.my-company.cz \
    --auth-negotiate-delegate-whitelist=.my-company.cz

And if it still doesn't work …

Pitfalls – principal names

The Service Principal Name (SPN) must follow the rule: <service type>/<hostname>@<realm>

For the request

http://my-server.my-company.cz/

use SPN: HTTP/my-server.my-company.cz@MYCOMP.CZ

Mixing IPs and hostnames usually doesn't work, e.g. a keytab principal

HTTP/localhost@MYCOMP.CZ

for a request to

http://127.0.0.1/

Pitfalls - IPv6

HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG

LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG

Pitfalls - IBM Java

host's login module:

<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
  <!-- IBM-specific module options go here -->
</login-module>

● module options are not the same!
● krb5.conf – check the [libdefaults] section
  ● encryption support: default_tgs_enctypes, default_tkt_enctypes, allow_weak_crypto (allow_weak_crypto enables DES and other weak types; use it only to get a broken setup diagnosed, not as the fix)
  ● forwardable ticket when a client uses Krb5LoginModule: forwardable = true

Thank you.