geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zhi Xie <daxie...@gmail.com>
Subject Re: [CONF] Apache Geronimo v2.2 > Using SPNEGO in Geronimo
Date Thu, 20 Jun 2013 05:50:03 GMT
learn a lot. thanks


2013/6/19 <confluence@apache.org>

>    Using SPNEGO in Geronimo<https://cwiki.apache.org/confluence/display/GMOxDOC22/Using+SPNEGO+in+Geronimo>
Page
> *edited* by Jarek Gawor<https://cwiki.apache.org/confluence/display/~gawor>
> Changes (7)
>  ...
>  -->
>
> <gbean name="ConfigEntry"
> class="org.apache.geronimo.security.jaas.DirectConfigurationEntry" xsi:type="dep:gbeanType"
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance">
>  xsi:type="dep:gbeanType" xmlns:dep="
> http://geronimo.apache.org/xml/ns/deployment-1.2"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>  <attribute
> name="applicationConfigName">com.sun.security.jgss.accept</attribute>
> <attribute name="controlFlag">REQUIRED</attribute>
> ...
>  </gbean>
>
> <gbean name="KerberosLoginModule"
> class="org.apache.geronimo.security.jaas.LoginModuleGBean" xsi:type="dep:gbeanType"
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance">
>  xsi:type="dep:gbeanType" xmlns:dep="
> http://geronimo.apache.org/xml/ns/deployment-1.2"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>  <attribute
> name="loginModuleClass">org.apache.geronimo.security.realm.providers.KerberosLoginModule</attribute>
>
> <attribute name="loginDomainName">unspecified</attribute>
> ...
>  </gbean>
>
> <gbean name="SpnegoTest"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
> xsi:type="dep:gbeanType"
>  xsi:type="dep:gbeanType" xmlns:dep="
> http://geronimo.apache.org/xml/ns/deployment-1.2"
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance">
>  <attribute name="realmName">SpnegoTest</attribute>
> <reference name="ServerInfo">
> ...
>  Full Content
> <https://cwiki.apache.org/confluence/display/GMOxDOC22/Replacing+default+Realm+in+Geronimo>Replacing
> default Realm in Geronimo<https://cwiki.apache.org/confluence/display/GMOxDOC22/Replacing+default+Realm+in+Geronimo>
>  <https://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+Security>Administering
> Security<https://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+Security>
>
>
> Using the Simple and Protected GSS-API Negotiation Mechanism(SPNEGO)<ftp://ftp.isi.edu/in-notes/rfc2478.txt>in
Geronimo allows HTTP users to log in and authenticate only once in their
> desktop, then they can receive automatic authentication from the Geronimo
> server. Note that the feature is only supported in Geronimo 2.2.1 or later
> versions.
>
>    - Prerequisite<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-Prerequisite>
>    - Procedure<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-Procedure>
>       - Setting up the Domain Controller Machine<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine>
>       - Setting up the Client Application Machine<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-SettinguptheClientApplicationMachine>
>          - Enable SPNEGO authentication in Microsoft Internet Explorer
>          browser<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinMicrosoftInternetExplorerbrowser>
>          - Enable SPNEGO authentication in Firefox<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinFirefox>
>       - Setting up the Geronimo server<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-SettinguptheGeronimoserver>
>    - Few very important points to note<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-Fewveryimportantpointstonote>
>
> Prerequisite
>
> Using the SPNEGO requires three distinct machines:
>
>    - A Microsoft Windows 2000 or Windows 2003 Server running the Active
>    Directory Domain Controller and associated Kerberos Key Distribution
>    Center(KDC)
>    - A domain member with internet browsers for example, a Microsoft
>    Internet Explorer or Firefox browser
>    - A server Platform with Geronimo running
>
> Note that the clock on clients, Microsoft Active Directory Domain
> Controller and Geronimo server must be synchronized to within five minutes,
> and they must be within the same domain.
> Procedure Setting up the Domain Controller Machine
>
>    1. Create a user account in the active directory. Make sure that the
>    user you create is unique and not listed in Computers or domain
>    controllers. This account will be eventually mapped to the Kerberoes
>    service principal name(SPN).
>    2. Map the user account to the SPN with the command *setspn*.
>    Typically, A SPN looks like *HTTP/<Fully_Qualified_Host_Name>*. Make
>    sure that you do not have the same SPNs mapping to more than one Microsoft
>    user account. If you map the same SPN to more than one user account, the
>    web browser client can send a NT LAN Manager(NTLM)<http://en.wikipedia.org/wiki/NTLM>authentication
request instead of SPNEGO token to Geronimo server. See Windows
>    2003 Technical Reference (setspn command)<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b3a029a1-7ff0-4f6f-87d2-f2e70294a576.mspx>for
more usages of the command.
>
>    setspn -A HTTP/test.xyz.com testuser.
>
>    Where
>     - *testuser* is the user account created in step1
>       - *HTTP/test.xyz.com* is the unique SPN mapped with *testuser*, *
>       test.xyz.com* is the host name of Geronimo server.
>     3. Create the Kereros keytab file(krb5.keytab) with the command *
>    ktpass* and make the file available to Geronimo server by copying it
>    from the Domain Controller to the Geronimo server. See Windows 2003
>    Technical Reference (ktpass command)<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/64042138-9a5a-4981-84e9-d576a8db0d05.mspx>for
more usages of the command.
>
>    ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM-mapUser testuser
-mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType
>    KRB5_NT_PRINCIPAL
>
>    where
>     - *HTTP/test.xyz.com@XYZ.COM* is the concatenation of the user logon
>       name, and the realm name which must be in uppercase.
>       - *testuser* is the user account for mapping.
>       - *testuser123* is the password of the user *testuser*.
>
> Setting up the Client Application Machine
>
> On client machines, the Web browsers are responsible for generating the
> SPNEGO token for user by the Geronimo server. Perform the following
> configuration for your browsers. Note that the resources on Geronimo server
> can only be accessible by the domain name of the Geronimo server, and the
> client machines must be the members of Domain.
> Enable SPNEGO authentication in Microsoft Internet Explorer browser
>
>    1. In the Internet Explorer windows, click *Tools>Internet
>    Options>Security* tab.
>    2. Select the *Local Intranet* icon and click *Sites*.
>    3. Make sure all check boxes are selected in the *Local Intranet*windows, then click
>    *Advanced* button.
>    4. Add the URI name of the Geronimo server for example _
>    http://test.xyz.com_ into the list Web sites so that the Single
>    Sign-On (SSO) can be enabled, then click *OK* to complete this step
>    and close the *Local intranet* window.
>    5. On the *Internet Options* windows, click the *Advanced* tab and go
>    to *Security settings*. Make sure *Enable Integrated Windows
>    Authentication(requires restart)* check box is selected, then click *OK
>    * to close all windows.
>    6. Restart your Microsoft Internet Explorer to activate the
>    configuration.
>
> Enable SPNEGO authentication in Firefox
>
>    1. In the URL address bar of your Firefox browser, type *about:config*and press the
Enter key.
>    2. In the following windows, type *network.nego* in the *Filters*.
>    3. Double click *network.negotiate-auth.trusted-uris* and add
>    http://,https:// in the pop-up window, then click *OK* to close the
>    window.
>    4. Double click *network.negotiate-auth.delegation-ruis* and add
>    http://,https:// in the pop-up window, then click *OK* to close the
>    window.
>    5. Restart your Firefox to activate the configuration.
>
> Setting up the Geronimo server
>
>    1. Copy the Keroes keytab file krb5.keytab to one of directories of
>    your Geronimo Server. The file was created during Setting up the
>    Domain Controller Machine<https://cwiki.apache.org/confluence#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine>
>    .
>    2. Create a basic Kerbeores configuration file named krb5.ini in order
>    to use the SPNEGO for the server. The files should be stored on local
>    server and with the following keys list defining the Kerberoes key
>    distribution center(KDC) name and the realm setting for the SPNEGO
>    authentication.
>    *krb5.ini*
>
>
>    [libdefaults]
>      default_realm = XYZ.COM
>      default_keytab_name = FILE:c:\winnt\krb5.keytab
>      default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
>      default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
>      forwardable=true
>    [realms]
>      XYZ.COM = {
>          kdc = domaincontroller.xyz.com:88
>          default_domain = xyz.com
>      }
>    [domain_realm]
>      xyz.com= XYZ.COM
>      .xyz.com = XYZ.COM
>
>     3. Configure JVM properties with the following key pairs to make sure
>    the JVM read the Kerberoes configurations successfully.
>
>    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini
>    -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all
>    -Djavax.security.auth.useSubjectCredsOnly=false
>     4. Create a system-scope realm for the Geronimo server as followed.
>    The sample code is a combination of SPNEGO and .properties file realms in
>    order that the authentication will fall back on .Properties realm once the
>    SPNEGO authentication fails. You can remove the .properties file realm if
>    unnecessary.
>    *spnego_properties_realm.xml*
>
>    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>        <environment>
>            <moduleId>
>                <groupId>console.realm</groupId>
>                <artifactId>SpnegoTest</artifactId>
>                <version>1.0</version>
>                <type>car</type>
>            </moduleId>
>            <dependencies>
>                <dependency>
>                    <groupId>org.apache.geronimo.framework</groupId>
>                    <artifactId>j2ee-security</artifactId>
>                    <type>car</type>
>                </dependency>
>            </dependencies>
>        </environment>
>
>        <!--
>          The ConfigEntry and KerberosLoginModule GBeans are not needed on IBM JVM.
>         -->
>
>        <gbean name="ConfigEntry" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry"
>               xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>            <attribute name="applicationConfigName">com.sun.security.jgss.accept</attribute>
>            <attribute name="controlFlag">REQUIRED</attribute>
>            <reference name="Module">
>                <name>KerberosLoginModule</name>
>            </reference>
>        </gbean>
>
>        <gbean name="KerberosLoginModule" class="org.apache.geronimo.security.jaas.LoginModuleGBean"
>               xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>            <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.KerberosLoginModule</attribute>
>            <attribute name="loginDomainName">unspecified</attribute>
>            <attribute name="options">
>              krb5LoginModuleClass=com.sun.security.auth.module.Krb5LoginModule
>              krb_debug=true
>              krb_useKeyTab=true
>              krb_storeKey=true
>              krb_doNotPrompt=true
>              krb_isInitiator=false
>              krb_keyTab=c:/winnt/krb5.keytab
>              krb_principal=HTTP/test.xyz.com@XYZ.COM
>            </attribute>
>        </gbean>
>
>        <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>               xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>            <attribute name="realmName">SpnegoTest</attribute>
>            <reference name="ServerInfo">
>                <name>ServerInfo</name>
>            </reference>
>            <xml-reference name="LoginModuleConfiguration">
>                <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
>                        <log:login-domain-name>SpnegoTest</log:login-domain-name>
>                        <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
>                        <log:option name="targetName">HTTP/test.xyz.com</log:option>
>                        <log:option name="ldapUrl">ldap://domaincontroller.xyz.com:389</log:option>
>                        <log:option name="ldapLoginName">testuser</log:option>
>                        <log:option name="ldapLoginPassword">testuser123</log:option>
>                        <log:option name="searchBase">DC=xyz,DC=com</log:option>
>                    </log:login-module>
>                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
>                        <log:login-domain-name>demo-properties-realm</log:login-domain-name>
>                        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>                        <log:option name="usersURI">var/security/demo_users.properties</log:option>
>                        <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
>                    </log:login-module>
>                </log:login-config>
>            </xml-reference>
>        </gbean></module>
>
>     5. Configure the deployment plan of your application to make sure the
>    SPNEGO realm is invoked properly. See the sample code below for reference.
>    *geronimo-web.xml*
>
>    <?xml version="1.0" encoding="UTF-8"?>
>    <web:web-app xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
   xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"
>            xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>            xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2"
>            xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1"
>            xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
>        <dep:environment>
>            <dep:moduleId>
>                <dep:groupId>com.mycompany.samples</dep:groupId>
>                <dep:artifactId>security-demo</dep:artifactId>
>                <dep:version>2.2.1</dep:version>
>                <dep:type>war</dep:type>
>            </dep:moduleId>
>            <dep:dependencies/>
>            <dep:hidden-classes>
>                <dep:filter>
>    	        org.apache.geronimo.security.realm.providers.SpnegoLoginModule
>    	    </dep:filter>
>            </dep:hidden-classes>
>            <dep:non-overridable-classes/>
>        </dep:environment>
>        <web:context-root>/demo</web:context-root>
>        <web:security-realm-name>SpnegoTest</web:security-realm-name>
>        <sec:security>
>            <sec:role-mappings>
>                <sec:role role-name="content-administrator">
>                    <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
name="Domain Admins"/>
>    		<sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
name="testuser@TEST.XYZ.COM"/>
>                </sec:role>
>                <sec:role role-name="Guest-administrator">
>               <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
name="Domain Admins"/>
>                 </sec:role>
>            </sec:role-mappings>
>        </sec:security></web:web-app>
>
>     6. Configure the deployment descriptor to make sure your application
>    uses SPNEGO authentication and the respective realm provider that Geronimo
>    server supports.
>    *excerpt of web.xml*
>
>    <?xml version="1.0" encoding="ISO-8859-1"?>
>    ...
>       <login-config>
>          <auth-method>SPNEGO</auth-method>
>          <realm-name>SpnegoTest</realm-name>
>          ...
>       </login-config>
>
>
> Few very important points to note
>
>    - Make sure that you use Basic as the authentication mechanism in your
>    web application if you want to configure Spnego with geronimo.
>    - The realm provided is a combination of 2 login modules which can be
>    easily created through geronimo administrative console.
>    - While you are creating a security realm for Spnego loginmodule you
>    need to just specify one option that will be of the form
>    "targetName=HTTP/<fully_qualified_host_name>". Have a look at the sample
>    realm. This will give you an idea of the option to be used.
>    - Make sure you choose sufficient as the control-flag while creating
>    the 2 login modules.
>    - Make sure you map only one user to SPN as defined in #2 of "Setting
>    up the Active Directory Domain Controller".
>
>   Change Notification Preferences<https://cwiki.apache.org/confluence/users/viewnotifications.action>
> View Online<https://cwiki.apache.org/confluence/display/GMOxDOC22/Using+SPNEGO+in+Geronimo>|
View
> Changes<https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=21791714&revisedVersion=7&originalVersion=6>|
Add
> Comment<https://cwiki.apache.org/confluence/display/GMOxDOC22/Using+SPNEGO+in+Geronimo?showComments=true&showCommentArea=true#addcomment>
>



-- 
Best Regards
Gary

Mime
View raw message