geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.1 > Using Spengo in geronimo
Date Thu, 18 Mar 2010 10:46:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=GMOxDOC21&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/GMOxDOC21/Using+Spengo+in+geronimo">Using
Spengo in geronimo</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~ashjain2@gmail.com">Ashish
Jain</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">

<p>SPNEGO with Geronimo requires three machines: a client machine, a server machine
and a Microsoft Active Directory domain controller. The client and server machines should be
members of the Active Directory domain.</p>

<div>
<ul>
    <li><a href='#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController'>Setting
up the Active Directory Domain Controller</a></li>
    <li><a href='#UsingSpengoingeronimo-Settinguptheclientmachine'>Setting up
the client machine</a></li>
    <li><a href='#UsingSpengoingeronimo-Settingupyourgeronoimoservermachine'>Setting
up your Geronimo server machine</a></li>
    <li><a href='#UsingSpengoingeronimo-Fewveryimportantpointstonote%3A'>Few very
important points to note:</a></li>
</ul></div>
<h1><a name="UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController"></a>Setting
up the Active Directory Domain Controller</h1>
<ul>
	<li>Create a user in the Active Directory. Make sure that the user you create is unique
and is not listed under Computers or Domain Controllers. In our case we have created a user called
testuser with the password testuser123.</li>
	<li>Map the service principal name to the user account you created in the previous
step. A service principal name (SPN) has the form HTTP/&lt;Fully_Qualified_Host_Name&gt;. In
our case the SPN is HTTP/test.xyz.com. Run the following command to map the SPN to the user
account:<br/>
C:\Program Files\Support Tools&gt;setspn -A HTTP/test.xyz.com testuser</li>
	<li>The next step is to create a keytab file. Run the following command:<br/>
C:\Program Files\Support Tools&gt;ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM
-mapUser testuser -mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL<br/>
The keytab holds the long-term key of the service account, so restrict read access to the file on
every machine it is copied to.</li>
</ul>


<p>With this step we are done with setting up the Active Directory domain controller
machine.</p>

<h1><a name="UsingSpengoingeronimo-Settinguptheclientmachine"></a>Setting
up the client machine</h1>

<p>On the client machine we need to configure the browser for SPNEGO. Internet Explorer
can be configured as follows:</p>

<ul>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet-&gt;Sites.
Check all three boxes.</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet-&gt;Sites-&gt;Advanced.
Add the name of the server host machine. In our case we have added it as
<a href="http://test.xyz.com" rel="nofollow">http://test.xyz.com</a>. Select OK.</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Security-&gt;Local Intranet.
Select Custom Level. Scroll down to the bottom and check that Logon is set to "Automatic Logon
in Intranet zone".</li>
	<li>Go to Tools-&gt;Internet Options-&gt;Advanced. Check that "Enable Integrated
Windows Authentication (requires restart)" is selected.</li>
</ul>


<p>Mozilla Firefox can be configured as follows:</p>

<ul>
	<li>In the URL address bar type about:config and press Enter.</li>
	<li>In the filter enter network.nego. This lists 5 properties. Modify<br/>
network.negotiate-auth.delegation-uris and add http://,https://<br/>
network.negotiate-auth.trusted-uris and add http://,https://<br/>
Bare scheme prefixes make Firefox send Negotiate tokens, and delegate credentials, to every
site; limiting both values to the server name (test.xyz.com in our case) keeps that scoped
to the one host that needs it.</li>
	<li>Once done, restart the browser.</li>
</ul>


<p>This sets up your client machine. Make sure you log in to the client machine with an
account from the Active Directory domain.</p>

<h1><a name="UsingSpengoingeronimo-Settingupyourgeronoimoservermachine"></a>Setting
up your Geronimo server machine</h1>
<ul>
	<li>Make sure you log in to this machine with an account from the Active Directory domain.</li>
	<li>Install Geronimo on the server machine.</li>
	<li>Copy the krb5.keytab created in step 3 of "Setting up the Active Directory Domain Controller"
to C:/winnt on the server machine.</li>
	<li>Copy the krb5.ini file to C:/winnt on the server machine. A sample krb5.ini for your
reference:
<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>krb5.ini</b></div><div
class="codeContent panelContent">
<pre class="code-java">[libdefaults]
default_realm = XYZ.COM
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
forwardable=<span class="code-keyword">true</span>


[realms]
XYZ.COM = {
 		kdc = ram1.xyz.com:88
}

[domain_realm]
xyz.com= XYZ.COM
.xyz.com = XYZ.COM
</pre>
</div></div></li>
</ul>
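<p>The [domain_realm] and [realms] sections above decide which realm a host belongs to and which
KDC is asked for its tickets, and the realm in the keytab principal (XYZ.COM in the ktpass command)
has to agree with that mapping or the server cannot accept the browser's ticket. The following
is an added example, not code from the wiki page or the Geronimo project: it parses a constructed
copy of the sample krb5.ini, resolves a host to its realm the way [domain_realm] lookup is
meant to work (exact host first, then the nearest parent domain, then default_realm), and checks a
service principal against the result. The parser only covers the syntax used on this page, and
the function names are mine.</p>

```python
import re

# Constructed copy of the krb5.ini shown on the page (raw string keeps the backslashes).
SAMPLE_KRB5_INI = r"""[libdefaults]
default_realm = XYZ.COM
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
forwardable=true

[realms]
XYZ.COM = {
    kdc = ram1.xyz.com:88
}

[domain_realm]
xyz.com= XYZ.COM
.xyz.com = XYZ.COM
"""


def parse_krb5_ini(text):
    """Parse the krb5.ini subset used on the page into {section: {key: value}}.

    A [realms] entry written as 'REALM = { ... }' becomes a nested dict keyed by
    the realm name. Lines starting with '#' or ';' are comments.
    """
    config = {}
    section = None
    block = None  # dict being filled while inside 'NAME = { ... }'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError("key/value before any section: %r" % raw)
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            config[section][key] = block
        elif block is not None:
            block[key] = value
        else:
            config[section][key] = value
    return config


def realm_for_host(config, hostname):
    """Resolve a host name to a realm via [domain_realm].

    Order follows the krb5.conf rules: an exact host entry first, then the
    nearest parent domain ('.xyz.com' covers every host under xyz.com, and a
    plain 'xyz.com' host entry implicitly covers the domain too); if nothing
    matches, default_realm from [libdefaults] is used.
    """
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in config.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return config.get("libdefaults", {}).get("default_realm")


def check_service_principal(config, principal):
    """Return a list of problems for a principal such as HTTP/test.xyz.com@XYZ.COM.

    The realm named in the principal must be the realm the host maps to, that
    realm needs a KDC, and browser SPNEGO uses the HTTP service class.
    """
    match = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", principal)
    if not match:
        raise ValueError("expected service/host@REALM, got %r" % principal)
    service, host, realm = match.groups()
    problems = []
    mapped = realm_for_host(config, host)
    if mapped != realm:
        problems.append("host %s maps to realm %s but the principal names %s" % (host, mapped, realm))
    realms = config.get("realms", {})
    if realm not in realms:
        problems.append("no [realms] entry for %s" % realm)
    elif "kdc" not in realms[realm]:
        problems.append("no kdc configured for realm %s" % realm)
    if service != "HTTP":
        problems.append("browser SPNEGO expects the HTTP service class, got %s" % service)
    return problems


if __name__ == "__main__":
    cfg = parse_krb5_ini(SAMPLE_KRB5_INI)
    print(realm_for_host(cfg, "test.xyz.com"))
    print(check_service_principal(cfg, "HTTP/test.xyz.com@XYZ.COM") or "principal matches krb5.ini")
```

<p>Run it against the real krb5.ini before copying the keytab across; a realm mismatch here shows
up later only as an opaque GSS failure in the server log. Note also that the des-cbc-* enctypes
in the sample are legacy types that current domain controllers disable by default, so rc4-hmac is
the one that actually carries the example.</p>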


<ul>
	<li>Set up the following parameters before starting the server.<br/>
set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all  -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true<br/>
Make sure you set "org.apache.tomcat.config.NEGOTIATE=true", otherwise you will not be
able to use SPNEGO. The com.ibm.security.* properties turn on Kerberos debug output on the IBM JDK
(other JVMs ignore them); they are useful while setting up and can be dropped afterwards.</li>
	<li>Start the server with the "geronimo.bat run" command.</li>
	<li>Create a realm for SPNEGO. You can add a second login module as a fallback for when SPNEGO fails.
For reference, here is a sample SPNEGO realm. This<br/>
realm combines a SPNEGO login module with a properties-file login module. If SPNEGO authentication
fails, authentication falls back on<br/>
the properties realm.
<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>spnego_properties_realm.xml</b></div><div
class="codeContent panelContent">
<pre class="code-java">&lt;module xmlns=<span class="code-quote">"http:<span
class="code-comment">//geronimo.apache.org/xml/ns/deployment-1.2"</span>&gt;
</span>    &lt;environment&gt;
        &lt;moduleId&gt;
            &lt;groupId&gt;console.realm&lt;/groupId&gt;
            &lt;artifactId&gt;SpnegoTest&lt;/artifactId&gt;
            &lt;version&gt;1.0&lt;/version&gt;
            &lt;type&gt;car&lt;/type&gt;
        &lt;/moduleId&gt;
        &lt;dependencies&gt;
            &lt;dependency&gt;
                &lt;groupId&gt;org.apache.geronimo.framework&lt;/groupId&gt;
                &lt;artifactId&gt;j2ee-security&lt;/artifactId&gt;
                &lt;type&gt;car&lt;/type&gt;
            &lt;/dependency&gt;
        &lt;/dependencies&gt;
    &lt;/environment&gt;
    &lt;gbean name=<span class="code-quote">"SpnegoTest"</span> class=<span
class="code-quote">"org.apache.geronimo.security.realm.GenericSecurityRealm"</span>
xsi:type=<span class="code-quote">"dep:gbeanType"</span> xmlns:dep=<span class="code-quote">"http:<span
class="code-comment">//geronimo.apache.org/xml/ns/deployment-1.2"</span> xmlns:xsi=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
</span>        &lt;attribute name=<span class="code-quote">"realmName"</span>&gt;SpnegoTest&lt;/attribute&gt;
        &lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;
            &lt;name&gt;ServerInfo&lt;/name&gt;
        &lt;/reference&gt;
        &lt;xml-reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;
            &lt;log:login-config xmlns:log=<span class="code-quote">"http:<span
class="code-comment">//geronimo.apache.org/xml/ns/loginconfig-2.0"</span>&gt;
</span>                &lt;log:login-module control-flag=<span class="code-quote">"SUFFICIENT"</span>
wrap-principals=<span class="code-quote">"<span class="code-keyword">false</span>"</span>&gt;
                    &lt;log:login-domain-name&gt;SpnegoTest&lt;/log:login-domain-name&gt;
                    &lt;log:login-module-class&gt;org.apache.geronimo.security.realm.providers.SpnegoLoginModule&lt;/log:login-module-class&gt;
                    &lt;log:option name=<span class="code-quote">"targetName"</span>&gt;http/test.xyz.com&lt;/log:option&gt;
                    &lt;log:option name=<span class="code-quote">"ldapUrl"</span>&gt;ldap:<span
class="code-comment">//ram1.xyz.com:389&lt;/log:option&gt;
</span>		    &lt;log:option name=<span class="code-quote">"ldapLoginName"</span>&gt;ashish&lt;/log:option&gt;
		    &lt;log:option name=<span class="code-quote">"ldapLoginPassword"</span>&gt;ashish123&lt;/log:option&gt;
	            &lt;log:option name=<span class="code-quote">"searchBase"</span>&gt;DC=xyz,DC=COM&lt;/log:option&gt;
                    &lt;log:option name=<span class="code-quote">"ldapUrl"</span>&gt;ldap:<span
class="code-comment">//ram1.xyz.com:389&lt;/log:option&gt;
</span>		    &lt;log:option name=<span class="code-quote">"ldapLoginName"</span>&gt;ashish&lt;/log:option&gt;
		    &lt;log:option name=<span class="code-quote">"ldapLoginPassword"</span>&gt;ashish123&lt;/log:option&gt;
	            &lt;log:option name=<span class="code-quote">"searchBase"</span>&gt;DC=xyz,DC=COM&lt;/log:option&gt;
                &lt;/log:login-module&gt;
                &lt;log:login-module control-flag=<span class="code-quote">"SUFFICIENT"</span>
wrap-principals=<span class="code-quote">"<span class="code-keyword">false</span>"</span>&gt;
                    &lt;log:login-domain-name&gt;demo-properties-realm&lt;/log:login-domain-name&gt;
                    &lt;log:login-module-class&gt;org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule&lt;/log:login-module-class&gt;
                    &lt;log:option name=<span class="code-quote">"usersURI"</span>&gt;<span
class="code-keyword">var</span>/security/demo_users.properties&lt;/log:option&gt;
                    &lt;log:option name=<span class="code-quote">"groupsURI"</span>&gt;<span
class="code-keyword">var</span>/security/demo_groups.properties&lt;/log:option&gt;
                &lt;/log:login-module&gt;
            &lt;/log:login-config&gt;
        &lt;/xml-reference&gt;
    &lt;/gbean&gt;
&lt;/module&gt;
</pre>
</div></div></li>
</ul>


<ul>
	<li>Develop an application and make sure you use BASIC as the authentication mechanism
in its web.xml.</li>
	<li>Access the protected resource of the application from the client machine. You should
be able to access the resource without any prompt for a username and password.</li>
	<li>Now access the protected resource from a machine which is not part of the Active Directory
domain. In this case the SPNEGO login fails and authentication falls back on the properties-file login.
Enter the credentials and you will be able to access the resource.</li>
</ul>


<h1><a name="UsingSpengoingeronimo-Fewveryimportantpointstonote%3A"></a>Few
very important points to note:</h1>

<ul>
	<li>Make sure that you use BASIC as the authentication mechanism in your web application
if you want to configure SPNEGO with Geronimo.</li>
	<li>The realm provided is a combination of two login modules, which can easily be created
through the Geronimo administrative console.</li>
	<li>While creating a security realm for the SPNEGO login module you need to specify just
one option, of the form "targetName=http/&lt;fully_qualified_host_name&gt;".
Have a look at the sample realm for the option to be used.</li>
	<li>Make sure you choose SUFFICIENT as the control-flag while creating the two login
modules.</li>
	<li>Make sure you map only one user to the SPN, as described in step 2 of "Setting up the Active
Directory Domain Controller".</li>
</ul>
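<p>The points above (BASIC in web.xml, SUFFICIENT on both login modules, a targetName of the form
http/&lt;fully_qualified_host_name&gt;) are easy to get wrong when the realm is typed into the
console, and the symptom is usually just a login that never falls back. The following is an added
example, my code rather than Geronimo's, that lints a realm deployment plan and a web.xml against
exactly those points and also flags an option name repeated inside one login module. The plan
embedded below is a constructed, trimmed copy of the spnego_properties_realm.xml sample above, and
the web.xml fragment is constructed for the check.</p>

```python
import re
import xml.etree.ElementTree as ET

LOG_NS = "http://geronimo.apache.org/xml/ns/loginconfig-2.0"
WEB_NS = "http://java.sun.com/xml/ns/javaee"
SPNEGO_CLASS = "org.apache.geronimo.security.realm.providers.SpnegoLoginModule"

# Constructed, trimmed copy of the page's realm plan: only the login-config part.
SAMPLE_REALM_PLAN = """<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>SpnegoTest</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
    <log:option name="targetName">http/test.xyz.com</log:option>
    <log:option name="ldapUrl">ldap://ram1.xyz.com:389</log:option>
    <log:option name="searchBase">DC=xyz,DC=COM</log:option>
  </log:login-module>
  <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
    <log:login-domain-name>demo-properties-realm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
    <log:option name="usersURI">var/security/demo_users.properties</log:option>
    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
  </log:login-module>
</log:login-config>"""

# Constructed broken variant: REQUIRED on the SPNEGO module, a duplicated ldapUrl
# option, and a targetName whose host part is not fully qualified.
BAD_REALM_PLAN = (
    SAMPLE_REALM_PLAN
    .replace('<log:option name="searchBase">',
             '<log:option name="ldapUrl">ldap://ram1.xyz.com:389</log:option>\n'
             '    <log:option name="searchBase">', 1)
    .replace("http/test.xyz.com", "http/test")
    .replace('control-flag="SUFFICIENT"', 'control-flag="REQUIRED"', 1)
)

# Constructed web.xml with the BASIC login-config the page asks for.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SpnegoTest</realm-name>
  </login-config>
</web-app>"""


def lint_realm_plan(plan_xml):
    """Return a list of problems found in a Geronimo login-config.

    Checks: every login module is SUFFICIENT (so a failed SPNEGO attempt can
    fall back), no option name is repeated within a module, and the
    SpnegoLoginModule carries a targetName of the form http/<fqdn>.
    """
    problems = []
    root = ET.fromstring(plan_xml)
    spnego_seen = False
    for module in root.iter("{%s}login-module" % LOG_NS):
        name = module.findtext("{%s}login-domain-name" % LOG_NS, default="?")
        cls = module.findtext("{%s}login-module-class" % LOG_NS, default="")
        flag = module.get("control-flag")
        if flag != "SUFFICIENT":
            problems.append("%s: control-flag is %s, expected SUFFICIENT" % (name, flag))
        options = {}
        for opt in module.findall("{%s}option" % LOG_NS):
            key = opt.get("name")
            if key in options:
                problems.append("%s: option %r is given more than once" % (name, key))
            options[key] = (opt.text or "").strip()
        if cls == SPNEGO_CLASS:
            spnego_seen = True
            target = options.get("targetName", "")
            # host part must contain a dot, i.e. be fully qualified
            if not re.fullmatch(r"(?i)http/[^/@\s]+\.[^/@\s]+", target):
                problems.append("%s: targetName %r is not http/<fully_qualified_host_name>" % (name, target))
    if not spnego_seen:
        problems.append("no SpnegoLoginModule in the realm")
    return problems


def lint_web_xml(web_xml):
    """Return a problem list; the SpnegoLoginModule needs auth-method BASIC."""
    root = ET.fromstring(web_xml)
    method = root.findtext("{%s}login-config/{%s}auth-method" % (WEB_NS, WEB_NS))
    if method != "BASIC":
        return ["auth-method is %r, SPNEGO with Geronimo needs BASIC" % method]
    return []


if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_REALM_PLAN), ("broken", BAD_REALM_PLAN)):
        print(label, lint_realm_plan(plan) or "ok")
    print("web.xml", lint_web_xml(SAMPLE_WEB_XML) or "ok")
```

<p>The linter works on the full deployment plan as well, since it walks every login-module
element wherever it sits under the module root; point it at the plan you actually deploy and at
the web.xml of the application before testing from the client machine.</p>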

     </div>
</div>
</div>
</div>
</div>
</body>
</html>
