geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.2 > Using SPNEGO in Geronimo
Date Tue, 01 Jun 2010 05:56:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Using+SPNEGO+in+Geronimo">Using
SPNEGO in Geronimo</a></h2>
    <h4>Page  <b>added</b> by             <a href="http://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
         <br/>
    <div class="notificationGreySide">

<p>Using the <a href="ftp://ftp.isi.edu/in-notes/rfc2478.txt" title="SPNEGO" class="external-link"
rel="nofollow">Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)</a> in
Geronimo allows HTTP users to log in and authenticate only once, on their desktop; after that the
Geronimo server authenticates them automatically. Note that this feature is only
supported in Geronimo 2.2.1 or later.</p>

<div>
<ul>
    <li><a href='#UsingSPNEGOinGeronimo-Prerequisite'>Prerequisite</a></li>
    <li><a href='#UsingSPNEGOinGeronimo-Procedure'>Procedure</a></li>
<ul>
    <li><a href='#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine'>Setting
up the Domain Controller Machine</a></li>
    <li><a href='#UsingSPNEGOinGeronimo-SettinguptheClientApplicationMachine'>Setting
up the Client Application Machine</a></li>
<ul>
    <li><a href='#UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinMicrosoftInternetExplorerbrowser'>Enable
SPNEGO authentication in Microsoft Internet Explorer browser</a></li>
    <li><a href='#UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinFirefox'>Enable
SPNEGO authentication in Firefox</a></li>
</ul>
    <li><a href='#UsingSPNEGOinGeronimo-SettinguptheGeronimoserver'>Setting up
the Geronimo server</a></li>
</ul>
    <li><a href='#UsingSPNEGOinGeronimo-Fewveryimportantpointstonote%3A'>A few very
important points to note</a></li>
</ul></div>

<h1><a name="UsingSPNEGOinGeronimo-Prerequisite"></a>Prerequisite</h1>
<p>Using SPNEGO requires three distinct machines:</p>
<ul>
	<li>A Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain
Controller and the associated Kerberos Key Distribution Center (KDC)</li>
	<li>A domain member with a web browser, for example Microsoft Internet Explorer
or Firefox</li>
	<li>A server platform running Geronimo</li>
</ul>


<p>Note that the clocks on the clients, the Microsoft Active Directory Domain Controller and
the Geronimo server must be synchronized to within five minutes, and all of them must be in the same
domain.</p>

<h1><a name="UsingSPNEGOinGeronimo-Procedure"></a>Procedure</h1>
<h2><a name="UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine"></a>Setting
up the Domain Controller Machine</h2>
<ol>
	<li>Create a user account in Active Directory. Make sure that the user you create
is unique and is not listed under Computers or Domain Controllers. This account will eventually be
mapped to the Kerberos service principal name (SPN).</li>
	<li>Map the user account to the SPN with the <b>setspn</b> command. Typically,
an SPN looks like <em>HTTP/&lt;Fully_Qualified_Host_Name&gt;</em>. Make
sure that the same SPN is not mapped to more than one Microsoft user account. If
you map the same SPN to more than one user account, the web browser client can send an <a
href="http://en.wikipedia.org/wiki/NTLM" title="NTLM" class="external-link" rel="nofollow">NT
LAN Manager (NTLM)</a> authentication request instead of a SPNEGO token to the Geronimo server.
See <a href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b3a029a1-7ff0-4f6f-87d2-f2e70294a576.mspx"
title="setspn command" class="external-link" rel="nofollow">Windows 2003 Technical Reference
(setspn command)</a> for more usages of the command.
<div class="panel" style="border-width: 1px;"><div class="panelContent">
<p>setspn -A HTTP/test.xyz.com testuser</p>
</div></div>
<p>where</p>
	<ul>
		<li><em>testuser</em> is the user account created in step 1</li>
		<li><em>HTTP/test.xyz.com</em> is the unique SPN mapped to <em>testuser</em>;
<em>test.xyz.com</em> is the host name of the Geronimo server.</li>
	</ul>
	</li>
	<li>Create the Kerberos keytab file (<tt>krb5.keytab</tt>) with the
<b>ktpass</b> command and make the file available to the Geronimo server by copying it from
the Domain Controller to the Geronimo server. See <a href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/64042138-9a5a-4981-84e9-d576a8db0d05.mspx"
title="ktpass" class="external-link" rel="nofollow">Windows 2003 Technical Reference (ktpass
command)</a> for more usages of the command.
<div class="panel" style="border-width: 1px;"><div class="panelContent">
<p>ktpass -out c:\winnt\krb5.keytab -princ HTTP/test.xyz.com@XYZ.COM -mapUser testuser
-mapOp set -pass testuser123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL</p>
</div></div>
<p>where</p>
	<ul>
		<li><em>HTTP/test.xyz.com@XYZ.COM</em> is the concatenation of the user
logon name and the realm name, which must be in uppercase.</li>
		<li><em>testuser</em> is the user account for mapping.</li>
		<li><em>testuser123</em> is the password of the user <b>testuser</b>.</li>
	</ul>
	</li>
</ol>


<h2><a name="UsingSPNEGOinGeronimo-SettinguptheClientApplicationMachine"></a>Setting
up the Client Application Machine</h2>
<p>On the client machines, the web browsers are responsible for generating the SPNEGO token
that the Geronimo server uses to authenticate the user. Perform the following configuration for your browsers. Note
that the resources on the Geronimo server can only be accessed through the domain name of the Geronimo
server, and the client machines must be members of the domain.</p>
<h3><a name="UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinMicrosoftInternetExplorerbrowser"></a>Enable
SPNEGO authentication in Microsoft Internet Explorer browser</h3>
<ol>
	<li>In the Internet Explorer window, click <b>Tools &gt; Internet Options &gt; Security</b>
tab.</li>
	<li>Select the <b>Local Intranet</b> icon and click <b>Sites</b>.</li>
	<li>Make sure all check boxes are selected in the <b>Local Intranet</b>
window, then click the <b>Advanced</b> button.</li>
	<li>Add the URI of the Geronimo server, for example <tt>http://test.xyz.com</tt>, to the list of Web sites
so that Single Sign-On (SSO) can be enabled, then click <b>OK</b> to complete
this step and close the <b>Local intranet</b> window.</li>
	<li>On the <b>Internet Options</b> window, click the <b>Advanced</b>
tab and go to <b>Security settings</b>. Make sure the <b>Enable Integrated Windows
Authentication (requires restart)</b> check box is selected, then click <b>OK</b>
to close all windows.</li>
	<li>Restart Microsoft Internet Explorer to activate the configuration.</li>
</ol>


<h3><a name="UsingSPNEGOinGeronimo-EnableSPNEGOauthenticationinFirefox"></a>Enable
SPNEGO authentication in Firefox</h3>
<ol>
	<li>In the URL address bar of your Firefox browser, type <b>about:config</b>
and press the Enter key.</li>
	<li>In the window that appears, type <b>network.nego</b> in the <b>Filter</b> field.</li>
	<li>Double click <b>network.negotiate-auth.trusted-uris</b> and add
<tt>http://,https://</tt> in the pop-up window, then click <b>OK</b> to close the window.</li>
	<li>Double click <b>network.negotiate-auth.delegation-uris</b> and add
<tt>http://,https://</tt> in the pop-up window, then click <b>OK</b> to close the window.</li>
	<li>Restart Firefox to activate the configuration.</li>
</ol>


<h2><a name="UsingSPNEGOinGeronimo-SettinguptheGeronimoserver"></a>Setting
up the Geronimo server</h2>
<ol>
	<li>Copy the Kerberos keytab file <tt>krb5.keytab</tt> to a directory
on your Geronimo server. The file was created during <a href="#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine">Setting
up the Domain Controller Machine</a>.</li>
	<li>Create a basic Kerberos configuration file named <tt>krb5.ini</tt>
so that the server can use SPNEGO. Store the file on the local server, with the following
keys defining the Kerberos key distribution center (KDC) and the realm settings used for
SPNEGO authentication.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>krb5.ini</b></div><div class="codeContent
panelContent">
<pre class="code-java">
[libdefaults]
  default_realm = XYZ.COM
  default_keytab_name = FILE:c:\winnt\krb5.keytab
  default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
  default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
  forwardable = true
[realms]
  XYZ.COM = {
    kdc = domaincontroller.xyz.com:88
    default_domain = xyz.com
  }
[domain_realm]
  xyz.com = XYZ.COM
  .xyz.com = XYZ.COM
</pre>
</div></div></li>
	<li>Configure the JVM properties with the following key/value pairs to make sure the JVM reads
the Kerberos configuration successfully.
<div class="panel" style="border-width: 1px;"><div class="panelContent">
<p>set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false</p>
</div></div></li>
	<li>Create a system-scope security realm for the Geronimo server as follows. The sample
combines a SPNEGO realm and a .properties file realm so that authentication falls back to
the .properties realm if SPNEGO authentication fails. You can remove the .properties
file realm if it is not needed.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>spnego_properties_realm.xml</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;module xmlns=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>&gt;</span>
    <span class="code-tag">&lt;environment&gt;</span>
        <span class="code-tag">&lt;moduleId&gt;</span>
            <span class="code-tag">&lt;groupId&gt;</span>console.realm<span
class="code-tag">&lt;/groupId&gt;</span>
            <span class="code-tag">&lt;artifactId&gt;</span>SpnegoTest<span
class="code-tag">&lt;/artifactId&gt;</span>
            <span class="code-tag">&lt;version&gt;</span>1.0<span class="code-tag">&lt;/version&gt;</span>
            <span class="code-tag">&lt;type&gt;</span>car<span class="code-tag">&lt;/type&gt;</span>
        <span class="code-tag">&lt;/moduleId&gt;</span>
        <span class="code-tag">&lt;dependencies&gt;</span>
            <span class="code-tag">&lt;dependency&gt;</span>
                <span class="code-tag">&lt;groupId&gt;</span>org.apache.geronimo.framework<span
class="code-tag">&lt;/groupId&gt;</span>
                <span class="code-tag">&lt;artifactId&gt;</span>j2ee-security<span
class="code-tag">&lt;/artifactId&gt;</span>
                <span class="code-tag">&lt;type&gt;</span>car<span
class="code-tag">&lt;/type&gt;</span>
            <span class="code-tag">&lt;/dependency&gt;</span>
        <span class="code-tag">&lt;/dependencies&gt;</span>
    <span class="code-tag">&lt;/environment&gt;</span>
    &lt;gbean name=<span class="code-quote">"SpnegoTest"</span> class=<span
class="code-quote">"org.apache.geronimo.security.realm.GenericSecurityRealm"</span>
xsi:type=<span class="code-quote">"dep:gbeanType"</span> 
                 <span class="code-keyword">xmlns:dep</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>
<span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
        <span class="code-tag">&lt;attribute name=<span class="code-quote">"realmName"</span>&gt;</span>SpnegoTest<span
class="code-tag">&lt;/attribute&gt;</span>
        <span class="code-tag">&lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;</span>
            <span class="code-tag">&lt;name&gt;</span>ServerInfo<span
class="code-tag">&lt;/name&gt;</span>
        <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;xml-reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;</span>
            <span class="code-tag">&lt;log:login-config <span class="code-keyword">xmlns:log</span>=<span
class="code-quote">"http://geronimo.apache.org/xml/ns/loginconfig-2.0"</span>&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"SUFFICIENT"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>SpnegoTest<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.SpnegoLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"targetName"</span>&gt;</span>http/test.xyz.com<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"ldapUrl"</span>&gt;</span>ldap://domaincontroller.xyz.com:389<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"ldapLoginName"</span>&gt;</span>testuser<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"ldapLoginPassword"</span>&gt;</span>testuser123<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"searchBase"</span>&gt;</span>DC=xyz,DC=com<span
class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"SUFFICIENT"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>demo-properties-realm<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"usersURI"</span>&gt;</span>var/security/demo_users.properties<span
class="code-tag">&lt;/log:option&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"groupsURI"</span>&gt;</span>var/security/demo_groups.properties<span
class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
            <span class="code-tag">&lt;/log:login-config&gt;</span>
        <span class="code-tag">&lt;/xml-reference&gt;</span>
    <span class="code-tag">&lt;/gbean&gt;</span>
<span class="code-tag">&lt;/module&gt;</span>
</pre>
</div></div></li>
	<li>Configure the deployment plan of your application to make sure the SPNEGO realm
is invoked properly. See the sample code below for reference.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>geronimo-web.xml</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span>?&gt;</span>
&lt;web:web-app <span class="code-keyword">xmlns:app</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/j2ee/application-2.0"</span>
   <span class="code-keyword">xmlns:client</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0"</span>

        <span class="code-keyword">xmlns:conn</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/j2ee/connector-1.2"</span>
<span class="code-keyword">xmlns:dep</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>

        <span class="code-keyword">xmlns:ejb</span>=<span class="code-quote">"http://openejb.apache.org/xml/ns/openejb-jar-2.2"</span>
<span class="code-keyword">xmlns:name</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/naming-1.2"</span>

        <span class="code-keyword">xmlns:pers</span>=<span class="code-quote">"http://java.sun.com/xml/ns/persistence"</span>
<span class="code-keyword">xmlns:pkgen</span>=<span class="code-quote">"http://openejb.apache.org/xml/ns/pkgen-2.1"</span>

        <span class="code-keyword">xmlns:sec</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/security-2.0"</span>
<span class="code-keyword">xmlns:web</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"</span>&gt;
    <span class="code-tag">&lt;dep:environment&gt;</span>
        <span class="code-tag">&lt;dep:moduleId&gt;</span>
            <span class="code-tag">&lt;dep:groupId&gt;</span>com.ibm.wasce.samples<span
class="code-tag">&lt;/dep:groupId&gt;</span>
            <span class="code-tag">&lt;dep:artifactId&gt;</span>security-demo<span
class="code-tag">&lt;/dep:artifactId&gt;</span>
            <span class="code-tag">&lt;dep:version&gt;</span>2.1.1.4<span
class="code-tag">&lt;/dep:version&gt;</span>
            <span class="code-tag">&lt;dep:type&gt;</span>war<span
class="code-tag">&lt;/dep:type&gt;</span>
        <span class="code-tag">&lt;/dep:moduleId&gt;</span>
        <span class="code-tag">&lt;dep:dependencies/&gt;</span>
        <span class="code-tag">&lt;dep:hidden-classes&gt;</span>
            <span class="code-tag">&lt;dep:filter&gt;</span>
	        org.apache.geronimo.security.realm.providers.SpnegoLoginModule
	    <span class="code-tag">&lt;/dep:filter&gt;</span>
        <span class="code-tag">&lt;/dep:hidden-classes&gt;</span>
        <span class="code-tag">&lt;dep:non-overridable-classes/&gt;</span>
    <span class="code-tag">&lt;/dep:environment&gt;</span>
    <span class="code-tag">&lt;web:context-root&gt;</span>/demo<span
class="code-tag">&lt;/web:context-root&gt;</span>
    <span class="code-tag">&lt;web:security-realm-name&gt;</span>SpnegoTest<span
class="code-tag">&lt;/web:security-realm-name&gt;</span>
    <span class="code-tag">&lt;sec:security&gt;</span>
        <span class="code-tag">&lt;sec:role-mappings&gt;</span>
            <span class="code-tag">&lt;sec:role role-name=<span class="code-quote">"content-administrator"</span>&gt;</span>
                <span class="code-tag">&lt;sec:principal class=<span class="code-quote">"org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"</span>
name=<span class="code-quote">"Domain Admins"</span>/&gt;</span>
		<span class="code-tag">&lt;sec:principal class=<span class="code-quote">"org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"</span>
name=<span class="code-quote">"testuser@TEST.XYZ.COM"</span>/&gt;</span>
            <span class="code-tag">&lt;/sec:role&gt;</span>
            <span class="code-tag">&lt;sec:role role-name=<span class="code-quote">"Guest-administrator"</span>&gt;</span>
           <span class="code-tag">&lt;sec:principal class=<span class="code-quote">"org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"</span>
name=<span class="code-quote">"Domain Admins"</span>/&gt;</span>
             <span class="code-tag">&lt;/sec:role&gt;</span>
        <span class="code-tag">&lt;/sec:role-mappings&gt;</span>
    <span class="code-tag">&lt;/sec:security&gt;</span>
<span class="code-tag">&lt;/web:web-app&gt;</span>
</pre>
</div></div></li>
	<li>Configure the deployment descriptor to make sure your application uses SPNEGO authentication
and the respective realm provider that Geronimo server supports.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>excerpt of web.xml</b></div><div
class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"ISO-8859-1"</span>?&gt;</span>
...
   <span class="code-tag">&lt;login-config&gt;</span>
      <span class="code-tag">&lt;auth-method&gt;</span>SPNEGO<span
class="code-tag">&lt;/auth-method&gt;</span>
      <span class="code-tag">&lt;realm-name&gt;</span>SpnegoTest<span
class="code-tag">&lt;/realm-name&gt;</span>
      ...
   <span class="code-tag">&lt;/login-config&gt;</span>
</pre>
</div></div></li>
</ol>


<h1><a name="UsingSPNEGOinGeronimo-Fewveryimportantpointstonote%3A"></a>A few
very important points to note</h1>

<ul>
	<li>Make sure that you use Basic as the authentication mechanism in your web application
if you want to configure SPNEGO with Geronimo.</li>
	<li>The realm provided is a combination of two login modules, which can easily be created
through the Geronimo administrative console.</li>
	<li>While creating a security realm for the SPNEGO login module you only need to
specify one option, of the form "targetName=http/&lt;fully_qualified_host_name&gt;".
Have a look at the sample realm above for the option to be used.</li>
	<li>Make sure you choose SUFFICIENT as the control-flag while creating the two login
modules.</li>
	<li>Make sure you map only one user to the SPN, as described in step 2 of <a href="#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine">Setting
up the Domain Controller Machine</a>.</li>
</ul>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
