geronimo-user mailing list archives

From "Williams, Alex" <alex.willi...@Linklaters.com>
Subject Kerberos Security Realm
Date Thu, 30 Mar 2006 14:32:00 GMT
Hi,

Has anyone successfully implemented a Kerberos Security Realm? I'm using
Geronimo 1.0, JDK 1.4.2 on Windows XP and would like to achieve single
sign on against the Windows KDC.

I have managed to get a standalone java example to work, but I'm a bit
lost when it comes to configuring a Security Realm in Geronimo. Do I
have to do any configuration outside of Geronimo - e.g. properties files
within the JVM installation?

Any tips or samples would be very gratefully received.

See below for what I've tried so far.

Thanks,
Alex



I've created a Security Realm in the Geronimo Console with the following
plan:

<configuration configId="SecurityRealm-my-kerberos-realm"
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <gbean name="my-kerberos-realm"
        class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">my-kerberos-realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>my-kerberos-realm</log:login-domain-name>
                    <log:login-module-class>com.sun.security.auth.module.Krb5LoginModule</log:login-module-class>
                    <log:option name="debug">true</log:option>
                    <log:option name="doNotPrompt">true</log:option>
                    <log:option name="useTicketCache">true</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>


I added the following to the web.xml for my app:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>This is not used for FORM login</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>


And I added the following to geronimo-web.xml:

    <security-realm-name>my-kerberos-realm</security-realm-name>
    <security>
        <default-principal>
            <principal name="anonymous"
                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
        </default-principal>
        <role-mappings>
            <role role-name="admin">
                <principal name="administrators" designated-run-as="true"
                    class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
                <principal name="awilliams"
                    class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
            </role>
        </role-mappings>
    </security>


I have created /protected/index.htm, but I have NOT implemented
/login.jsp or /loginerror.jsp. I am logged into the windows domain as
"awilliams", so I expect SSO to work. It appears not to, since I get a
404 error saying that /login.jsp does not exist.

I'd obviously like to get the SSO working through the Windows KDC. I
presume though that I need the login screens to fallback on. Down the
road, do I need an extra login module to authenticate against
ActiveDirectory if the SSO fails?
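The standalone JAAS login that the realm plan above wraps, as an added example (not code from the post or from Geronimo; the realm and KDC names are placeholders): it runs Krb5LoginModule with the same doNotPrompt/useTicketCache options and prints which principal comes back. With useTicketCache the module authenticates the account whose ticket cache the JVM reads, so inside Geronimo that is the server process rather than the browser user, and FORM authentication sends an unauthenticated browser to the login page before any login module runs, which is the redirect behind the 404.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
// Added example (not from the post or Geronimo), written against the JDK 1.4 JAAS API.
public class Krb5RealmCheck {
    // Mirrors the <log:login-module> block: REQUIRED, debug, doNotPrompt, useTicketCache.
    static Configuration realmConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map options = new HashMap();
                options.put("debug", "true");
                options.put("doNotPrompt", "true");    // never ask for a password
                options.put("useTicketCache", "true"); // only reuse an existing TGT
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
                };
            }
            public void refresh() { }
        };
    }

    public static void main(String[] args) {
        // Kerberos settings live outside Geronimo: these JVM properties or a krb5
        // config file. EXAMPLE.COM and kdc.example.com are placeholders.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");
        Configuration.setConfiguration(realmConfig());
        try {
            LoginContext lc = new LoginContext("my-kerberos-realm");
            lc.login();
            // The principal printed is the account running this JVM (whose ticket
            // cache was read), not any remote browser user.
            for (Iterator it = lc.getSubject().getPrincipals().iterator(); it.hasNext();) {
                System.out.println("Authenticated as: " + it.next());
            }
        } catch (LoginException e) {
            // With doNotPrompt=true an empty or unreadable ticket cache fails here
            // instead of prompting; a fallback login page has to handle that case.
            System.err.println("Kerberos login failed: " + e.getMessage());
        }
    }
}
```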
