geronimo-user mailing list archives

From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: Kerberos Security Realm
Date Thu, 30 Mar 2006 18:42:45 GMT
But I should also add that for a web app, if you run Geronimo through
Apache HTTP or IIS then you can use SPNEGO to achieve single sign-on
without configuring a Geronimo security realm.  I also lack specifics
for how to configure that.  :)

Thanks,
    Aaron

On 3/30/06, Williams, Alex <alex.williams@linklaters.com> wrote:
> Hi,
>
> Has anyone successfully implemented a Kerberos Security Realm? I'm using
> Geronimo 1.0, JDK 1.4.2 on Windows XP and would like to achieve single
> sign-on against the Windows KDC.
>
> I have managed to get a standalone java example to work, but I'm a bit
> lost when it comes to configuring a Security Realm in Geronimo. Do I
> have to do any configuration outside of Geronimo - e.g. properties files
> within the JVM installation?
>
> Any tips or samples would be very gratefully received.
>
> See below for what I've tried so far.
>
> Thanks,
> Alex
>
>
>
> I've created a Security Realm in the Geronimo Console with the following
> plan:
>
> <configuration configId="SecurityRealm-my-kerberos-realm"
>     xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
>     <gbean name="my-kerberos-realm"
>         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>         <attribute name="realmName">my-kerberos-realm</attribute>
>         <reference name="ServerInfo">
>             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>         </reference>
>         <reference name="LoginService">
>             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config
>                 xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
>                 <log:login-module control-flag="REQUIRED"
>                     server-side="true" wrap-principals="false">
>                     <log:login-domain-name>my-kerberos-realm</log:login-domain-name>
>                     <log:login-module-class>com.sun.security.auth.module.Krb5LoginModule</log:login-module-class>
>                     <log:option name="debug">true</log:option>
>                     <log:option name="doNotPrompt">true</log:option>
>                     <log:option name="useTicketCache">true</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
> </configuration>
>
>
> I added the following to the web.xml for my app:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Protected</web-resource-name>
>             <url-pattern>/protected/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>This is not used for FORM login</realm-name>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/loginerror.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>
>
> And I added the following to geronimo-web.xml:
>
>     <security-realm-name>my-kerberos-realm</security-realm-name>
>     <security>
>         <default-principal>
>             <principal name="anonymous"
>                 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>         </default-principal>
>         <role-mappings>
>             <role role-name="admin">
>                 <principal name="administrators" designated-run-as="true"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>                 <principal name="awilliams"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>             </role>
>         </role-mappings>
>     </security>
>
>
> I have created /protected/index.htm, but I have NOT implemented
> /login.jsp or /loginerror.jsp. I am logged into the Windows domain as
> "awilliams", so I expect SSO to work. It appears not to, since I get a
> 404 error saying that /login.jsp does not exist.
>
> I'd obviously like to get the SSO working through the Windows KDC. I
> presume though that I need the login screens to fall back on. Down the
> road, do I need an extra login module to authenticate against
> Active Directory if the SSO fails?
>
>
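As an added example (not part of the thread, and not Geronimo code), the script below parses constructed copies of the realm plan and the web.xml login-config quoted above and reports the three settings a reviewer would question. The finding codes and messages are this script's own; the behaviour it describes for `useTicketCache` and `doNotPrompt` is the documented behaviour of the JDK's `Krb5LoginModule`, and the FORM redirect is standard servlet-container behaviour. The GBean references from the plan are left out because the audit only reads the login-module configuration.

```python
"""Audit the Kerberos security-realm plan and web.xml from the thread."""
import xml.etree.ElementTree as ET

# Constructed copy of the security-realm plan quoted in the thread, with the
# e-mail line wrapping undone and the GBean references omitted.
REALM_PLAN = """<configuration configId="SecurityRealm-my-kerberos-realm"
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
  <gbean name="my-kerberos-realm"
      class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">my-kerberos-realm</attribute>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
        <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
          <log:login-domain-name>my-kerberos-realm</log:login-domain-name>
          <log:login-module-class>com.sun.security.auth.module.Krb5LoginModule</log:login-module-class>
          <log:option name="debug">true</log:option>
          <log:option name="doNotPrompt">true</log:option>
          <log:option name="useTicketCache">true</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>
"""

# Constructed copy of the <login-config> part of the web.xml from the thread.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

LOG = "{http://geronimo.apache.org/xml/ns/loginconfig-1.0}"


def parse_login_modules(plan_xml):
    """Return one dict per <log:login-module> with its class, flags and options."""
    modules = []
    for lm in ET.fromstring(plan_xml).iter(LOG + "login-module"):
        options = {o.get("name"): (o.text or "").strip().lower()
                   for o in lm.findall(LOG + "option")}
        modules.append({
            "class": (lm.findtext(LOG + "login-module-class") or "").strip(),
            "control_flag": lm.get("control-flag", ""),
            "server_side": lm.get("server-side", "false").lower() == "true",
            "options": options,
        })
    return modules


def parse_login_config(web_xml):
    """Return the web.xml <login-config> as a dict, or None if there is none."""
    lc = ET.fromstring(web_xml).find("login-config")
    if lc is None:
        return None
    return {
        "auth_method": (lc.findtext("auth-method") or "").strip().upper(),
        "form_login_page": (lc.findtext("form-login-config/form-login-page") or "").strip(),
    }


def audit(plan_xml, web_xml):
    """Return a list of (code, message) findings for the realm plan and web.xml."""
    findings = []
    for m in parse_login_modules(plan_xml):
        if not m["class"].endswith(".Krb5LoginModule"):
            continue
        o = m["options"]
        if m["server_side"] and o.get("useTicketCache") == "true" and o.get("doNotPrompt") == "true":
            findings.append(("KRB5_SERVER_CACHE",
                             "Krb5LoginModule runs inside the server JVM with useTicketCache=true and "
                             "doNotPrompt=true: it does not ask the caller for a name or password and "
                             "uses the ticket cache of the account running Geronimo, so a successful "
                             "login reflects the server's own identity, not the browser user's"))
        if o.get("debug") == "true":
            findings.append(("KRB5_DEBUG",
                             "debug=true writes principal and ticket details to the server log; "
                             "disable it outside of troubleshooting"))
    lc = parse_login_config(web_xml)
    if lc and lc["auth_method"] == "FORM":
        findings.append(("FORM_LOGIN_PAGE",
                         "auth-method FORM sends unauthenticated requests for a protected URL to %s "
                         "before any login module runs; if that page is missing the result is the "
                         "404 seen in the thread, not a silent SSO attempt" % lc["form_login_page"]))
    return findings


if __name__ == "__main__":
    for code, msg in audit(REALM_PLAN, WEB_XML):
        print("%s: %s" % (code, msg))
```

Run as-is it prints all three findings for the configuration from the thread; setting `debug` to `false` or dropping `doNotPrompt` removes the corresponding finding, which is how the test below checks it.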
