Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1

Posted: July 7th, 2013 | Filed under: Technology | 16 Comments

Web Application Configuration

Next, the web application itself must be secured. Several files in the webapp/WEB-INF folder of the web application will be modified during this step. These configurations are framework agnostic and can be applied to any web application that can be deployed on the JBoss server. The first step is to configure the login and security sections of the web descriptor file (web.xml). Add the following to this file:

<login-config>
	<auth-method>SPNEGO</auth-method>
	<realm-name>SPNEGO</realm-name>
</login-config>

<security-constraint>
	<web-resource-collection>
		<web-resource-name>Sample Application</web-resource-name>
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>*</role-name>
	</auth-constraint>
</security-constraint>

<security-role>
	<description>
		The role that is required to log in to the Application
	</description>
	<role-name>USER</role-name>
</security-role>

Next, configure the jboss-web.xml vendor specific deployment file as follows:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
	<context-root>spnego-app</context-root>
	<security-domain>SPNEGO</security-domain>
	<valve>
		<class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
	</valve>
	<jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>

The context-root and security-domain elements are straightforward to anyone with prior JBoss administration experience. Inside the valve tag, an authenticator can be specified. Authenticators enforce the security-constraint sections of the web.xml file. In previous versions of EAP, the configuration on the server itself required modification, but in EAP 6 it can be specified here. Next, setting the jacc-star-role-allow property allows a * value within the security-constraint section, so that several different role names can be used to access the application if desired. In the web.xml specified above, only users with the USER role can access the application.

Finally, the jboss-deployment-structure.xml file, which is central to the new modular class loading mechanism found in EAP 6, must be configured. Since SPNEGO support is part of the JBoss Negotiation toolkit and not part of the core set of automatically activated modules, it must be explicitly configured to be loaded when the application is deployed. Configure this file with the following content:

<?xml version='1.0' encoding='UTF-8'?>
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
	<deployment>
		<dependencies>
			<module name="org.jboss.security.negotiation" />
		</dependencies>
	</deployment>
</jboss-deployment-structure>

The JBoss server is now configured to support integrated authentication.
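The three WEB-INF files above only work when they agree with each other (the * role needs jacc-star-role-allow, the valve needs the negotiation module, declared roles must exist). The following checker, added here as an example and not part of the original post or of JBoss, parses the three files and reports the mismatches a deployment review would look for; the sample XML strings are constructed to mirror the post's configuration, and the finding texts are my own.

```python
import xml.etree.ElementTree as ET

def _local(el):  # tag without the {namespace} prefix a real web.xml carries
    return el.tag.rsplit("}", 1)[-1]

def _texts(root, name):  # text of every descendant with the given local tag name
    return [(e.text or "").strip() for e in root.iter() if _local(e) == name]

def check_spnego_config(web_xml, jboss_web_xml, deployment_structure_xml):
    """Cross-check the three WEB-INF files; an empty list means they agree."""
    web, jweb, jds = (ET.fromstring(x) for x in (web_xml, jboss_web_xml, deployment_structure_xml))
    findings = []
    if _texts(web, "auth-method") != ["SPNEGO"]:
        findings.append("web.xml: login-config auth-method is not SPNEGO")
    if not _texts(jweb, "security-domain"):
        findings.append("jboss-web.xml: no security-domain, so the server default domain would apply")
    if "org.jboss.security.negotiation.NegotiationAuthenticator" not in _texts(jweb, "class-name"):
        findings.append("jboss-web.xml: NegotiationAuthenticator valve missing, so no SPNEGO token exchange")
    if "org.jboss.security.negotiation" not in [m.get("name") for m in jds.iter() if _local(m) == "module"]:
        findings.append("jboss-deployment-structure.xml: org.jboss.security.negotiation dependency missing")
    declared = {r for sr in web.iter() if _local(sr) == "security-role" for r in _texts(sr, "role-name")}
    star_ok = _texts(jweb, "jacc-star-role-allow") == ["true"]
    for sc in (e for e in web.iter() if _local(e) == "security-constraint"):
        acs = [e for e in sc.iter() if _local(e) == "auth-constraint"]
        if not acs:  # Servlet spec: no auth-constraint means no authentication is required
            findings.append("web.xml: security-constraint without auth-constraint leaves its URLs open")
            continue
        for role in _texts(acs[0], "role-name") or [None]:
            if role is None:  # Servlet spec: an empty auth-constraint denies everyone
                findings.append("web.xml: empty auth-constraint denies every user")
            elif role == "*" and not star_ok:
                findings.append("web.xml: '*' role used but jacc-star-role-allow is not true in jboss-web.xml")
            elif role == "*" and not declared:
                findings.append("web.xml: '*' role used but no security-role is declared")
            elif role != "*" and role not in declared:
                findings.append(f"web.xml: role {role!r} is not declared in a security-role")
    return findings

# Constructed sample files mirroring the post's configuration (web.xml with its usual namespace).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<login-config><auth-method>SPNEGO</auth-method><realm-name>SPNEGO</realm-name></login-config>
<security-constraint><web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
<security-role><role-name>USER</role-name></security-role></web-app>"""
JBOSS_WEB_XML = """<jboss-web><context-root>spnego-app</context-root><security-domain>SPNEGO</security-domain>
<valve><class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name></valve>
<jacc-star-role-allow>true</jacc-star-role-allow></jboss-web>"""
JDS_XML = """<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1"><deployment>
<dependencies><module name="org.jboss.security.negotiation"/></dependencies></deployment></jboss-deployment-structure>"""
```

Run it against the files in an exploded deployment before restarting the server; every finding names the file to fix.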


16 Comments on “Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1”

  1. Joey said at 9:53 am on July 8th, 2013:

    Good stuff man. I will have to give it a shot. Could be very useful for me 🙂

  2. Alex said at 2:10 am on September 20th, 2013:

    Thanks a lot for that great tutorial. It’s the best and most comprehensive I’ve ever seen.

    Nevertheless I've fallen (in my environment) into some traps and I want to share some hints:
    – the service user AND the calling user have to be flagged “AES256 for Kerberos enabled”; otherwise I got a GSSException: “Checksum failed” (maybe they only have to have the same encryptions enabled/disabled)
    – the SPN assigned to the service user is not allowed to be assigned to ANY other user
    – there may be a global Kerberos configuration (C:\Windows\krb5.ini) on the machine running the JBoss; check that for correct values
    – “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy” has to be installed on the server for AES256 support

    Some corrections:
    – the code of the login module is “UsersRoles” and not “UserRoles” (page 3)
    – the code of the login module is “SPNEGOUsers” and not “SPNEGO” (page 3)

    Maybe an interesting scenario to use SPNEGO for users logged into the domain, authenticate users not logged into the domain (e.g. working with a local account) using username/password against AD but load roles from AD in both cases:

    Thank you!

  3. sabre1041 said at 10:31 pm on September 23rd, 2013:

    Alex,

    Thanks for sharing some of your experiences with SPNEGO in your environment. I’m sure others implementing in a more secure environment will find the information very useful.

    In addition, good catch pointing out the error with the UsersRoles login module. I have gone in and made the appropriate corrections to the post.

    The SPNEGO login module can be represented as either SPNEGOUsers or just plain old SPNEGO. The EAP 6.1 Security Guide has examples of both implementations.

    Certainly an interesting scenario you posed. You may be able to accomplish this by chaining login modules and tweaking their configuration types. Very interested to hear if you are able to accomplish this.

    – Andy

  4. Chris said at 10:53 am on October 14th, 2013:

    Big thanks! Managed to get it to work without major hiccups.

    Is it possible to make this work without using roles? That is, any user that is authenticated in Active Directory would be able to log in without requiring extra configuration in the roles.properties.

  5. sabre1041 said at 12:15 pm on October 27th, 2013:

    Chris, you can use the AdvancedLdapLoginModule. See the following link for more information on how to configure it with SPNEGO:

    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/ch02s04s02.html

    Example Configuration:
    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/apas02.html#AdvLDAP_on_AD

  6. Elton said at 1:49 pm on March 7th, 2014:

    I currently have CAS configured with JBOSS 5 and need to move over to JBOSS 7. I already have keytab files and SPNs generated.
    I have 2 configurations: 1. Username and password is the same (default); 2. SPNEGO authentication to Active Directory. The new CAS zip file needs to be built with Ant or Maven. I did not see mention of that in your post. Is there something I am missing?

  7. John said at 1:22 pm on March 17th, 2014:

    Many, many thanks for this. I managed to get IWA working with our app without too many problems thanks to your very clear blog.

    I wondered if you knew of any way that an application could be configured to use SPNEGO/IWA if available and to fall back to a form based authentication if not?

  8. sabre1041 said at 10:47 pm on April 1st, 2014:

    John,

    You can add a form-login-config section to the login-config section of your web.xml. If SPNEGO authentication fails, it will fall back to the form based authentication.

  9. vrm said at 5:31 am on May 16th, 2014:

    I configured jboss-eap-6.1 as mentioned in this tutorial. When I test the negotiation toolkit, the security domain shows the following error: “unable to obtain the password from user”, and secured shows 401. Can anyone help?

  10. Spring Security without a login form | Questions and Answers Resource said at 12:37 pm on December 30th, 2014:

    […] The first thing that I need to do is identify who the user is. After reading Block 87’s article, I should start looking at SPNEGO and setting up each of the environments. From that point, I […]

  11. Srini said at 10:38 am on October 1st, 2015:

    Hi Andy,

    Thanks a lot for the very great tutorial on integrated windows authentication for web applications; it is very well described step by step in good detail.

  12. Shyam said at 3:56 am on November 4th, 2015:

    Hi,
    I am configuring kerberos for JBOSS EAP 6.4. I followed all the steps mentioned in link https://access.redhat.com/webassets/avalon/d/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US.pdf but getting
    15:24:43,139 INFO [stdout] (http-/127.0.0.1:8080-1) [Krb5LoginModule] authentication failed
    15:24:43,140 INFO [stdout] (http-/127.0.0.1:8080-1) Client not found in Kerberos database (6)

  13. Patel said at 5:03 pm on February 18th, 2016:

    Hi everyone: I’ve already completed each step of these processes. AD Users are able to authenticate through SQUID to surf the internet, BUT!! after 2 hours (sometimes more or less) suddenly some users (one or two) couldn’t surf the Internet: Internet Explorer requests new credentials (user/password). Then AD users type them, but they aren’t able to surf the internet. I checked that an AD user types user/password correctly but the prompt appears every time. From cache.log these lines are recorded:
    2011/02/10 17:58:15| squid_kerb_auth: Got 'YR …' from squid (length: 2107).
    2011/02/10 17:58:15| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
    I’ve been using: RHEL 5.0, SQUID 3.0, modules squid_kerb_auth 1.0.7 and squid_kerb_ldap 1.2.1a. In squid.conf I’ve configured the option debug_options ALL,1 33,2 28,9 in order to get more records, but all these records aren’t useful. Can somebody help? Thanks in advance.

  14. Ananta Aryadewa said at 9:54 am on June 27th, 2016:

    Great post and detailed explanation. However, I still have no clue how to implement this in the servlet. I am working on a Struts 1.3 app, and I need to add the SSO to the existing login system, backed by an RDBMS. Is there any sample code or a clue to implementing the SSO auth within an existing webapp?

  15. Binh Thanh Nguyen said at 5:50 am on August 9th, 2016:

    Thanks, nice post

  16. Peter said at 11:48 am on September 13th, 2016:

    Let’s discuss the not so uncommon case where there are not one but several Web Application servers. For example these may be duplicates of the same application (prod, uat, dev, etc) or they may simply be running different applications.

    In this case would you recommend creating one AD account per app server, or would it suffice to have only one AD account in total? Of course the SPN and the keytab file need to be per-server, I understand that much, but I’m not sure why you would need one AD account per server??
