Chapter 2. Application Server Configuration

To configure JBoss Negotiation to run on JBoss Enterprise Application Platform, you need to do the following:
  • Extend the core authentication mechanism to support JBoss Negotiation (add the SPNEGO authenticator).
  • Define the application security domain, which allows an application to communicate with the application server through the SPNEGOLoginModule.
  • Define the server security domain, which allows the application server to authenticate itself to the KDC for the first time.
You may also need to configure the realm properties to allow the server to locate the authentication realm (Kerberos realm) if the server was not previously configured to do so.
JBoss Negotiation comes with Negotiation Toolkit, a web application, which allows you to test your SPNEGO setup. Consider using the application before testing on your own web applications (refer to Chapter 8, Negotiation Toolkit).

2.1. Adding the SPNEGO Authenticator

To add the SPNEGO authenticator to the core authentication mechanism, do the following:
  1. Open the $JBOSS_HOME/server/PROFILE/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml file for editing.
  2. Locate the property authenticators.
  3. Add the following entry to the property:
    <property name="authenticators">
      <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
        <entry>
          <key>SPNEGO</key>
          <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
        </entry>
    
    The key value is arbitrary; however, if you want to use the Negotiation Toolkit to test your server setup, make sure you use the SPNEGO value as the tool works only with the SPNEGO authenticator with this name.