5.8.2. Desktop SSO using SPNEGO

To configure the desktop SSO using SPNEGO configure the following:

Security Domain
System Properties
Web Application

Procedure 5.5. Configure Desktop SSO using SPNEGO

Configure Security Domain

Configure the security domains to represent the identity of the server and to secure the web application.

Example 5.15. Security Domain Configuration

<security-domains>

    <security-domain name="host" cache-type="default">

      <authentication>

        <login-module code="Kerberos" flag="required">

          <module-option name="storeKey" value="true"/>

          <module-option name="useKeyTab" value="true"/>

          <module-option name="principal" value="host/testserver@MY_REALM"/>

          <module-option name="keyTab" value="/home/username/service.keytab"/>

          <module-option name="doNotPrompt" value="true"/>

          <module-option name="debug" value="false"/>

        </login-module>

       </authentication>

     </security-domain>

   

     <security-domain name="SPNEGO" cache-type="default">

       <authentication>

         <login-module code="SPNEGO"  flag="requisite">

           <module-option name="password-stacking" value="useFirstPass"/>

           <module-option name="serverSecurityDomain" value="host"/>

         </login-module>


         <!-- Login Module For Roles Search -->

       </security-domain>

Setup the System Properties

If required, the system properties can be set in the domain model.

Example 5.16. Configure System Properties

<system-properties>

      <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>

      <property name="java.security.krb5.realm" value="MY_REALM"/>

    </system-properties>

Configure Web Application
It is not possible to override the authenticators, but it is possible to add the NegotiationAuthenticator as a valve to your jboss-web.xml descriptor to configure the web application.
Note
The valve requires the security-constraint and login-config to be defined in the web.xml file as this is used to decide which resources are secured. However, the chosen auth-method is overridden by this authenticator.
Example 5.17. Configure Web Application
```
 <!DOCTYPE jboss-web PUBLIC
  "-//JBoss//DTD Web Application 2.4//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">   

  <jboss-web>

    <security-domain>java:/jaas/SPNEGO</security-domain>

    <valve>

      <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>

    </valve>

  </jboss-web>
```
The web application also requires a dependency defining in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located.
Example 5.18. Define Dependency in META-INF/MANIFEST.MF
```
    Manifest-Version: 1.0

    Build-Jdk: 1.6.0_24

    Dependencies: org.jboss.security.negotiation
```

Report a bug

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

5.8.2. Desktop SSO using SPNEGO

Where did the comment section go?