5.8.2. Desktop SSO using SPNEGO
To configure the desktop SSO using SPNEGO configure the following:
- Security Domain
- System Properties
- Web Application
Procedure 5.5. Configure Desktop SSO using SPNEGO
Configure Security Domain
Configure the security domains to represent the identity of the server and to secure the web application.Example 5.15. Security Domain Configuration
<security-domains> <security-domain name="host" cache-type="default"> <authentication> <login-module code="Kerberos" flag="required"> <module-option name="storeKey" value="true"/> <module-option name="useKeyTab" value="true"/> <module-option name="principal" value="host/testserver@MY_REALM"/> <module-option name="keyTab" value="/home/username/service.keytab"/> <module-option name="doNotPrompt" value="true"/> <module-option name="debug" value="false"/> </login-module> </authentication> </security-domain> <security-domain name="SPNEGO" cache-type="default"> <authentication> <login-module code="SPNEGO" flag="requisite"> <module-option name="password-stacking" value="useFirstPass"/> <module-option name="serverSecurityDomain" value="host"/> </login-module> <!-- Login Module For Roles Search --> </security-domain>
Setup the System Properties
If required, the system properties can be set in the domain model.Example 5.16. Configure System Properties
<system-properties> <property name="java.security.krb5.kdc" value="mykdc.mydomain"/> <property name="java.security.krb5.realm" value="MY_REALM"/> </system-properties>
Configure Web Application
It is not possible to override the authenticators, but it is possible to add theNegotiationAuthenticator
as a valve to your jboss-web.xml descriptor to configure the web application.Note
The valve requires thesecurity-constraint
andlogin-config
to be defined in the web.xml file as this is used to decide which resources are secured. However, the chosenauth-method
is overridden by this authenticator.Example 5.17. Configure Web Application
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd"> <jboss-web> <security-domain>java:/jaas/SPNEGO</security-domain> <valve> <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name> </valve> </jboss-web>
The web application also requires a dependency defining inMETA-INF/MANIFEST.MF
so that the JBoss Negotiation classes can be located.Example 5.18. Define Dependency in
META-INF/MANIFEST.MF
Manifest-Version: 1.0 Build-Jdk: 1.6.0_24 Dependencies: org.jboss.security.negotiation