Chapter 13. Authentication and Authorization

13.1. Kerberos and SPNEGO Integration

13.1.1. About Kerberos and SPNEGO Integration

Kerberos is an authentication method that is designed for open network computing environments. It works on the basis of a ticket and authenticator to establish the identity of both the user and the server. It helps the two nodes communicating over a non secure environment to establish their identity to each other in a secured manner.
SPNEGO is an authentication method used by a client application to authenticate itself to the server. This technology is used when the client application and the server trying to communicate with each other are not sure of the authentication protocol the other supports. SPNEGO determines the common GSSAPI mechanisms between the client application and the server and then dispatches all further security operations to it.
Kerberos and SPNEGO Integration

In a typical setup, the user logs into a desktop which is governed by the Active Directory domain. The user then uses the web browser, either Firebox or Internet Explorer, to access a web application that uses JBoss Negotiation hosted on the JBoss EAP. The web browser transfers the desktop sign on information to the web application. JBoss EAP uses background GSS messages with the Active Directory or any Kerberos Server to validate the user. This enables the user to achieve a seamless SSO into the web application.

13.1.2. Desktop SSO using SPNEGO

To configure the desktop SSO using SPNEGO configure the following:
  • Security Domain
  • System Properties
  • Web Application

Procedure 13.1. Configure Desktop SSO using SPNEGO

  1. Configure Security Domain

    Configure the security domains to represent the identity of the server and to secure the web application.

    Example 13.1. Security Domain Configuration

    <security-domains>
    
        <security-domain name="host" cache-type="default">
    
          <authentication>
    
            <login-module code="Kerberos" flag="required">
    
              <module-option name="storeKey" value="true"/>
    
              <module-option name="useKeyTab" value="true"/>
    
              <module-option name="principal" value="host/testserver@MY_REALM"/>
    
              <module-option name="keyTab" value="/home/username/service.keytab"/>
    
              <module-option name="doNotPrompt" value="true"/>
    
              <module-option name="debug" value="false"/>
    
            </login-module>
    
           </authentication>
    
         </security-domain>
    
       
    
         <security-domain name="SPNEGO" cache-type="default">
    
           <authentication>
    
             <login-module code="SPNEGO"  flag="requisite">
    
               <module-option name="password-stacking" value="useFirstPass"/>
    
               <module-option name="serverSecurityDomain" value="host"/>
    
             </login-module>
    
    
             <!-- Login Module For Roles Search -->
    
           </security-domain>
    
  2. Setup the System Properties

    If required, the system properties can be set in the domain model.

    Example 13.2. Configure System Properties

    <system-properties>
    
          <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>
    
          <property name="java.security.krb5.realm" value="MY_REALM"/>
    
        </system-properties>
    
  3. Configure Web Application

    It is not possible to override the authenticators, but it is possible to add the NegotiationAuthenticator as a valve to your jboss-web.xml descriptor to configure the web application.

    Note

    The valve requires the security-constraint and login-config to be defined in the web.xml file as this is used to decide which resources are secured. However, the chosen auth-method is overridden by this authenticator.

    Example 13.3. Configure Web Application

     <!DOCTYPE jboss-web PUBLIC
      "-//JBoss//DTD Web Application 2.4//EN"
      "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
    
      <jboss-web>
    
        <security-domain>SPNEGO</security-domain>
    
        <valve>
    
          <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    
        </valve>
    
      </jboss-web>
    
    The web application also requires a dependency defining in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located.

    Example 13.4. Define Dependency in META-INF/MANIFEST.MF

        Manifest-Version: 1.0
    
        Build-Jdk: 1.6.0_24
    
        Dependencies: org.jboss.security.negotiation
    

13.1.3. Configure JBoss Negotiation for Microsoft Windows Domain

This section describes how to configure the accounts required for JBoss Negotiation to be used when JBoss EAP is running on a Microsoft Windows server, which is a part of the Active Directory domain.
In this section, the hostname that is used to access the server as is referred to as {hostname}, realm is referred to as {realm}, domain is referred to as {domain}, and the server hosting the JBoss EAP instance is referred to as {machine_name}.

Procedure 13.2. Configure JBoss Negotiation for Microsoft Windows Domain

  1. Clear Existing Service Principal Mappings

    On a Microsoft Windows network some mappings are created automatically. Delete the automatically created mappings to map the identity of the server to the service principal for negotiation to take place correctly. The mapping enables the web browser on the client computer to trust the server and attempt SPNEGO. The client computer verifies with the domain controller for a mapping in the form of HTTP{hostname}.
    The following are the steps to delete the existing mappings:
    • List the mapping registered with the domain for the computer using the command, setspn -L {machine_name}.
    • Delete the existing mappings using the commands, setspn -D HTTP/{hostname} {machine_name} and setspn -D host/{hostname} {machine_name}.
  2. Create a host user account.

    Note

    Ensure the host user name is different from the {machine_name}.
    In the rest of the section the host user name is referred to as {user_name}.
  3. Define the mapping between the {user_name} and {hostname}.

    • Run the following command to configure the Service Principal Mapping, ktpass -princ HTTP/{hostname}@{realm} -pass * -mapuser {domain}\{user_name}.
    • Enter the password for the user name when prompted.

      Note

      Reset the password for the user name as it is a prerequisite for exporting the keytab.
    • Verify the mapping by running the following command, setspn -L {user_name}
  4. Export the keytab of the user to the server on which EAP JBoss is installed.

    Run the following command to export the keytab, ktab -k service.keytab -a HTTP/{hostname}@{realm}.

    Note

    This command exports the ticket for the HTTP/{hostname} principal to the keytab service.keytab, which is used to configure the host security domain on JBoss.
  5. Define the principal within the security domain as follows:
    <module-option name="principal">HTTP/{hostname}@{realm}</module-option>