JBoss Negotiation in AS7 Get Kerberos authentication working Josef Cacek Senior QE Engineer, Red Hat DevConf 2013
Dec 05, 2014
Agenda
● Technologies introduction
● Quickstart
● Configuration
● Troubleshooting
Introduction: Kerberos
ticket-based network authentication protocol
JBoss Negotiation
Negotiation (SPNEGO) support for JBoss AS
● protocols
  ● Kerberos
  ● NTLM
● components
  ● authenticator – a JBoss Web valve
  ● JAAS Login modules
  ● toolkit to check the configuration
Quickstart
https://github.com/kwart/spnego-demo
https://github.com/kwart/kerberos-using-apacheds
JBoss AS configuration
$JBOSS_HOME/standalone/configuration/standalone.xml
standalone.xml – security domains (1)
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/my-server.my-company.cz@MY-COMPANY.CZ"/>
    </login-module>
  </authentication>
</security-domain>
standalone.xml – security domains (2)
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="[email protected]" value="Admin"/>
      <module-option name="[email protected]" value="User"/>
    </mapping-module>
  </mapping>
</security-domain>
standalone.xml – Kerberos related system properties
<system-properties>
  <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>
Web application configuration
WAR – Web archive
WEB-INF/web.xml
define your security constraints and roles
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Admin</role-name>
</security-role>
WEB-INF/jboss-web.xml
define the security domain and the custom authenticator
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>
META-INF/jboss-deployment-structure.xml
define module dependencies
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
Client configuration
krb5.conf
configure the realm
[libdefaults]
default_realm = MY-COMPANY.CZ

[realms]
MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz:688
}

[domain_realm]
.my-company.cz = MY-COMPANY.CZ
Use KRB5_CONFIG environment variable if you don't want to change system wide /etc/krb5.conf
$ export KRB5_CONFIG=/path/to/krb5.conf
Browser configuration – allow negotiation for the domain
Firefox – use about:config in the address bar
network.negotiate-auth.delegation-uris = .my-company.cz
network.negotiate-auth.trusted-uris = .my-company.cz
Chromium
$ chromium-browser \
    --auth-server-whitelist=.my-company.cz \
    --auth-negotiate-delegate-whitelist=.my-company.cz
And if it still doesn't work …
Pitfalls – principal names
The Service Principal Name (SPN) must follow the rule
<service type>/<hostname>@<realm>
For the request
http://my-server.my-company.cz/
use the SPN
HTTP/my-server.my-company.cz@MY-COMPANY.CZ
Mixing IPs and hostnames usually doesn't work:
HTTP/my-server.my-company.cz@MY-COMPANY.CZ for a request to http://127.0.0.1/
Pitfalls - IPv6
HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG
LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
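A small checker for the naming rules on the two pitfall slides above, added here as an example and not part of the original deck: it derives the SPN a client will request for a given URL (HTTP keeps the brackets of an IPv6 literal, ldap drops them, as the IPv6 slide shows) and reports an IP-versus-hostname mix, a realm mismatch or a service-type mismatch against the principal configured in the host security domain. The URLs and realms in the tests are the deck's own examples; the checker itself is my own assumption about how to apply the rules, not a JBoss Negotiation tool.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Rule from the "principal names" slide: <service type>/<hostname>@<realm>
SPN_RE = re.compile(r"^([^/@]+)/([^@]+)@(.+)$")

def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 literal, with or without IPv6 brackets."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def expected_spn(url: str, realm: str) -> str:
    """SPN a Negotiate-enabled client asks a ticket for when it opens `url`."""
    parts = urlsplit(url)
    host = parts.hostname  # IPv6 brackets stripped and lowercased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url}")
    if parts.scheme.lower() in ("http", "https"):
        service = "HTTP"
        if ":" in host:  # IPv6 literal keeps its brackets for HTTP (IPv6 slide)
            host = f"[{host}]"
    elif parts.scheme.lower() in ("ldap", "ldaps"):
        service = "ldap"  # ldap/0:0:0:0:0:0:0:1@REALM, no brackets (IPv6 slide)
    else:
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    return f"{service}/{host}@{realm}"

def check_spn(configured: str, url: str, realm: str) -> list:
    """Compare the principal of the 'host' security domain with the SPN
    expected for `url`; returns findings, an empty list meaning they agree."""
    m = SPN_RE.match(configured)
    if not m:
        return ["principal does not follow <service type>/<hostname>@<realm>"]
    service, host, spn_realm = m.groups()
    e_service, e_host, _ = SPN_RE.match(expected_spn(url, realm)).groups()
    findings = []
    if spn_realm != realm:
        findings.append(f"realm mismatch: {spn_realm} vs {realm}")
    if service != e_service:
        findings.append(f"service type mismatch: {service} vs {e_service}")
    if host != e_host:  # Kerberos principal names are case-sensitive
        if is_ip_literal(host) != is_ip_literal(e_host):
            findings.append("URL and SPN mix an IP literal with a hostname; this usually does not work")
        else:
            findings.append(f"hostname mismatch: {host} vs {e_host}")
    return findings
```

Run it against the principal from the host security domain and the URL users actually type; an empty result means the names agree, anything else is the first thing to fix before looking at keytabs or encryption types.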
Pitfalls - IBM Java
host's login module:
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required" >
● module options are not the same!
● krb5.conf – check the [libdefaults] section
  ● encryption support
    ● default_tgs_enctypes
    ● default_tkt_enctypes
    ● allow_weak_crypto
  ● forwardable ticket when a client uses Krb5LoginModule
    ● forwardable = true
Thank you.