SPNEGO/Kerberos authentication with Tomcat
Version 2.0

Author: Bo Friis, Partner, IT Practice A/S

Keywords: Kerberos, PAC, SPNEGO, J2EE, Security

This article describes how to install and configure the IT Practice SPNEGO/Kerberos security plugins for the Tomcat application server.

Tomcat SPNEGO authenticator Valve and Realm
Tomcat, like other application servers, has a pluggable security interface. It's possible for a developer to replace and add new authentication mechanisms. The security interface is roughly split into two plugin types: Authenticators and Realms. The Authenticator handles the authentication using some mechanism or protocol. The Realm takes care of looking up user credentials in some database. We provide an authenticator valve, SPNEGOAuthenticator, and a realm, SPNEGOJNDIRealm, which is based on the JNDIRealm from the Tomcat project. The SPNEGOAuthenticator plugin handles authentication of the user, using the Kerberos ticket provided in the SPNEGO token. If Active Directory is used as the user account database and Kerberos server, the Kerberos authentication ticket contains the Privilege Access Certificate (PAC). The PAC contains information about the user, e.g. the authenticated user's group membership. The SPNEGOAuthenticator uses the PAC's user-group membership information to resolve the j2ee security roles which Tomcat uses to do its authorization. This is done through a PAC (objectSid) to j2ee role mapping file [3]:
#PAC objectSid to j2ee security role mapping
#SPNEGO/Kerberos, (c) 2005, IT Practice A/S
domain.dc.TEST=TEST.NET
domain.dc.TEST.objectSid=S-15-72FBE2E6-814C1995-C64F68B9
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-45D=spnegousers@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-200=Domain Admins@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-201=Domain Users@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-202=Domain Guests@TEST.NET

(c) 2005 IT Practice A/S


The mapping file contains a list of PAC objectSid's, which are unique security object identifiers in Active Directory. The SPNEGOAuthenticator decodes the PAC and computes the group membership objectSid's, which are then mapped to a logical j2ee security role. The j2ee security role can be anything but must match the security roles defined in the Tomcat web application deployment descriptor. Note that the objectSid's will be different in other setups.

The PAC contains group membership definitions in two ways: one containing RID's (relative identifiers to the authenticated domain) and one containing the SID's. The RID's are only unique from within the domain. The RID's will only be populated if the authenticated user has relation to the logon domain only. If a user is member of groups defined in other domains than the logon domain, the PAC objectSid's will contain the list of groups. When multiple domains are setup in a trust relation, the PAC specifies which domain a group belongs to. The mapping file contains domain information, which is used when the PAC only contains RID's. The group objectSid's are then constructed from the domain objectSid and the group RID's.

Installing sample web application and configuring security in Tomcat

The sample application has one protected URL defined in the deployment descriptor:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Area</web-resource-name>
    <url-pattern>/spnegoauthplugin</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>spnegousers@TEST.NET</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>spnegousers@TEST.NET</description>
  <role-name>spnegousers@TEST.NET</role-name>
</security-role>

The URL /spnegoauthplugin is protected by a j2ee security role called spnegousers@TEST.NET. This is a group in the example Active Directory called "spnegousers", defined in the domain TEST.NET. Using the objectSid mapping in the previous example we see that the user must be member of the Active Directory group defined by the SID S-15-72FBE2E6-814C1995-C64F68B9-45D (or RID 45D): objectSid.S-15-72FBE2E6-814C1995-C64F68B9-45D=spnegousers@TEST.NET
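To make the objectSid-to-role resolution concrete, here is an added example (not the IT Practice plugin's code) that parses a mapping file in the format shown above and resolves PAC group membership the way the text describes: RID's are appended to the logon domain objectSid, full SID's from trusted domains are used as they are, and groups with no entry get an auto-generated RID.<rid>@<domain> name so they can be spotted and redefined. The mapping text and PAC values are constructed from the article's example; the fallback to the raw domain SID for a domain the file does not know is this example's own choice.

```python
"""Resolve j2ee roles from PAC group membership using a pac-j2ee mapping file.
Illustrative re-implementation of the mapping the article describes; not the
IT Practice plugin's own code. The mapping text is the article's example."""

MAPPING_FILE = """\
#pac-j2ee mapping, constructed from the article's example
domain.dc.TEST=TEST.NET
domain.dc.TEST.objectSid=S-15-72FBE2E6-814C1995-C64F68B9
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-45D=spnegousers@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-200=Domain Admins@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-201=Domain Users@TEST.NET
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-202=Domain Guests@TEST.NET
"""


def parse_mapping(text):
    """Return (domain name by domain SID, role by group objectSid), SIDs upper-cased
    so the lower-case SIDs printed from the PAC still match."""
    names, domain_sids, roles = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.startswith("domain.dc.") and key.endswith(".objectSid"):
            domain_sids[key[10:-10]] = value.upper()   # domain.dc.<dc>.objectSid
        elif key.startswith("domain.dc."):
            names[key[10:]] = value                    # domain.dc.<dc>=<dns name>
        elif key.startswith("objectSid."):
            roles[key[10:].upper()] = value            # objectSid.<sid>=<role>
    return {sid: names[dc] for dc, sid in domain_sids.items()}, roles


def resolve_roles(domains, roles, logon_domain_sid, group_rids, extra_sids):
    """group_rids: the PAC's RIDs (decimal ints relative to the logon domain);
    extra_sids: full SIDs of groups from trusted domains. Unmapped groups get the
    placeholder RID.<hex rid>@<domain> and are also returned separately so the
    mapping file can be corrected."""
    sids = [f"{logon_domain_sid.upper()}-{rid:X}" for rid in group_rids]
    sids += [s.upper() for s in extra_sids]
    resolved, redefine = [], []
    for sid in sids:
        if sid in roles:
            resolved.append(roles[sid])
            continue
        domain_sid, _, rid = sid.rpartition("-")
        # Domain not in the mapping file: fall back to the raw domain SID.
        resolved.append(f"RID.{rid}@{domains.get(domain_sid, domain_sid)}")
        redefine.append(sid)
    return resolved, redefine
```

The PAC carries RID's in decimal (primaryGroupRid=513 in the sample output) while the mapping file writes them in hex (-201), which is why the RID is formatted with `:X` before lookup.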

Now that we have configured the web application to be protected by the j2ee security manager in Tomcat, we must configure Tomcat to handle j2ee security. This is done by adding a Valve and optionally a Realm to the Tomcat server.xml configuration file.

<Engine …>
  <Host …>
    <Context path="/spnegosample" docBase="spnegosample.war" debug="99">
      <Valve className="dk.itp.tomcat.SPNEGOAuthenticator" basicAuth="false" debug="99"/>
    </Context>
  </Host>
</Engine>

This adds the SPNEGOAuthenticator to the spnegosample web application. The "basicAuth" property defines that BASIC authentication will be used if SPNEGO should fail, which is typically caused by configuration errors.

If "fallback" to BASIC authentication is configured, a LDAP based realm is needed to lookup the user in Active Directory. This is handled by the SPNEGOJNDIRealm. The SPNEGOJNDIRealm is based on the Apache JNDIRealm and uses the exact same configuration parameters. An example:

<Engine …>
  <Realm className="dk.itp.tomcat.SPNEGOJNDIRealm" debug="99"
         connectionName="cn=Administrator,dc=test,dc=net"
         connectionPassword="password"
         connectionURL="ldap://192.168.x.2:3268"
         userBase="DC=TEST,DC=NET"
         userSearch="(sAMAccountName={0})"
         userRoleName="memberOf"
         roleBase="DC=TEST,DC=NET"
         roleName="objectSid"
         roleSearch="(member={0})"
         roleSubtree="true"
         userSubtree="true" />
</Engine>

Note that the connectionURL, connectionName, userBase and roleBase must be changed according to the specific domain and Active Directory definitions.

Setting up the pac-j2ee mapping (objectSid to j2ee security role)

The sample web application contains a URL that shows the PAC and Kerberos content of the SPNEGO encoded Kerberos ticket. The URL /spnegosample/spnegopacservletfilter will produce the following output:

General User Info
getAuthType: SPNEGO/Kerberos
getUserPrincipal(): dk.itp.servletfilter.SpnegoPrincipal[test@TEST.NET]
getUserPrincipal() instanceof SpnegoPrincipal.class: true
((SpnegoPrincipal)getUserPrincipal()).getServer(): HTTP/webserver.test.net@TEST.NET
((SpnegoPrincipal)getUserPrincipal()).getPacLogonInfo(): primaryGroupRid=513 logonDomain=TEST userName=test useridRid=1108 objectSids=[S-15-72fbe2e6-814c1995-c64f68b9-45d, S-15-72fbe2e6-814c1995-c64f68b9-201, S-15-72fbe2e6-814c1995-c64f68b9-202, S-15-72fbe2e6-814c1995-c64f68b9-200, S-15-72fbe2e6-814c1995-c64f68b9-461] logonSrv=SPNEGO fullName=test testesen logonDomainSid=S-15-72fbe2e6-814c1995-c64f68b9
j2ee roles: [S-15-72fbe2e6-814c1995-c64f68b9-45d, S-15-72fbe2e6-814c1995-c64f68b9-202, S-15-72fbe2e6-814c1995-c64f68b9-200, S-15-72fbe2e6-814c1995-c64f68b9-201, S-15-72fbe2e6-814c1995-c64f68b9-461]
getRemoteUser: test@TEST.NET
isUserInRole('spnegousers'): false
isUserInRole('spnegousers@TEST.NET'): false

User PAC info
#pac-j2ee
domain.dc.TEST.objectSid=S-15-72fbe2e6-814c1995-c64f68b9
objectSid.S-15-72fbe2e6-814c1995-c64f68b9-45d=RID.45d@TEST.NET # REDEFINE THIS ROLE
objectSid.S-15-72fbe2e6-814c1995-c64f68b9-200=Domain Admins@TEST.NET
objectSid.S-15-72fbe2e6-814c1995-c64f68b9-201=Domain Users@TEST.NET
objectSid.S-15-72fbe2e6-814c1995-c64f68b9-202=Domain Guests@TEST.NET
objectSid.S-15-72fbe2e6-814c1995-c64f68b9-461=RID.461@TEST.NET # REDEFINE THIS ROLE

The last section, the User PAC info, shows the objectSid's including the predefined RID's. This section can be cut-pasted into the pac-j2ee mapping file.

The above User PAC info includes two groups that are not predefined by Microsoft. These are groups that are created using the user administration and manually assigned to the authenticated user. Non standard objectSid's and RID's will be regenerated every time a new domain controller is deployed. Nor will groups with the same name in different domains have the same RID. It is recommended that the auto generated RID codes in the pac-j2ee mapping file are mapped to logical j2ee security roles. Active Directory can be accessed using an LDAP browser. Microsoft has one included in their resource kit called LDP. This can be downloaded free-of-charge. Below there is an example of the user defined spnegousers group:

Expanding base 'CN=spnegousers,CN=Users,DC=TEST,DC=NET'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=spnegousers,CN=Users,DC=TEST,DC=NET
    2> objectClass: top; group;
    1> cn: spnegousers;
    1> distinguishedName: CN=spnegousers,CN=Users,DC=TEST,DC=NET;
    1> instanceType: 4;
    1> whenCreated: 6/23/2004 22:25:16 Romance Standard Time Romance Daylight Time;
    1> whenChanged: 3/20/2005 22:58:53 Romance Standard Time Romance Daylight Time;
    1> uSNCreated: 5704;
    5> member: CN=webserver,CN=Users,DC=TEST,DC=NET; CN=userxx,OU=ou11,OU=ou1,DC=TEST,DC=NET; CN=Bo Friis,CN=Users,DC=TEST,DC=NET; …
    1> uSNChanged: 28627;
    1> name: spnegousers;
    1> objectGUID: 712c3320-dc87-472b-9d80-4d2d16637675;
    1> objectSid: S-15-72FBE2E6-814C1995-C64F68B9-45D;
    1> sAMAccountName: spnegousers;
    1> sAMAccountType: 268435456;
    1> groupType: -2147483646;
    1> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=NET;

Looking at the attribute objectSid we see that the RID 45D is mapped to the spnegousers group. This information can be used to replace the RID.45d@TEST.NET entry in the pac-j2ee mapping file with the spnegousers@TEST.NET value. The URL /spnegopacservletfilter can be run for multiple users and the output can be merged into the pac-j2ee mapping file. The pac-j2ee mapping file can be corrected to map the real group name in Active Directory.

Testing

The URL /spnegosample/spnegoauthplugin activates the HelloWorldServlet which is protected by the Tomcat Authenticator plugin. If everything is setup correctly, it will produce something similar to the following output:

General User Info
getAuthType: SPNEGO/Kerberos
getUserPrincipal(): dk.itp.tomcat.SpnegoPrincipal[test]
getUserPrincipal() instanceof SpnegoPrincipal.class: false
getRemoteUser: test
isUserInRole('spnegousers'): false
isUserInRole('spnegousers@TEST.NET'): true

Note that the user is member of the spnegousers@TEST.NET group. This is only possible when using the SPNEGOAuthenticator plugin. When using the Servlet Filter, the method isUserInRole() will always return false, since the user never logs in to the Tomcat security manager.

Conclusion

Kerberos and SPNEGO enable desktop single sign-on on web applications deployed on the Tomcat server. We have shown how to deploy and configure an SPNEGO/Kerberos Tomcat authenticator and SPNEGO/Kerberos servlet filter. It is based on Active Directory and Tomcat running on top of SUN JDK 1.4+.

References

[1] Tomcat documentation pages. http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
[2] SPNEGO/Kerberos authentication using JGSS. Bo Friis, 2004. http://appliedcrypto.…pdf
[3] PAC (Privilege Access Certificate) in a Java Web Server World. Bo Friis, 2005. http://appliedcrypto.…html

About the author

Bo Friis is working as a security consultant for IT Practice in Denmark. He has specialized in security protocols and implementations. He is working on security solutions for various customers. He is the co-architect and developer of the PortalProtect product and the architect and developer of SPNEGO/Kerberos JGSS. He has designed and developed the initial version of OpenSign and OpenLogon, a set of applets that supports digital signature using X.509 certificates over the XMLDSIG standard. The result was donated to the open source OpenOCES project.

Bo Friis holds a Masters degree in Cryptography from the University of Aarhus in Denmark. He also holds a Master of Science degree in Electrical Engineering from the Technical University of Denmark. He can be reached at email: jbf_AT_practice.…

Copyright Notice and Legal Stuff

All software parts of the SPNEGO/Kerberos product are copyright IT Practice A/S or their respective parties. All rights reserved. (c) 2005 IT Practice and Bo Friis. When using the SPNEGOJNDIRealm for Tomcat, the following message must be included according to license terms: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright (c) 1999-2002 The Apache Software Foundation".
