
JBoss Negotiation in AS7

Get Kerberos authentication working

Josef Cacek
Senior QE Engineer, Red Hat
DevConf 2013

Agenda

Technologies introduction

Quickstart

Configuration

Troubleshooting

Introduction: Kerberos

ticket-based network authentication protocol

JBoss Negotiation

Negotiation (SPNEGO) support for JBoss AS

protocols: Kerberos, NTLM

components:
authenticator (a JBoss Web valve)
JAAS login modules
toolkit to check the configuration

Quickstart

https://github.com/kwart/spnego-demo
https://github.com/kwart/kerberos-using-apacheds

JBoss AS configuration
$JBOSS_HOME/standalone/configuration/standalone.xml

standalone.xml security domains (1)

<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required">
<module-option name="debug" value="true"/>
<module-option name="storeKey" value="true"/>
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="keyTab" value="/path/to/http.keytab"/>
<module-option name="principal" value="HTTP/localhost@JBOSS.ORG"/>
</login-module>
</authentication>
</security-domain>

The keytab holds the service's long-term key: keep it readable only by the user JBoss runs as. debug="true" is for troubleshooting and should be off in production.

standalone.xml security domains (2)


<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain"
value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="jduke@JBOSS.ORG" value="Admin"/>
<module-option name="hnelson@JBOSS.ORG" value="User"/>
</mapping-module>
</mapping>
</security-domain>

standalone.xml Kerberos-related system properties

<system-properties>
<property
name="java.security.krb5.conf"
value="/path/to/krb5.conf"/>
<property
name="java.security.krb5.debug"
value="true"/>
<property
name="jboss.security.disable.secdomain.option"
value="true"/>
</system-properties>

jboss.security.disable.secdomain.option stops PicketBox from adding its jboss.security.security_domain option to every login module; the JDK Kerberos login module does not accept that extra option, so the host domain fails without this property. Leave java.security.krb5.debug off in production.

Web application configuration

WAR Web archive

WEB-INF/web.xml

define your security constraints and roles

<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Data</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>

WEB-INF/jboss-web.xml

security domain

custom authenticator

<jboss-web>
<security-domain>SPNEGO</security-domain>
<valve>
<class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
</valve>
</jboss-web>

META-INF/jboss-deployment-structure.xml

define module dependencies

<jboss-deployment-structure>
<deployment>
<dependencies>
<module
name="org.jboss.security.negotiation" />
</dependencies>
</deployment>
</jboss-deployment-structure>

Client configuration

krb5.conf

configure the realm


[libdefaults]
default_realm = MY-COMPANY.CZ
[realms]
MY-COMPANY.CZ = {
kdc = kerberos.my-company.cz:688
}
[domain_realm]
.my-company.cz = MY-COMPANY.CZ

The standard KDC port is 88; append a port only if your KDC listens elsewhere.

Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf:
$ export KRB5_CONFIG=/path/to/krb5.conf

Browser configuration allow negotiation for the domain

Firefox: use about:config in the address bar

network.negotiate-auth.delegation-uris=.my-company.cz
network.negotiate-auth.trusted-uris=.my-company.cz

Chromium
$ chromium-browser \
> --auth-server-whitelist=.my-company.cz \
> --auth-negotiate-delegate-whitelist=.my-company.cz

trusted-uris (--auth-server-whitelist) is all that authentication needs. delegation-uris (--auth-negotiate-delegate-whitelist) additionally forwards the user's TGT to those servers, so list a domain there only if the application really has to act on the user's behalf.

And if it still doesn't work

Pitfalls - principal names

The Service Principal Name (SPN) must follow the rule

<service type>/<hostname>@<realm>

The client builds the SPN from the host part of the URL it requests, so for
http://my-server.my-company.cz/
use the SPN
HTTP/my-server.my-company.cz@MYCOMP.CZ

Mixing IPs and hostnames usually doesn't work: a keytab for
HTTP/localhost@MYCOMP.CZ
does not serve a request to
http://127.0.0.1/
because the client asks the KDC for HTTP/127.0.0.1, and no such principal exists.

Pitfalls - IPv6

The SPN derived from an IPv6 literal differs by protocol.

HTTP keeps the brackets:
http://[0:0:0:0:0:0:0:1]:8080/my-app/
HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG

LDAP (can be used for role-mapping) drops them:
ldap://[0:0:0:0:0:0:0:1]:389
ldap/0:0:0:0:0:0:0:1@JBOSS.ORG

Pitfalls - IBM Java

host's login module

<login-module
code="com.ibm.security.auth.module.Krb5LoginModule"
flag="required" >

its module options are not the same as the Sun/OpenJDK Krb5LoginModule's!


krb5.conf: check the [libdefaults] section

encryption support:
default_tgs_enctypes
default_tkt_enctypes
allow_weak_crypto (last resort only: it re-enables DES; prefer re-keying the service principal with AES)

forwardable ticket when a client uses Krb5LoginModule:
forwardable = true
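The two checks the pitfall slides describe (is the SPN the client will ask for actually in the keytab, and do the keytab's encryption types match what krb5.conf lets the client use) can be scripted. The script below is an added example for these slides, not code from JBoss Negotiation or the spnego-demo project: it derives the SPN from a URL using the rule above (brackets kept for an IPv6 HTTP host, dropped for ldap, realm from [domain_realm] or default_realm), parses `klist -kte` output, and flags missing principals, enctype mismatches and weak-only keys. The krb5.conf and klist texts are constructed samples; the list of weak enctypes is an assumption about MIT's allow_weak_crypto.

```python
"""Check that the keytab JBoss loads holds the SPN a client will really ask for.

Added example for these slides, not code from JBoss Negotiation or spnego-demo.
Applies the SPN rule <service type>/<hostname>@<realm> from the "Pitfalls"
slides and compares the result with `klist -kte` output (constructed samples)."""
import re
from urllib.parse import urlsplit

SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MY-COMPANY.CZ
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz
 }
[domain_realm]
 .my-company.cz = MY-COMPANY.CZ
"""
# Constructed output of `klist -kte /path/to/http.keytab` (MIT Kerberos format).
SAMPLE_KLIST = """\
Keytab name: FILE:/path/to/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/23/13 10:00:00 HTTP/my-server.my-company.cz@MY-COMPANY.CZ (aes256-cts-hmac-sha1-96)
   3 02/23/13 10:00:00 HTTP/my-server.my-company.cz@MY-COMPANY.CZ (arcfour-hmac)
   3 02/23/13 10:00:00 ldap/0:0:0:0:0:0:0:1@MY-COMPANY.CZ (aes128-cts-hmac-sha1-96)
"""
# Assumed list of enctypes MIT refuses unless allow_weak_crypto = true
# (single DES and exportable RC4; newer MIT releases deprecate more).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "arcfour-hmac-exp"}
KLIST_LINE = re.compile(r"^\s*\d+\s+.*?(\S+@[A-Za-z0-9.-]+)\s*(?:\(([^)]+)\))?\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}. [realms] sub-blocks are flattened,
    which is harmless here: only [libdefaults] and [domain_realm] are read."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections


def realm_for_host(host, conf):
    """[domain_realm] lookup: exact host, then longest ".suffix", else default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    for i in range(len(labels)):  # host, then .b.c, .c
        candidate = ("." if i else "") + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf["libdefaults"]["default_realm"]


def expected_spn(url, conf):
    """Return (spn, warnings): the SPN a client derives from the URL's host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme in ("http", "https"):
        service = "HTTP"
        if ":" in host:            # IPv6 literal: the HTTP client keeps the brackets
            host = "[" + host + "]"
    elif parts.scheme in ("ldap", "ldaps"):
        service = "ldap"           # JNDI asks for the bare address, no brackets
    else:
        raise ValueError("unsupported scheme: " + parts.scheme)
    bare, warnings = host.strip("[]"), []
    if ":" in bare or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", bare):
        warnings.append(f"{url} uses an IP literal: the KDC normally has no "
                        f"{service}/{host} principal, request a hostname instead")
    return f"{service}/{host}@{realm_for_host(bare, conf)}", warnings


def parse_klist(text):
    """Parse `klist -kte` output into {principal: {enctype, ...}}."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2) or "unknown")
    return entries


def check_keytab(url, krb5_conf_text, klist_text):
    """Return (spn, problems); an empty list means the keytab can serve the URL."""
    conf = parse_krb5_conf(krb5_conf_text)
    spn, problems = expected_spn(url, conf)
    keys = parse_klist(klist_text).get(spn)
    if not keys:
        return spn, problems + [f"{spn} is not in the keytab"]
    wanted = conf["libdefaults"].get("default_tgs_enctypes")
    usable = keys & set(re.split(r"[\s,]+", wanted)) if wanted else keys
    if not usable:
        problems.append(f"keytab keys {sorted(keys)} match none of default_tgs_enctypes ({wanted})")
    elif usable <= WEAK_ENCTYPES:
        problems.append(f"only weak enctypes {sorted(usable)} usable; re-key with AES "
                        "rather than setting allow_weak_crypto = true")
    return spn, problems


if __name__ == "__main__":
    for u in ("http://my-server.my-company.cz/", "http://127.0.0.1/", "http://localhost:8080/"):
        print(u, "->", check_keytab(u, SAMPLE_KRB5_CONF, SAMPLE_KLIST))
```

On a real server feed it the actual files: read /path/to/krb5.conf and the output of `klist -kte /path/to/http.keytab`, and pass the URL exactly as the browser will type it. A "not in the keytab" result for a URL that uses an IP or a short hostname is the mismatch the principal-name pitfall describes; an enctype problem means the KDC and keytab need re-keying, not allow_weak_crypto.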

Thank you.