Posted to users@tomcat.apache.org by Randy Oun <ra...@ounism.com> on 2018/04/23 11:27:53 UTC

Help with SPNEGO Pass-Through

Currently I'm configuring Tomcat 8.5 with Integrated Windows
Authentication/SPNEGO and have a question on proper roles in security
and auth constraints.  I have completed the instructions in the
Integrated Windows Authentication doc
(https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
it appears the Kerberos handshake is working.

The difficulty comes when applying security constraints to an
application which previously had none applied.  The application uses
its own form based authentication system and does not rely upon
Tomcat's user database mechanisms.  The intent was to write custom
code in the application to use the Kerberos ticket for single sign-on.

The main question: is it possible to bypass or pass-through the
Kerberos header without having Tomcat enforce security or auth
constraints while enabling SPNEGO?  If so, what is the proper config?

Ultimately we want to trust the Kerberos token and avoid any
unnecessary re-authentication.  I've tried advice from many articles
online with no success.

Thank you in advance,

RandyO


===================

Some data:

=========
Version.sh
=========

$ ./version.sh
Using CATALINA_BASE:   /opt/apache-tomcat-8.5.23
Using CATALINA_HOME:   /opt/apache-tomcat-8.5.23
Using CATALINA_TMPDIR: /opt/apache-tomcat-8.5.23/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:
/opt/apache-tomcat-8.5.23/bin/bootstrap.jar:/opt/apache-tomcat-8.5.23/bin/tomcat-juli.jar
Server version: Apache Tomcat/8.5.23
Server built:   Sep 28 2017 10:30:11 UTC
Server number:  8.5.23.0
OS Name:        Linux
OS Version:     3.10.0-693.11.6.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_151-b12
JVM Vendor:     Oracle Corporation

========
web.xml
========

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AuthApp</web-resource-name>
        <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>

========
krb5 debug
========

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
MemoryCache: add
1523981725/001290/C2FA3E950212F1F51A0C6BA137498AF0/USER@DOMAIN.ORG to
USER@DOMAIN.ORG|HTTP/SPN@DOMAIN.ORG
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1251591629
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1008854003
Constrained deleg from GSSCaller{UNKNOWN}
Found ticket for HTTP/SPN@DOMAIN.ORG to go to krbtgt/DC@DOMAIN.ORG
expiring on Tue Apr 17 21:15:25 CDT 2018
17-Apr-2018 11:15:25.407 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [USER@DOMAIN.ORG] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
17-Apr-2018 11:15:25.407 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Failed to
authenticate user [USER@DOMAIN.ORG] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
17-Apr-2018 11:15:25.408 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with SPNEGO Pass-Through

Posted by Mark Thomas <ma...@apache.org>.
On 04/05/18 12:50, Randy Oun wrote:
> As an update, the override code worked.  Thanks for the guidance.
> 
> Here is the code we packaged in a jar and placed in the server lib:
> 
> package company.catalina.realm;
> 
> import java.security.Principal;
> import org.apache.catalina.realm.GenericPrincipal;
> import org.apache.catalina.realm.NullRealm;
> 
> public class NoAuthRealm extends NullRealm {
>    @Override
>    protected Principal getPrincipal(String username) {
>        return new GenericPrincipal(username, null, null);
>    }
> }
> 
> It would be good for this information to be updated on the Tomcat Windows Authentication How-To docs to help others along.
> 
> I also think a Tomcat patch/feature to implement a new Realm for SPNEGO/CLIENT-CERT is a good idea.  +1

AuthenticatedUserRealm

Available in 9.0.9 onwards.

Mark



Re: Help with SPNEGO Pass-Through

Posted by Randy Oun <ra...@ounism.com>.
As an update, the override code worked.  Thanks for the guidance.

Here is the code we packaged in a jar and placed in the server lib:

package company.catalina.realm;

import java.security.Principal;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.NullRealm;

public class NoAuthRealm extends NullRealm {
   @Override
   protected Principal getPrincipal(String username) {
       return new GenericPrincipal(username, null, null);
   }
}

It would be good for this information to be updated on the Tomcat Windows Authentication How-To docs to help others along.

I also think a Tomcat patch/feature to implement a new Realm for SPNEGO/CLIENT-CERT is a good idea.  +1

Thanks again for your help!

Randy

> On Apr 25, 2018, at 6:51 AM, Mark Thomas <ma...@apache.org> wrote:
> 
> On 25/04/18 03:29, Randy Oun wrote:
>> Thanks Mark.  I adjusted the web.xml for the application to match your
>> recommendation and I'm still getting an HTTP 401 even though I see the
>> WWW-Authenticate header in the request.
>> 
>> I'm still getting the same error as described earlier:
>> 
>> 
>> [org.apache.catalina.realm.UserDatabaseRealm] 17-Apr-2018 11:15:25.407 FINE
>> [https-jsse-nio-8443-exec-7]
>> org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate
>> user [USER@DOMAIN.ORG <ma...@DOMAIN.ORG>] with realm
>> 
>> What other info can I provide?
> 
> I think you have provided all the information needed. It is me that hasn't.
> 
> You are going to need to specify a Realm for authenticated users to be
> validated against. You can either configure the JNDI Realm to
> authenticate your users against the MS directory or you could write a
> simple custom Realm (see NullRealm for an example) that does something like:
> 
>    @Override
>    protected Principal getPrincipal(String username) {
>        return new GenericPrincipal(username, null, null);
>    }
> 
> For authentication mechanisms that essentially validate the user (I'm
> thinking CLIENT-CERT, SPNEGO) we might consider some sort of Realm
> implementation that returns a Principal for any provided user name
> without further validation.
> 
> Mark
> 
> 
>> 
>> On Tue, Apr 24, 2018 at 7:51 AM Mark Thomas <ma...@apache.org> wrote:
>> 
>>> On 23/04/18 12:27, Randy Oun wrote:
>>>> Currently I'm configuring Tomcat 8.5 with Integrated Windows
>>>> Authentication/SPNEGO and have a question on proper roles in security
>>>> and auth constraints.  I have completed the instructions in the
>>>> Integrated Windows Authentication doc
>>>> (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
>>>> it appears the Kerberos handshake is working.
>>>> 
>>>> The difficulty comes when applying security constraints to an
>>>> application which previously had none applied.  The application uses
>>>> its own form based authentication system and does not rely upon
>>>> Tomcat's user database mechanisms.  The intent was to write custom
>>>> code in the application to use the Kerberos ticket for single sign-on.
>>>> 
>>>> The main question: is it possible to bypass or pass-through the
>>>> Kerberos header without having Tomcat enforce security or auth
>>>> constraints while enabling SPNEGO?  If so, what is the proper config?
>>>> 
>>>> Ultimately we want to trust the Kerberos token and avoid any
>>>> unnecessary re-authentication.  I've tried advice from many articles
>>>> online with no success.
>>> 
>>> I'm not completely sure what you are looking for but I think the following
>>> will help:
>>> 
>>> - Configure the web application to use SPNEGO authentication
>>> 
>>> <login-config>
>>>  <auth-method>SPNEGO</auth-method>
>>>  <realm-name>SPNEGO Realm</realm-name>
>>> </login-config>
>>> 
>>> - Configure the web application to require authorisation for all
>>>  resources and accept any authenticated user as authorised
>>> 
>>> <security-constraint>
>>>  <display-name>Require user authentication only</display-name>
>>>  <web-resource-collection>
>>>    <web-resource-name>Everything</web-resource-name>
>>>    <url-pattern>/*</url-pattern>
>>>  </web-resource-collection>
>>>  <auth-constraint>
>>>    <role-name>**</role-name>
>>>  </auth-constraint>
>>> </security-constraint>
>>> 
>>> You can then obtain the authenticated Principal via getUserPrincipal()
>>> 
>>> If you cast the principal to TomcatPrincipal you can call
>>> getGssCredential()
>>> 
>>> HTH,
>>> 
>>> Mark
>>> 
>>> 
>>> 
>> 
> 
> 
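The NoAuthRealm above returns a Principal for any name at all, which is acceptable only because the SPNEGO authenticator has already validated the Kerberos ticket before the Realm is consulted (and, on Tomcat 9.0.9 and later, the built-in AuthenticatedUserRealm Mark mentions does the same job). As an added example that is not part of the thread or of Tomcat, here is a slightly hardened variant of the same idea: it still performs no password check, but it rejects empty names, rejects principals from a Kerberos realm other than the one configured when the realm suffix is present, and assigns a fixed role so the application can use ordinary role-based constraints instead of `**`. The package and class names, the `expectedKerberosRealm` attribute and the role name `kerberos-user` are all hypothetical.

```java
// Added example, not code from the thread or from Tomcat. Assumes Tomcat 8.5
// (org.apache.catalina.realm.NullRealm / GenericPrincipal as in the thread).
// Package, class name, the expectedKerberosRealm attribute and the role name
// are hypothetical choices for this illustration.
package company.catalina.realm;

import java.security.Principal;
import java.util.Collections;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.NullRealm;

public class TrustedKerberosRealm extends NullRealm {

    // One role for every Kerberos-authenticated user, so web.xml can say
    // <role-name>kerberos-user</role-name> rather than "**" (hypothetical name).
    private static final List<String> ROLES =
            Collections.singletonList("kerberos-user");

    // Configured from server.xml, e.g.
    // <Realm className="company.catalina.realm.TrustedKerberosRealm"
    //        expectedKerberosRealm="DOMAIN.ORG" stripRealmForGss="false"/>
    // (hypothetical attribute; DOMAIN.ORG is the placeholder realm from the thread)
    private String expectedKerberosRealm;

    public String getExpectedKerberosRealm() {
        return expectedKerberosRealm;
    }

    public void setExpectedKerberosRealm(String expectedKerberosRealm) {
        this.expectedKerberosRealm = expectedKerberosRealm;
    }

    @Override
    protected Principal getPrincipal(String username) {
        // No principal means Tomcat treats the request as unauthenticated.
        if (username == null || username.trim().isEmpty()) {
            return null;
        }

        // Tomcat's RealmBase strips "@REALM" from the GSS name before calling
        // this method while stripRealmForGss is true (its default), so the
        // suffix check below only takes effect with stripRealmForGss="false".
        int at = username.lastIndexOf('@');
        if (at > 0 && expectedKerberosRealm != null) {
            String kerberosRealm = username.substring(at + 1);
            if (!kerberosRealm.equalsIgnoreCase(expectedKerberosRealm)) {
                return null; // principal from a foreign realm: not trusted here
            }
        }

        // No password: the Kerberos ticket was already validated by the
        // SPNEGO authenticator. Tomcat attaches the delegated GSSCredential,
        // if any, to this principal after it is returned.
        return new GenericPrincipal(username, null, ROLES);
    }
}
```

Build it against the Tomcat 8.5 `catalina.jar`, package it as a jar in `$CATALINA_HOME/lib` exactly as the thread's NoAuthRealm was, and reference it from the `<Realm>` element in server.xml (or inside a CombinedRealm alongside the JNDI Realm, if only some users should be trusted on the ticket alone).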

Re: Help with SPNEGO Pass-Through

Posted by Mark Thomas <ma...@apache.org>.
On 25/04/18 03:29, Randy Oun wrote:
> Thanks Mark.  I adjusted the web.xml for the application to match your
> recommendation and I'm still getting an HTTP 401 even though I see the
> WWW-Authenticate header in the request.
> 
> I'm still getting the same error as described earlier:
> 
> 
> [org.apache.catalina.realm.UserDatabaseRealm] 17-Apr-2018 11:15:25.407 FINE
> [https-jsse-nio-8443-exec-7]
> org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate
> user [USER@DOMAIN.ORG] with realm
> 
> What other info can I provide?

I think you have provided all the information needed. It is me that hasn't.

You are going to need to specify a Realm for authenticated users to be
validated against. You can either configure the JNDI Realm to
authenticate your users against the MS directory or you could write a
simple custom Realm (see NullRealm for an example) that does something like:

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null, null);
    }

For authentication mechanisms that essentially validate the user (I'm
thinking CLIENT-CERT, SPNEGO) we might consider some sort of Realm
implementation that returns a Principal for any provided user name
without further validation.

Mark


> 
> On Tue, Apr 24, 2018 at 7:51 AM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 23/04/18 12:27, Randy Oun wrote:
>>> Currently I'm configuring Tomcat 8.5 with Integrated Windows
>>> Authentication/SPNEGO and have a question on proper roles in security
>>> and auth constraints.  I have completed the instructions in the
>>> Integrated Windows Authentication doc
>>> (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
>>> it appears the Kerberos handshake is working.
>>>
>>> The difficulty comes when applying security constraints to an
>>> application which previously had none applied.  The application uses
>>> its own form based authentication system and does not rely upon
>>> Tomcat's user database mechanisms.  The intent was to write custom
>>> code in the application to use the Kerberos ticket for single sign-on.
>>>
>>> The main question: is it possible to bypass or pass-through the
>>> Kerberos header without having Tomcat enforce security or auth
>>> constraints while enabling SPNEGO?  If so, what is the proper config?
>>>
>>> Ultimately we want to trust the Kerberos token and avoid any
>>> unnecessary re-authentication.  I've tried advice from many articles
>>> online with no success.
>>
>> I'm not completely sure what you are looking for but I think the following
>> will help:
>>
>> - Configure the web application to use SPNEGO authentication
>>
>> <login-config>
>>   <auth-method>SPNEGO</auth-method>
>>   <realm-name>SPNEGO Realm</realm-name>
>> </login-config>
>>
>> - Configure the web application to require authorisation for all
>>   resources and accept any authenticated user as authorised
>>
>> <security-constraint>
>>   <display-name>Require user authentication only</display-name>
>>   <web-resource-collection>
>>     <web-resource-name>Everything</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>**</role-name>
>>   </auth-constraint>
>> </security-constraint>
>>
>> You can then obtain the authenticated Principal via getUserPrincipal()
>>
>> If you cast the principal to TomcatPrincipal you can call
>> getGssCredential()
>>
>> HTH,
>>
>> Mark
>>
>>
>>
> 




Re: Help with SPNEGO Pass-Through

Posted by Randy Oun <ra...@ounism.com>.
Thanks Mark.  I adjusted the web.xml for the application to match your
recommendation and I'm still getting an HTTP 401 even though I see the
WWW-Authenticate header in the request.

I'm still getting the same error as described earlier:


[org.apache.catalina.realm.UserDatabaseRealm] 17-Apr-2018 11:15:25.407 FINE
[https-jsse-nio-8443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate
user [USER@DOMAIN.ORG] with realm

What other info can I provide?

On Tue, Apr 24, 2018 at 7:51 AM Mark Thomas <ma...@apache.org> wrote:

> On 23/04/18 12:27, Randy Oun wrote:
> > Currently I'm configuring Tomcat 8.5 with Integrated Windows
> > Authentication/SPNEGO and have a question on proper roles in security
> > and auth constraints.  I have completed the instructions in the
> > Integrated Windows Authentication doc
> > (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
> > it appears the Kerberos handshake is working.
> >
> > The difficulty comes when applying security constraints to an
> > application which previously had none applied.  The application uses
> > its own form based authentication system and does not rely upon
> > Tomcat's user database mechanisms.  The intent was to write custom
> > code in the application to use the Kerberos ticket for single sign-on.
> >
> > The main question: is it possible to bypass or pass-through the
> > Kerberos header without having Tomcat enforce security or auth
> > constraints while enabling SPNEGO?  If so, what is the proper config?
> >
> > Ultimately we want to trust the Kerberos token and avoid any
> > unnecessary re-authentication.  I've tried advice from many articles
> > online with no success.
>
> I'm not completely sure what you are looking for but I think the following
> will help:
>
> - Configure the web application to use SPNEGO authentication
>
> <login-config>
>   <auth-method>SPNEGO</auth-method>
>   <realm-name>SPNEGO Realm</realm-name>
> </login-config>
>
> - Configure the web application to require authorisation for all
>   resources and accept any authenticated user as authorised
>
> <security-constraint>
>   <display-name>Require user authentication only</display-name>
>   <web-resource-collection>
>     <web-resource-name>Everything</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>**</role-name>
>   </auth-constraint>
> </security-constraint>
>
> You can then obtain the authenticated Principal via getUserPrincipal()
>
> If you cast the principal to TomcatPrincipal you can call
> getGssCredential()
>
> HTH,
>
> Mark
>
>
>

Re: Help with SPNEGO Pass-Through

Posted by Mark Thomas <ma...@apache.org>.
On 23/04/18 12:27, Randy Oun wrote:
> Currently I'm configuring Tomcat 8.5 with Integrated Windows
> Authentication/SPNEGO and have a question on proper roles in security
> and auth constraints.  I have completed the instructions in the
> Integrated Windows Authentication doc
> (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
> it appears the Kerberos handshake is working.
> 
> The difficulty comes when applying security constraints to an
> application which previously had none applied.  The application uses
> its own form based authentication system and does not rely upon
> Tomcat's user database mechanisms.  The intent was to write custom
> code in the application to use the Kerberos ticket for single sign-on.
> 
> The main question: is it possible to bypass or pass-through the
> Kerberos header without having Tomcat enforce security or auth
> constraints while enabling SPNEGO?  If so, what is the proper config?
> 
> Ultimately we want to trust the Kerberos token and avoid any
> unnecessary re-authentication.  I've tried advice from many articles
> online with no success.

I'm not completely sure what you are looking for but I think the following
will help:

- Configure the web application to use SPNEGO authentication

<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO Realm</realm-name>
</login-config>

- Configure the web application to require authorisation for all
  resources and accept any authenticated user as authorised

<security-constraint>
  <display-name>Require user authentication only</display-name>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>**</role-name>
  </auth-constraint>
</security-constraint>

You can then obtain the authenticated Principal via getUserPrincipal()

If you cast the principal to TomcatPrincipal you can call getGssCredential()

HTH,

Mark

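Mark's advice ends with the two calls the application actually needs once the `**` constraint is in place: `getUserPrincipal()` for the identity, and the cast to `TomcatPrincipal` for `getGssCredential()`. As an added example that is not part of the thread or of Tomcat, the servlet below shows both, including the two cases a practitioner has to handle: a request that somehow arrives without a SPNEGO-established principal (fail closed rather than fall back to the form login), and a principal with no delegated credential, which is the normal case when the client did not delegate or the authenticator's `storeDelegatedCredential` has been turned off. It assumes Tomcat 8.5 (javax.servlet API, `catalina.jar` on the compile classpath) and the web.xml Mark gave; the package name and the `/whoami` path are hypothetical.

```java
// Added example, not code from the thread or from Tomcat. Assumes Tomcat 8.5
// with the SPNEGO login-config and "**" auth-constraint from the thread.
// Package name and servlet path are hypothetical.
package company.app;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.TomcatPrincipal;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal();

        // With the "**" constraint Tomcat never dispatches an unauthenticated
        // request here. If the constraint is ever narrowed or removed, fail
        // closed instead of silently treating the request as anonymous, and
        // insist that the identity came from the SPNEGO authenticator rather
        // than from any other login mechanism configured on the container.
        if (principal == null || !"SPNEGO".equals(req.getAuthType())) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("authType: " + req.getAuthType());
        out.println("user:     " + principal.getName()); // e.g. USER@DOMAIN.ORG

        // Tomcat's GenericPrincipal implements TomcatPrincipal, which carries
        // the delegated GSSCredential when the client delegated one.
        if (!(principal instanceof TomcatPrincipal)) {
            out.println("gss:      principal is not a TomcatPrincipal");
            return;
        }
        GSSCredential cred = ((TomcatPrincipal) principal).getGssCredential();
        if (cred == null) {
            // Normal when the client did not delegate, or when the SPNEGO
            // authenticator's storeDelegatedCredential attribute is false.
            out.println("gss:      no delegated credential");
            return;
        }
        try {
            // Only inspected here; a real application would use the credential
            // to authenticate onward to a backend service on the user's behalf.
            out.println("gss name: " + cred.getName());
            out.println("gss ttl:  " + cred.getRemainingLifetime() + "s");
        } catch (GSSException e) {
            log("Unable to inspect delegated credential", e);
            out.println("gss:      credential present but not readable");
        }
    }
}
```

Because the JVM-level Kerberos debug output in the first message already shows `KrbApReq: authenticate succeed.` before the Realm lookup fails, this servlet is a convenient way to confirm the other half of the picture: once a Realm that returns a principal is in place, `user:` should show the Kerberos principal name and `gss name:` should appear only for clients that delegated.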