Posted to users@tomcat.apache.org by geofrey rainey <ge...@gmail.com> on 2010/06/01 10:04:54 UTC

JAAS Realm Authentication with Kerberos

Hello,

I've been following this fairly self-explanatory document on Kerberos
authentication against an AD. If I hard-code the user@realm in the web.xml
file, authentication is successful. However, obviously, what one really wants
is the actual user credentials as stored in the Principal class,
javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each
Subject authenticating, but I'm a bit lost as to how to get that information
from the class into the web.xml. Any ideas would be appreciated.

(http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly)

<auth-constraint>
  <role-name>user@realm</role-name>
</auth-constraint>


Regards,
Geofrey.

Re: JAAS Realm Authentication with Kerberos

Posted by geofrey rainey <ge...@gmail.com>.
Okay, thank you very much.

On Wed, Jun 2, 2010 at 10:25 PM, dB. <db...@dblock.org> wrote:

> Yes. You can (and should) have a list of roles - everything the user that
> just logged in has access to / every role he has.
>
> cheers
> dB.

Re: JAAS Realm Authentication with Kerberos

Posted by geofrey rainey <ge...@gmail.com>.
Okay, another JAAS question.

My application requires authentication against an AD and a separate
authorization step against a database. I'm wondering how I should implement this:

a. A single login module whose login method authenticates against the AD and
also authenticates (technically an authorisation step) against the DB.

b. Two different login modules, one against the AD and the other against the
database.

If b, I can take advantage of the JAAS configuration file, which allows
multiple login modules. However, does this mean I need two *roleClassNames*
defined? Or perhaps I need something like two roles defined, such as "ad_role"
and "db_role", and both are then saved in the shared state map?

Thanks for any help,

Regards,
Geofrey.

On Wed, Jun 2, 2010 at 10:25 PM, dB. <db...@dblock.org> wrote:

> Yes. You can (and should) have a list of roles - everything the user that
> just logged in has access to / every role he has.
>
> cheers
> dB.

RE: JAAS Realm Authentication with Kerberos

Posted by "dB." <db...@dblock.org>.
Yes. You can (and should) have a list of roles - everything the user that just logged in has access to / every role he has.

cheers
dB.



dB. @ dblock.org 
Moscow|Geneva|Seattle|New York


-----Original Message-----
From: geofrey rainey [mailto:geofreyr@gmail.com] 
Sent: Tuesday, June 01, 2010 10:13 PM
To: Tomcat Users List
Subject: Re: JAAS Realm Authentication with Kerberos

Right, so let me get this straight: presently the KerberosLoginModule saves
the role information (defined as user@realm) as a Principal, which is then
compared against the literal string defined in web.xml. So what you're
suggesting is to modify the KerberosLoginModule so that, essentially, the
credentials saved in the (Role) Principal reflect exactly what's in
web.xml (under the Role)?

Thank you for your help.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JAAS Realm Authentication with Kerberos

Posted by geofrey rainey <ge...@gmail.com>.
Right, so let me get this straight: presently the KerberosLoginModule saves
the role information (defined as user@realm) as a Principal, which is then
compared against the literal string defined in web.xml. So what you're
suggesting is to modify the KerberosLoginModule so that, essentially, the
credentials saved in the (Role) Principal reflect exactly what's in
web.xml (under the Role)?

Thank you for your help.

On Tue, Jun 1, 2010 at 11:56 PM, dB. <db...@dblock.org> wrote:

> If you look at the KerberosLoginModule code, it wants to be modified to
> retrieve roles from somewhere in your system. For example, a user database
> that says that user@realm is "manager". Then you can say <auth-constraint>
> ... manager </> in web.xml rather than user@realm. Listing individual
> users clearly isn't practical.
>
> Any authenticated user will be a member of "Everyone" or
> "DOMAIN\Authenticated Users" or "DOMAIN\Users", etc.
>
> If you are using Active Directory on Windows, you're probably not getting
> what you want with Kerberos alone. To use web.xml for authorization, you
> want something like roles = AD groups (and local groups). Retrieving user
> groups by name from AD is going to yield the wrong result in any kind of
> real-world deployment - you will have a hard time getting nested groups or
> anything from trusted domains.
>
> If you're running on Windows and your goal is single sign-on, you may want
> to try http://waffle.codeplex.com. There are several options, including a
> login filter and a JAAS authenticator. All use SSPI to log in (will do
> Kerberos and NTLM) and will return not just the user identity, but the
> user's local and domain groups.
>
> Hope this helps,
> -dB.

RE: JAAS Realm Authentication with Kerberos

Posted by "dB." <db...@dblock.org>.
If you look at the KerberosLoginModule code, it wants to be modified to retrieve roles from somewhere in your system. For example, a user database that says that user@realm is "manager". Then you can say <auth-constraint> ... manager </> in web.xml rather than user@realm. Listing individual users clearly isn't practical.

Any authenticated user will be a member of "Everyone" or "DOMAIN\Authenticated Users" or "DOMAIN\Users", etc.

If you are using Active Directory on Windows, you're probably not getting what you want with Kerberos alone. To use web.xml for authorization, you want something like roles = AD groups (and local groups). Retrieving user groups by name from AD is going to yield the wrong result in any kind of real-world deployment - you will have a hard time getting nested groups or anything from trusted domains.

If you're running on Windows and your goal is single sign-on, you may want to try http://waffle.codeplex.com. There are several options, including a login filter and a JAAS authenticator. All use SSPI to log in (will do Kerberos and NTLM) and will return not just the user identity, but the user's local and domain groups.

Hope this helps,
-dB.


dB. @ dblock.org 
Moscow|Geneva|Seattle|New York


-----Original Message-----
From: geofrey rainey [mailto:geofreyr@gmail.com] 
Sent: Tuesday, June 01, 2010 4:05 AM
To: users@tomcat.apache.org
Subject: JAAS Realm Authentication with Kerberos

Hello,

I've been following this fairly self-explanatory document on Kerberos
authentication against an AD. If I hard-code the user@realm in the web.xml
file, authentication is successful. However, obviously, what one really wants
is the actual user credentials as stored in the Principal class,
javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each
Subject authenticating, but I'm a bit lost as to how to get that information
from the class into the web.xml. Any ideas would be appreciated.

(http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly)

<auth-constraint>
  <role-name>user@realm</role-name>
</auth-constraint>


Regards,
Geofrey.

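
An added example, not code from this thread or from the Tomcat project, that puts dB.'s suggestion into working shape and also covers the earlier a/b question (option b, two stacked modules). com.sun.security.auth.module.Krb5LoginModule does the authentication against the KDC (the AD domain controller); a second, hypothetical module then looks up the authenticated principal's roles in the application's own database and adds them to the Subject, so that web.xml can constrain on "manager" instead of on a literal user@realm. The class names RolePrincipal and DbRoleLoginModule, the jdbcUrl and roleQuery options, the user_roles table and the JDBC URL are all assumptions for the illustration; the JAASRealm attributes appName, userClassNames and roleClassNames are real Tomcat configuration. The code uses Java 7 try-with-resources, which postdates the thread; RolePrincipal is package-private only to keep the example in one file.

```java
package com.example.auth;

// Added example (not code from the thread or from Tomcat). Assumed names: RolePrincipal,
// DbRoleLoginModule, the jdbcUrl/roleQuery options, the user_roles table and the JDBC URL.
// Stacked JAAS config, selected with -Djava.security.auth.login.config=/path/jaas.config:
//   Tomcat {
//     com.sun.security.auth.module.Krb5LoginModule required;
//     com.example.auth.DbRoleLoginModule required jdbcUrl="jdbc:postgresql://db.example/auth"
//         roleQuery="SELECT role FROM user_roles WHERE principal = ?";
//   };
// server.xml (identity from Krb5LoginModule, roles from this module):
//   <Realm className="org.apache.catalina.realm.JAASRealm" appName="Tomcat"
//          userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
//          roleClassNames="com.example.auth.RolePrincipal"/>
// web.xml then names a role instead of user@realm:
//   <auth-constraint><role-name>manager</role-name></auth-constraint>
//   <security-role><role-name>manager</role-name></security-role>

import java.security.Principal;
import java.sql.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Role principal: JAASRealm turns every principal of this class into a web.xml role. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

/** Second module in the stack: authenticates nobody, only adds roles once the KDC said yes. */
public class DbRoleLoginModule implements LoginModule {
    private Subject subject;
    private String jdbcUrl, roleQuery;
    private final Set<RolePrincipal> added = new HashSet<RolePrincipal>();
    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.jdbcUrl = (String) options.get("jdbcUrl");
        this.roleQuery = (String) options.get("roleQuery");
    }

    /** Fail closed on misconfiguration: with flag "required" this fails the whole login. */
    @Override
    public boolean login() throws LoginException {
        if (jdbcUrl == null || roleQuery == null) {
            throw new LoginException("DbRoleLoginModule needs jdbcUrl and roleQuery options");
        }
        return true;
    }

    /** Runs only after the whole stack succeeded, i.e. Krb5LoginModule accepted the password. */
    @Override
    public boolean commit() throws LoginException {
        Set<KerberosPrincipal> users = subject.getPrincipals(KerberosPrincipal.class);
        if (users.isEmpty()) return false; // no Kerberos identity in the Subject, so no roles
        for (KerberosPrincipal user : users) {
            // Key on the full name (user@REALM): alice@CORP.EXAMPLE and alice@PARTNER.EXAMPLE
            // (a trusted domain) must never share roles.
            for (String role : lookupRoles(user.getName())) {
                RolePrincipal rp = new RolePrincipal(role);
                if (subject.getPrincipals().add(rp)) added.add(rp);
            }
        }
        return true;
    }

    /** Parameterised query: the principal name is bound as data, never spliced into SQL. */
    private Set<String> lookupRoles(String principalName) throws LoginException {
        Set<String> roles = new HashSet<String>();
        try (Connection c = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = c.prepareStatement(roleQuery)) {
            ps.setString(1, principalName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) roles.add(rs.getString(1));
            }
        } catch (SQLException e) {
            // An unreachable role store must deny the login, not hand out a role-less session.
            throw new LoginException("role lookup failed for " + principalName + ": " + e);
        }
        return roles;
    }
    @Override
    public boolean abort() throws LoginException { return logout(); }
    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(added); // undo only what this module added
        added.clear();
        return true;
    }
}
```

A single roleClassNames entry suffices here, because only the second module adds roles; the KerberosPrincipal that Krb5LoginModule committed is already in the Subject, so nothing has to travel through the shared state map. Two details carry the security weight: the lookup is keyed on the full principal name including the realm, so identical short names in trusted realms cannot collide, and a database failure throws a LoginException rather than returning an empty role set, so an outage of the role store denies the login instead of quietly degrading it. What this does not provide is AD group membership; as dB. notes, that has to come from the directory (or from SSPI via Waffle on Windows), not from the Kerberos ticket.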