Posted to user@geronimo.apache.org by "Williams, Alex" <al...@Linklaters.com> on 2006/03/30 16:32:00 UTC

Kerberos Security Realm

Hi,

Has anyone successfully implemented a Kerberos Security Realm? I'm using
Geronimo 1.0, JDK 1.4.2 on Windows XP and would like to achieve single
sign on against the Windows KDC.

I have managed to get a standalone java example to work, but I'm a bit
lost when it comes to configuring a Security Realm in Geronimo. Do I
have to do any configuration outside of Geronimo - e.g. properties files
within the JVM installation?

Any tips or samples would be very gratefully received.

See below for what I've tried so far.

Thanks,
Alex



I've created a Security Realm in the Geronimo Console with the following
plan:

<configuration configId="SecurityRealm-my-kerberos-realm"
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <gbean name="my-kerberos-realm"
        class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">my-kerberos-realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>my-kerberos-realm</log:login-domain-name>
                    <log:login-module-class>com.sun.security.auth.module.Krb5LoginModule</log:login-module-class>
                    <log:option name="debug">true</log:option>
                    <log:option name="doNotPrompt">true</log:option>
                    <log:option name="useTicketCache">true</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>


I added the following to the web.xml for my app:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>This is not used for FORM login</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>


And I added the following to geronimo-web.xml:

    <security-realm-name>my-kerberos-realm</security-realm-name>
    <security>
        <default-principal>
            <principal name="anonymous"
                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
        </default-principal>
        <role-mappings>
            <role role-name="admin">
                <principal name="administrators"
                    designated-run-as="true"
                    class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
                <principal name="awilliams"
                    class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
            </role>
        </role-mappings>
    </security>


I have created /protected/index.htm, but I have NOT implemented
/login.jsp or /loginerror.jsp. I am logged into the Windows domain as
"awilliams", so I expect SSO to work. It appears not to, since I get a
404 error saying that /login.jsp does not exist.

I'd obviously like to get the SSO working through the Windows KDC. I
presume though that I need the login screens to fallback on. Down the
road, do I need an extra login module to authenticate against
ActiveDirectory if the SSO fails?

_______________________________________________
This message is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you have received it by mistake please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone. All messages sent to and from Linklaters may be monitored to ensure compliance with internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. Anyone who communicates with us by email is taken to accept these risks.

The contents of any email addressed to our clients are subject to our usual terms of business; anything which does not relate to the official business of the firm is neither given nor endorsed by it.

The registered address of the UK partnership of Linklaters is One Silk Street, London, EC2Y 8HQ. Please refer to http://www.linklaters.com/regulation for important information on the regulatory position of the firm.
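As an added illustration (not Alex's code and not part of Geronimo), the standalone Java program below expresses the same Krb5LoginModule configuration as the plan's login-config block, performs the login with no callback handler, and prints the principal classes the module actually places in the Subject, which is what the class attributes in geronimo-web.xml have to match. It assumes a reachable KDC (krb5.ini or the java.security.krb5.realm/kdc system properties) and an existing ticket cache for the account running the JVM; the class name Krb5RealmProbe is made up.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// JDK 1.4-style code (no generics). Name of this class is hypothetical.
public class Krb5RealmProbe {

    // Matches <log:login-domain-name> in the Geronimo plan.
    static final String ENTRY_NAME = "my-kerberos-realm";

    // Programmatic JAAS configuration equivalent to the plan's login-module element:
    // Krb5LoginModule, control-flag REQUIRED, options debug/doNotPrompt/useTicketCache.
    static Configuration planEquivalent() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ENTRY_NAME.equals(name)) return null;
                Map options = new HashMap();
                options.put("debug", "true");
                options.put("doNotPrompt", "true");
                options.put("useTicketCache", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
            public void refresh() {}
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(planEquivalent());
        // No CallbackHandler: with doNotPrompt=true the module must find a TGT in the
        // ticket cache of the account running this JVM or fail. That account, not a
        // remote browser user, is who gets authenticated when this runs inside a server.
        LoginContext lc = new LoginContext(ENTRY_NAME);
        lc.login();
        Subject subject = lc.getSubject();
        for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
            Principal p = (Principal) it.next();
            // Krb5LoginModule yields javax.security.auth.kerberos.KerberosPrincipal
            // (e.g. "awilliams@REALM"), not an org.apache.geronimo.* class; compare
            // this output with the class attributes used in the role-mappings.
            System.out.println(p.getClass().getName() + " -> " + p.getName());
            if (p instanceof KerberosPrincipal) {
                System.out.println("  realm: " + ((KerberosPrincipal) p).getRealm());
            }
        }
        lc.logout();
    }
}
```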


Re: Kerberos Security Realm

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
But I should also add that for a web app, if you run Geronimo through
Apache HTTP or IIS then you can use SPNEGO to achieve single sign-on
without configuring a Geronimo security realm.  I also lack specifics
for how to configure that.  :)

Thanks,
    Aaron


Re: Kerberos Security Realm

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
I think we need to get Alan to discuss this.  While I'm fairly
familiar with the security plumbing, I'm not too sure how the Kerberos
stuff works.  I can tell you that the server-side flag should be set
to true, since the login module has to run on the Windows client PC
not on the app server.  Also, I suspect the principal classes should
be different -- I would expect the Sun login module to produce
principal classes other than org.apache.geronimo.* (but I'm not sure
what they are).

Thanks,
     Aaron
