1 2 Previous Next 25 Replies Latest reply on Jun 3, 2008 3:03 AM by eric.lvyan

    Negotiate with Kerberos

    cdelashmutt

      I'm working (very slowly :D ) on a plug-in for JBoss AS to allow it to use Silent Authentication against a Kerberos domain. Mainly, I'm doing this to allow browsers supporting SPNEGO to silently authenticate with a web site. It prevents users from having to remember user ids and passwords for internal resources, since it can just pass through their existing Kerberos credentials.

      I just wanted to let anyone interested know that a slight update was made to the wiki detailing some configuration differences between using this plug-in with a JBoss AS server installed via the ZIP file, versus a JBoss AS server installed via the JBoss Installer jar.

      You can view the updated instructions (basically just step 3) at http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos

        • 1. Re: Negotiate with Kerberos
          cougar

          Hi,

          I tried to use your LoginModule but got some trouble with the
          org.jboss.web.tomcat.security.AdvancedWebCallbackHandler
          within jboss-service.xml.

          JBoss 4.0.4 startup runs into an exception.
          As per the description I put all your *.jars into my server lib directory.

          I already tried to put these into a separate security-service.xml in my deploy directory, but without any success...

          Any suggestions?

          20:06:13,671 INFO [ServiceConfigurator] Problem configuring service jboss.security:service=JaasSecurityManager
          org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@6a435f on mbean jboss.security:service=JaasSecurityManager; - nested throwable: (java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler)
          at org.jboss.system.ServiceConfigurator.setAttribute(ServiceConfigurator.java:698)
          at org.jboss.system.ServiceConfigurator.configure(ServiceConfigurator.java:332)
          at org.jboss.system.ServiceConfigurator.internalInstall(ServiceConfigurator.java:460)
          at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:171)
          at org.jboss.system.ServiceController.install(ServiceController.java:226)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
          at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
          at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
          at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
          at $Proxy4.install(Unknown Source)
          at org.jboss.deployment.SARDeployer.create(SARDeployer.java:249)
          at org.jboss.deployment.MainDeployer.create(MainDeployer.java:953)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:807)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:771)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:755)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
          at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
          at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
          at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
          at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
          at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
          at $Proxy5.deploy(Unknown Source)
          at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:477)
          at org.jboss.system.server.ServerImpl.start(ServerImpl.java:357)
          at org.jboss.Main.boot(Main.java:200)
          at org.jboss.Main$1.run(Main.java:464)
          at java.lang.Thread.run(Thread.java:595)
          Caused by: java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler
          at org.jboss.mx.loading.RepositoryClassLoader.loadClassImpl(RepositoryClassLoader.java:527)

          • 2. Re: Negotiate with Kerberos
            starksm64

            The WebCallbackHandler is not the way to get the http request. See:
            http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication

            • 3. Re: Negotiate with Kerberos
              cdelashmutt

              Thanks, Scott! That eliminates the need for replacing the specialized callback handler altogether. I'll try to get that worked in asap.

              • 4. Re: Negotiate with Kerberos
                anil.saldhana

                Does anyone read the Security FAQ?
                http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

                Q13 talks about getting the servlet request.

                • 5. Re: Negotiate with Kerberos
                  cougar


                  "scott.stark@jboss.org" wrote:
                  The WebCallbackHandler is not the way to get the http request. See:
                  http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication


                  Sorry, I am very new at JAAS / JBoss, but which way should I access the authentication within the servlet?

                  All I need is to know that the logged-in system user is a valid user.

                  What about the GSS-API?

                  • 6. Re: Negotiate with Kerberos
                    cdelashmutt

                    At second glance, I think I realized why I didn't use Q13 in http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication.

                    The issue is that SPNEGO is a multi-pass authentication. It is my understanding that it is the job of the callback handler to retrieve user credentials. That is why I put the phase 1 part of authentication into the callback handler. In this phase, I needed access not only to the request, but also the response, so that the callback handler could send a proper response to the browser to have it perform the next phase of the authentication. After the browser handles its phase, I can then handle the final phase in the login module.

                    Perhaps I'm interpreting the role of the callback handler improperly or too strictly?

                    • 7. Re: Negotiate with Kerberos
                      anil.saldhana

                      Does it mean you want a SASL kind of infrastructure wherein the server issues challenges that the client will try to satisfy?


                      |sasl client| -----Here I am -------------> |Sasl Server|

                      |sasl client| <-----Challenge 1 ------------- |Sasl Server|

                      |sasl client| -----Challenge 1 resp-------------> |Sasl Server|

                      |sasl client| <-----Challenge 2------------- |Sasl Server|

                      |sasl client| -----Challenge 2 resp-------------> |Sasl Server|

                      |sasl client| <-----Welcome to Neverland------------- |Sasl Server|


                      • 8. Re: Negotiate with Kerberos
                        cdelashmutt

                        Effectively, that is what SPNEGO does. So does NTLM. Neither protocol is as simple as just getting some credentials and then validating them.

                        The server sends an authorization header. The client responds with a token. That token is validated, wrapped, and sent back to the client. The client returns a final token which can be used to get identifying user attributes.

                        That's why I felt that I needed to take the seemingly strange approach that I took. I'm always interested in hearing about ways to improve what I've done, so please don't stop using a critical eye on this stuff.

                        Thanks!
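
                        The header exchange described in this reply, as an added example that is not part of the thread or of the NegotiateKerberos plug-in: a Python model of the server side that issues the initial Negotiate challenge, classifies the token the browser returns by the GSS-API mechanism OID in its header (the standard SPNEGO and Kerberos OIDs) or by the NTLMSSP signature, and refuses an NTLM fallback unless policy allows it. The sample tokens are constructed, and the function names are assumptions of this example.

```python
"""Server-side model of the HTTP Negotiate (SPNEGO) challenge/response exchange.

Added example; not code from the NegotiateKerberos plug-in or JBoss. The OIDs
and the NTLMSSP signature below are the standard, publicly specified values.
"""
import base64
from typing import Dict, Optional, Tuple

# Mechanism OIDs carried in the GSS-API InitialContextToken header (RFC 2743 / RFC 4178).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER encodings of two of the OIDs above; used here only to build sample tokens.
SPNEGO_OID_DER = bytes.fromhex("2b0601050502")
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")


def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw: bytes) -> str:
    """Turn DER OID content bytes into dotted notation (first byte holds two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(b64token: str) -> str:
    """Classify the base64 token from 'Authorization: Negotiate <token>'.

    Returns 'kerberos', 'spnego', 'spnego-ntlm', 'ntlm', 'unknown' or 'malformed'.
    Only the token header is inspected; validating the token itself is the
    job of the Kerberos acceptor (the login module), not of this function.
    """
    try:
        raw = base64.b64decode(b64token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLMSSP message sent under the Negotiate scheme
    if not raw or raw[0] != 0x60:  # [APPLICATION 0] tag of InitialContextToken
        return "unknown"
    try:
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:  # OBJECT IDENTIFIER tag
            return "unknown"
        oid_len, pos = _der_length(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
    except (IndexError, ValueError):
        return "malformed"
    kind = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos"}.get(oid, "unknown")
    if kind == "spnego" and NTLMSSP_SIGNATURE in raw:
        # Heuristic: a NegTokenInit whose mechToken is NTLMSSP, i.e. NTLM fallback inside SPNEGO.
        return "spnego-ntlm"
    return kind


def negotiate_step(authorization: Optional[str], allow_ntlm: bool = False
                   ) -> Tuple[str, Optional[int], Dict[str, str]]:
    """One server step of the exchange: (action, HTTP status, response headers).

    'challenge'    - first round trip: 401 with 'WWW-Authenticate: Negotiate'.
    'reject'       - bad or disallowed token; no fresh challenge is issued,
                     since re-sending 'Negotiate' would only loop the browser.
    'accept-token' - hand the token to the Kerberos acceptor, which sets the
                     final status and any wrapped token for the browser's last round.
    """
    if authorization is None:
        return "challenge", 401, {"WWW-Authenticate": "Negotiate"}
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "reject", 400, {}
    kind = classify_negotiate_token(token.strip())
    if kind in ("malformed", "unknown"):
        return "reject", 400, {}
    if kind in ("ntlm", "spnego-ntlm") and not allow_ntlm:
        return "reject", 401, {}
    return "accept-token", None, {}


def build_gss_token(oid_der: bytes, inner: bytes) -> bytes:
    """Wrap inner bytes in a GSS-API InitialContextToken header (sample construction only)."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return b"\x60" + length + body


# Constructed sample tokens, not captured from a real browser.
SAMPLE_KERBEROS = base64.b64encode(build_gss_token(KRB5_OID_DER, b"\x01\x00" + b"\x00" * 200)).decode()
SAMPLE_SPNEGO_NTLM = base64.b64encode(
    build_gss_token(SPNEGO_OID_DER, b"\xa0\x14" + NTLMSSP_SIGNATURE + b"\x01" + b"\x00" * 11)).decode()
SAMPLE_RAW_NTLM = base64.b64encode(NTLMSSP_SIGNATURE + b"\x01" + b"\x00" * 31).decode()

if __name__ == "__main__":
    print(negotiate_step(None))
    for sample in (SAMPLE_KERBEROS, SAMPLE_SPNEGO_NTLM, SAMPLE_RAW_NTLM):
        print(classify_negotiate_token(sample), negotiate_step("Negotiate " + sample))
```

                        The point of the classifier is the check a deployment of this plug-in would want before trusting the handshake: a Kerberos token begins, after base64, with "YII" and carries the Kerberos or SPNEGO OID, whereas an NTLM fallback is recognisable by the NTLMSSP signature, so the server can log which mechanism the browser actually used and refuse the weaker one by policy.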

                        • 9. Re: Negotiate with Kerberos
                          starksm64

                          The authentication layer does need to support a challenge response handshake of messages. As Anil will tell you I want to be able to use SRP in the web tier and it also requires a handshake. This is not really much different than basic auth sending a 401 challenge to force an authorization header.

                          • 10. Re: Negotiate with Kerberos
                            anil.saldhana

                            JSR-196 has support for a challenge-response handshake. There is a public draft feedback phase going on now.

                            • 11. Re: Negotiate with Kerberos
                              johnsoncfchong


                              I am a beginner in using JBOSS AS. I have a similar single sign-on requirement with the following configuration.

                              J2EE: Apache + mod_jk (Windows 2003) + JBOSS AS 4.0.4 (Windows 2003) without joining domain

                              Active Directory for authentication

                              After the users login to the domain, our web application can authenticate them silently. Is the following solution the right way to go?

                              http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos


                              Johnson

                              • 12. Re: Negotiate with Kerberos
                                cdelashmutt

                                The silent authentication part is what that plug in is addressing. There are some changes that need to be made to the code as it currently is relying on some classes in the tomcat jars, and I also need to write up some instructions for including other login modules for getting groups.

                                If you didn't need silent authentication, then you could use the straight LDAP login modules to authenticate with Active Directory.

                                • 13. Re: Negotiate with Kerberos
                                  ramesh4u

                                  Please help me........


                                  I have a Windows network (Samba domain controller, which in turn uses the flat file system for its datastore). I wanted my J2EE web application to authenticate using NegotiateKerberos, so I followed the http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to set up your test application, but it is not working. When I request index.html, I get [org.jboss.web.tomcat.security.HttpServletRequestResponseValve] Realm returned: null in the JBoss server.log....



                                  I have done the following configuration:

                                  Windows network domain name is LK
                                  Samba domain controller ip 192.168.1.7


                                  /conf/login-config.xml

                                  <!-- SPNEGO test -->
                                  <application-policy name = "SPNEGO">

                                  <login-module code="org.jboss.security.auth.NegotiateLoginModule"
                                  flag = "required">
                                  <module-option name="loadBalance">false</module-option>
                                  <module-option name="domainController">192.168.1.7</module-option>
                                  <module-option name="defaultDomain">LK</module-option>
                                  </login-module>

                                  </application-policy>

                                  /WEB-INF/web.xml

                                  <login-config>
                                  <auth-method>Negotiate</auth-method>
                                  <realm-name>SPNEGO</realm-name>
                                  </login-config>
                                  <security-role>
                                  <role-name>LK</role-name>
                                  </security-role>


                                  WEB-INF/jboss-web.xml


                                  <jboss-web>
                                  <security-domain>java:/jaas/SPNEGO</security-domain>
                                  </jboss-web>


                                  Thanks!


                                  • 14. Re: Negotiate with Kerberos
                                    ramesh4u

                                    I have a Windows network (Samba domain controller, which in turn uses the flat file system for its datastore). I wanted my J2EE web application to authenticate using NegotiateKerberos, so I followed the http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to set up the test application. But I suppose the
                                    NTLM handshake is not happening, so I think there is some problem in my configuration settings. Basically, the handle method inside "AdvancedWebCallbackHandler.java" is not getting called.
                                    When I start JBoss I see the following log line, which suggests the CallbackHandler is configured properly, but it is not getting called.

                                    DEBUG [ServiceConfigurator] CallbackHandlerClassName set to org.jboss.web.tomcat.security.AdvancedWebCallbackHandler in jboss.security:service=JaasSecurityManager


                                    Thanks
                                    Ramesh S
                                    Can someone please suggest what may be the problem? I am pasting all the configuration settings below.

                                    My configuration setup is as follows:

                                    Windows network domain name is LK
                                    Samba domain controller ip 192.168.1.7



                                    /conf/jboss-service.xml

                                    <!-- JAAS security manager and realm mapping -->

                                    <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager">
                                    <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
                                    <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
                                    <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
                                    <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
                                    in seconds.
                                    If you want to disable caching of security credentials, set this to 0 to
                                    force authentication to occur every time. This has no effect if the
                                    AuthenticationCacheJndiName has been changed from the default value.
                                    -->
                                    <attribute name="DefaultCacheTimeout">1800</attribute>
                                    <!-- DefaultCacheResolution: Specifies the default timed cache policy
                                    resolution in seconds. This controls the interval at which the cache
                                    current timestamp is updated and should be less than the DefaultCacheTimeout
                                    in order for the timeout to be meaningful. This has no effect if the
                                    AuthenticationCacheJndiName has been changed from the default value.
                                    -->
                                    <attribute name="DefaultCacheResolution">60</attribute>
                                    </mbean>


                                    /conf/login-config.xml

                                    <!-- SPNEGO test -->
                                    <application-policy name = "SPNEGO">

                                    <login-module code="org.jboss.security.auth.NegotiateLoginModule" flag = "required">
                                    <module-option name="loadBalance">false</module-option>
                                    <module-option name="domainController">192.168.1.7</module-option>
                                    <module-option name="defaultDomain">LK</module-option>
                                    </login-module>

                                    </application-policy>

                                    /WEB-INF/web.xml

                                    <login-config>
                                    <auth-method>Negotiate</auth-method>
                                    <realm-name>SPNEGO</realm-name>
                                    </login-config>
                                    <security-role>
                                    <role-name>LK</role-name>
                                    </security-role>


                                    WEB-INF/jboss-web.xml


                                    <jboss-web>
                                    <security-domain>java:/jaas/SPNEGO</security-domain>
                                    </jboss-web>

                                    WEB-INF/context.xml

                                    <Context>
                                    <Valve className="org.jboss.web.tomcat.security.HttpServletRequestResponseValve"/>
                                    </Context>

