-
1. Re: Negotiate with Kerberos
cougar Aug 21, 2006 2:14 PM (in response to cdelashmutt)
Hi,
I tried to use your LoginModule but got some trouble with the
org.jboss.web.tomcat.security.AdvancedWebCallbackHandler
within jboss-service.xml.
JBoss 4.0.4 start runs into an exception.
As per description I put all your *.jar's into my server lib directory.
I already tried to put these into a separate security-service.xml in my deploy directory but without any success...
Any suggestions?
20:06:13,671 INFO [ServiceConfigurator] Problem configuring service jboss.security:service=JaasSecurityManager
org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@6a435f on mbean jboss.security:service=JaasSecurityManager; - nested throwable: (java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler)
at org.jboss.system.ServiceConfigurator.setAttribute(ServiceConfigurator.java:698)
at org.jboss.system.ServiceConfigurator.configure(ServiceConfigurator.java:332)
at org.jboss.system.ServiceConfigurator.internalInstall(ServiceConfigurator.java:460)
at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:171)
at org.jboss.system.ServiceController.install(ServiceController.java:226)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
at $Proxy4.install(Unknown Source)
at org.jboss.deployment.SARDeployer.create(SARDeployer.java:249)
at org.jboss.deployment.MainDeployer.create(MainDeployer.java:953)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:807)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:771)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:755)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
at $Proxy5.deploy(Unknown Source)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:477)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:357)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:464)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler
at org.jboss.mx.loading.RepositoryClassLoader.loadClassImpl(RepositoryClassLoader.java:527)
-
2. Re: Negotiate with Kerberos
starksm64 Aug 22, 2006 4:32 PM (in response to cdelashmutt)
The WebCallbackHandler is not the way to get the http request. See:
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication
-
3. Re: Negotiate with Kerberos
cdelashmutt Aug 22, 2006 4:37 PM (in response to cdelashmutt)
Thanks, Scott! That eliminates the need for replacing the specialized callback handler altogether. I'll try to get that worked in asap.
-
4. Re: Negotiate with Kerberos
anil.saldhana Aug 22, 2006 4:44 PM (in response to cdelashmutt)
Does anyone read the Security FAQ?
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ
Q13 talks of getting the servlet request.
-
5. Re: Negotiate with Kerberos
cougar Aug 22, 2006 5:01 PM (in response to cdelashmutt)
"scott.stark@jboss.org" wrote:
The WebCallbackHandler is not the way to get the http request. See:
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication
Sorry, I am very new at JAAS / JBoss, but which way should I access the authentication within the servlet?
All I need is to know that the logged in system user is a valid user.
What about the GSS-API?
-
6. Re: Negotiate with Kerberos
cdelashmutt Aug 24, 2006 4:07 PM (in response to cdelashmutt)
At second glance, I think I realized why I didn't use Q13 in http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication.
The issue is that SPNEGO is a multi-pass authentication. It is my understanding that it is the job of the callback handler to retrieve user credentials. That is why I put the phase 1 part of authentication into the callback handler. In this phase, I needed access not only to the request, but also the response, so that the callback handler could send a proper response to the browser to have it perform the next phase of the authentication. After the browser handles its phase, I then can handle the final phase in the login module.
Perhaps I'm interpreting the role of the callback handler improperly or too strictly?
-
7. Re: Negotiate with Kerberos
anil.saldhana Aug 24, 2006 4:28 PM (in response to cdelashmutt)
Does it mean you want SASL kind of infrastructure wherein the server issues challenges that the client will try to satisfy?
|sasl client| -----Here I am -------------> |Sasl Server|
|sasl client| <-----Challenge 1 ------------- |Sasl Server|
|sasl client| -----Challenge 1 resp-------------> |Sasl Server|
|sasl client| <-----Challenge 2------------- |Sasl Server|
|sasl client| -----Challenge 2 resp-------------> |Sasl Server|
|sasl client| <-----Welcome to Neverland------------- |Sasl Server|
-
8. Re: Negotiate with Kerberos
cdelashmutt Aug 24, 2006 5:00 PM (in response to cdelashmutt)
Effectively, that is what SPNEGO does. So does NTLM. Neither protocol is as simple as just getting some credentials, and then validating them.
The server sends an authorization header. The client responds with a token. That token is validated, wrapped, and sent back to the client. The client returns a final token which can be used to get identifying user attributes.
That's why I felt that I needed to take the seemingly strange approach that I took. I'm always interested in hearing about ways to improve what I've done, so please don't stop using a critical eye on this stuff.
Thanks!
-
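A model of the multi-round exchange described in posts 6 and 8 above, as an added example that is not part of the original thread or of the plug-in's code. A toy HMAC challenge/response stands in for the GSS-API/Kerberos tokens (the key, class names and function names are all constructed assumptions), and the server side is split the way cdelashmutt describes it: phase 1 issues the challenge on a 401 response and parks per-connection state, the final phase validates the last token and yields the principal. It also covers the two failure cases a defender wants handled: a client holding the wrong key, and a replayed final token.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key. In real SPNEGO this role is played by the service's
# Kerberos key, and the tokens are GSS-API tokens, not this toy HMAC scheme.
DEMO_KEY = b"constructed-demo-service-key"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


class ToyClient:
    """Browser side: answers each 'WWW-Authenticate: Negotiate' challenge."""

    def __init__(self, user: str, key: bytes):
        self.user = user.encode()
        self.key = key
        self.nonce = os.urandom(8)

    def initial_token(self) -> str:
        # Round 1: announce who we are plus a fresh client nonce.
        return _b64(b"INIT:" + self.user + b":" + self.nonce)

    def respond(self, challenge_token: str) -> str:
        # Round 2: prove possession of the key over both nonces.
        tag, server_nonce = _unb64(challenge_token).split(b":", 1)
        assert tag == b"CHAL"
        mac = hmac.new(self.key, self.user + self.nonce + server_nonce, hashlib.sha256).digest()
        return _b64(b"RESP:" + self.user + b":" + mac)


class ToyServer:
    """Server side. Phase 1 (the callback handler's job in the thread) needs the
    response object to carry the challenge; the final phase (the login module's
    job) only needs the last token plus the parked state."""

    CHALLENGE = {"WWW-Authenticate": "Negotiate"}

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # connection id -> (user, client_nonce, server_nonce)

    def handle(self, conn_id: str, headers: dict):
        """Return (HTTP status, response headers, authenticated principal or None)."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            # No token yet: bare 401 challenge, like Basic auth forcing an Authorization header.
            return 401, dict(self.CHALLENGE), None
        try:
            token = _unb64(auth[len("Negotiate "):])
        except ValueError:  # malformed base64: treat as unauthenticated
            return 401, dict(self.CHALLENGE), None

        if token.startswith(b"INIT:"):
            _, user, client_nonce = token.split(b":", 2)
            server_nonce = os.urandom(8)
            self.pending[conn_id] = (user, client_nonce, server_nonce)
            # Continue the handshake: the challenge rides on another 401.
            return 401, {"WWW-Authenticate": "Negotiate " + _b64(b"CHAL:" + server_nonce)}, None

        if token.startswith(b"RESP:"):
            state = self.pending.pop(conn_id, None)  # one-shot state: a replayed RESP finds nothing
            if state is not None:
                user, client_nonce, server_nonce = state
                _, claimed_user, mac = token.split(b":", 2)
                expected = hmac.new(self.key, user + client_nonce + server_nonce, hashlib.sha256).digest()
                if claimed_user == user and hmac.compare_digest(mac, expected):
                    return 200, {}, user.decode()
        return 401, dict(self.CHALLENGE), None


def run_handshake(user: str, client_key: bytes, server_key: bytes = DEMO_KEY):
    """Drive both sides over one logical connection; return the status sequence
    and the principal the server ended up with (None if authentication failed)."""
    client, server = ToyClient(user, client_key), ToyServer(server_key)
    statuses = []
    status, resp, principal = server.handle("conn-1", {})  # request 1: anonymous
    statuses.append(status)
    status, resp, principal = server.handle(
        "conn-1", {"Authorization": "Negotiate " + client.initial_token()})  # request 2
    statuses.append(status)
    challenge = resp.get("WWW-Authenticate", "")
    if challenge.startswith("Negotiate "):  # request 3: answer the server's challenge
        answer = client.respond(challenge[len("Negotiate "):])
        status, resp, principal = server.handle("conn-1", {"Authorization": "Negotiate " + answer})
        statuses.append(status)
    return statuses, principal


if __name__ == "__main__":
    print(run_handshake("alice", DEMO_KEY))       # ([401, 401, 200], 'alice')
    print(run_handshake("alice", b"wrong-key"))   # ([401, 401, 401], None)
```

The per-connection `pending` table is the piece that a plain "collect credentials, then validate" login module has no place for, which is the point cdelashmutt is making: something on the server has to hold state between the 401 that carries the challenge and the request that answers it, and it has to be able to write that challenge into the response.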
9. Re: Negotiate with Kerberos
starksm64 Aug 25, 2006 2:16 AM (in response to cdelashmutt)
The authentication layer does need to support a challenge response handshake of messages. As Anil will tell you I want to be able to use SRP in the web tier and it also requires a handshake. This is not really much different than basic auth sending a 401 challenge to force an authorization header.
-
10. Re: Negotiate with Kerberos
anil.saldhana Aug 25, 2006 10:39 AM (in response to cdelashmutt)
JSR-196 has support for challenge-response handshake. There is a public draft feedback phase going on now.
-
11. Re: Negotiate with Kerberos
johnsoncfchong Sep 28, 2006 3:14 AM (in response to cdelashmutt)
I am a beginner in using JBOSS AS. I have a similar single sign-on requirement with the following configuration.
J2EE: Apache + mod_jk (Windows 2003) + JBOSS AS 4.0.4 (Windows 2003) without joining domain
Active Directory for authentication
After the users login to the domain, our web application can authenticate them silently. Is the following solution the right way to go?
http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos
Johnson
-
12. Re: Negotiate with Kerberos
cdelashmutt Sep 28, 2006 9:56 AM (in response to cdelashmutt)
The silent authentication part is what that plug-in is addressing. There are some changes that need to be made to the code as it currently is relying on some classes in the Tomcat jars, and I also need to write up some instructions for including other login modules for getting groups.
If you didn't need silent authentication, then you could use the straight LDAP login modules to authenticate with Active Directory.
-
13. Re: Negotiate with Kerberos
ramesh4u Oct 20, 2006 4:27 AM (in response to cdelashmutt)
Please help me...
I have a Windows network (Samba domain controller which in turn uses the flat file system for datastore). I wanted my J2EE web application to authenticate using NegotiateKerberos, so I followed the http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to set up your test application but it is not working. When I request the index.html, I get [org.jboss.web.tomcat.security.HttpServletRequestResponseValve] Realm returned: null in the JBoss server.log...
Following configurations I have done:
Windows network domain name is LK
Samba domain controller ip 192.168.1.7
/conf/login-config.xml
<!-- SPNEGO test -->
<application-policy name = "SPNEGO">
<login-module code="org.jboss.security.auth.NegotiateLoginModule"
flag = "required">
<module-option name="loadBalance">false</module-option>
<module-option name="domainController">192.168.1.7</module-option>
<module-option name="defaultDomain">LK</module-option>
</login-module>
</application-policy>
/WEB-INF/web.xml
<login-config>
<auth-method>Negotiate</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
<role-name>LK</role-name>
</security-role>
WEB-INF/jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>
Thanks!
-
14. Re: Negotiate with Kerberos
ramesh4u Nov 2, 2006 6:25 AM (in response to cdelashmutt)
I have a Windows network (Samba domain controller which in turn uses the flat file system for datastore). I wanted my J2EE web application to authenticate using NegotiateKerberos, so I followed the http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to set up the test application. But I suppose
the NTLM handshake is not happening, so I think there is some problem in my configuration settings. Basically the handle method inside "AdvancedWebCallbackHandler.java" is not getting called.
When I start JBoss I see the following logs which suggest the CallbackHandler is configured properly but it is not getting called.
DEBUG [ServiceConfigurator] CallbackHandlerClassName set to org.jboss.web.tomcat.security.AdvancedWebCallbackHandler in jboss.security:service=JaasSecurityManager
Thanks
Ramesh S
Can someone please suggest what may be the problem? I am pasting all the configuration settings below.
My configuration setup as follows:
Windows network domain name is LK
Samba domain controller ip 192.168.1.7
/conf/jboss-service.xml
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager">
<attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
<attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
<attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
<!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
in seconds.
If you want to disable caching of security credentials, set this to 0 to
force authentication to occur every time. This has no effect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheTimeout">1800</attribute>
<!-- DefaultCacheResolution: Specifies the default timed cache policy
resolution in seconds. This controls the interval at which the cache
current timestamp is updated and should be less than the DefaultCacheTimeout
in order for the timeout to be meaningful. This has no effect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheResolution">60</attribute>
</mbean>
/conf/login-config.xml
<!-- SPNEGO test -->
<application-policy name = "SPNEGO">
<login-module code="org.jboss.security.auth.NegotiateLoginModule" flag = "required">
<module-option name="loadBalance">false</module-option>
<module-option name="domainController">192.168.1.7</module-option>
<module-option name="defaultDomain">LK</module-option>
</login-module>
</application-policy>
/WEB-INF/web.xml
<login-config>
<auth-method>Negotiate</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
<role-name>LK</role-name>
</security-role>
WEB-INF/jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>
WEB-INF/context.xml
<Context>
<Valve className="org.jboss.web.tomcat.security.HttpServletRequestResponseValve"/>
</Context>