1 Reply Latest reply on Dec 30, 2010 2:47 AM by schorsch07

SSO/SPNEGO using 4.2.3GA possible?

schorsch07 Dec 27, 2010 5:15 AM

Hello,

we have an application with ejb3 on the server side and call them from a remote client (Swing). Now we want to login using SSO. What I found is an article http://community.jboss.org/wiki/EJB3AuthenticationWithSPNEGO. This article is based on JBoss 5.x with Negotiation 2.0.4. But we are using a JBoss server 4.2.3GA.

Now I am searching for a way to use SPNEGO with EJB3 and JBoss Server 4.2.3GA. Maybe someone can point me to the right direction to find a documentation for configuring this.

All servlets in the jboss-negotiation-toolkit.war work well. But invoking the EJB example runs into an error. When I was debugging I saw that the NegotiationContext is not initialized correctly.

There is another question left:

The principal name in the loginmodule "host" of this article is "jboss/..." - should this be host oder http or really jboss?

<module-option name="principal">jboss/mmoyses@EXAMPLE.COM</module-option>

Also there is no JBoss Negotiation 2.0.4 Download available - neither on the download page nor in the subversion repository.

1. Re: SSO/SPNEGO using 4.2.3GA possible?

schorsch07 Dec 30, 2010 2:47 AM (in response to schorsch07)

Now I tried the following:

I downloaded the Trunk version of Negotiation. It seems that it is the one that is used in the tutorial (http://community.jboss.org/wiki/EJB3AuthenticationWithSPNEGO).

Somewhere in the documentation it is mentioned that a MBean is required to use the custom SocketFactory. Using SSLSocketFactory is also done this way.

So I created an MBean with interface in the package:

package org.jboss.security.negotiation.spnego.net;

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import javax.naming.InitialContext;

public class SPNEGOServerSocketFactoryService implements
        SPNEGOServerSocketFactoryServiceMBean {
    private String securityDomain = "SPNEGO";
    private String hostDomain = "host"; 
    private SPNEGOServerSocketFactory serverSocketFactory = null;

    public void setSecurityDomain(String securityDomain) {
        this.securityDomain = securityDomain;
    }
    public String getSecurityDomain() {
        return securityDomain;
    }
    public void setHostDomain(String hostDomain) {
        this.hostDomain = hostDomain; 
    }
    public String getHostDomain() {
        return hostDomain;
    }
    public void start() throws Exception {
        if(securityDomain != null){
           serverSocketFactory = new SPNEGOServerSocketFactory(securityDomain, "host" );
        }
        else{
           throw new Exception("Can not create server socket factory due to the SecurityDomain not being set.");
        }
    }
    public void create() throws Exception {
        // NOOP
    }
    public void stop() {
        // NOOP
    }
    public void destroy() {
        // NOOP
    }
    public ServerSocket createServerSocket() throws IOException {
        return serverSocketFactory.createServerSocket();
    }
    public ServerSocket createServerSocket(int i) throws IOException {
        return serverSocketFactory.createServerSocket( i ); 
    }
    public ServerSocket createServerSocket(int i, int i1) throws IOException {
        return serverSocketFactory.createServerSocket( i, i1 ); 
    }
    public ServerSocket createServerSocket(int i, int i1,
            InetAddress inetAddress) throws IOException {
        return serverSocketFactory.createServerSocket( i, i1, inetAddress ); 
    }
}

Then I changed the configuration in ejb3.deployer\META-INF\jboss-service.xml:

<mbean  code="org.jboss.security.negotiation.spnego.net.SPNEGOServerSocketFactoryService"
        name="jboss.remoting:service=ServerSocketFactory,type=SPNEGOSecurityDomainAdvanced"
        display-name="SPNEGO SecurityDomain Server Socket Factory">
    <attribute name="SecurityDomain">SPNEGO</attribute>
</mbean>

<mbean  code="org.jboss.remoting.transport.Connector"
        name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,transport=socket,handler=ejb3"
        display-name="SPNEGO Socket transport Connector">
    <depends>jboss.aop:service=AspectDeployer</depends> 
    <attribute name="InvokerLocator"><![CDATA[socket://${jboss.bind.address}:3873/?loaderport=4873&serverSocketFactory=jboss.remoting:service=ServerSocketFactory,type=SPNEGOSecurityDomainAdvanced]]></attribute> 
    <attribute name="Configuration">
        <handlers>
            <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
        </handlers>
    </attribute>       
</mbean>

Now when I invoke the test.jar form the tutorial I get an error:

08:31:38,817 ERROR [SocketServerInvoker] SocketServerInvoker[192.168.1.10:3873]
 failed to handle socket
 java.io.IOException: java.lang.NegativeArraySizeException        
 at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137)
         at org.jboss.remoting.transport.socket.SocketServerInvoker.run(SocketServerInvoker.java:520)
         at java.lang.Thread.run(Thread.java:619)
 Caused by: java.lang.NegativeArraySizeException
         at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181)
         at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)
         ... 2 more

Maybe someone could tell if it is really necessary to use my own MBean to call the SocketFactory - where and how should I configure it correctly?

Thank you,

Georg