5 Replies Latest reply on Apr 28, 2011 4:27 PM by soverbosch

    Integrating JBoss Negotiation with a seam application

    soverbosch

      Hi All,

       

      I've got the configuration of Windows authentication working and used the toolkit to test it (this took some time because of network configuration issues). So now the next step is to get a Seam-based application working with the setup configured using the toolkit. The first problem I got was that I could not alter the auth-method in the web.xml; this can only contain BASIC, DIGEST, FORM or CLIENT-CERT, so the question is what value I have to put in here (I tried BASIC, which should be correct according to some source on the net). But this didn't even get the Authenticator filter to be activated; at least I didn't see any logging that it was being accessed. The next question is why the Authenticator didn't get involved: is this because the security-constraint part in the web.xml contains <auth-constraint/>? (The toolkit has some roles defined in the web.xml.)

      Another question to ask is whether it is even possible to have the Authenticator in place when a Seam application is developed. Seam has its own filtering in place, so I decided to port the Authenticator to a Seam web filter, and this is working until the first step in the negotiation with the KDC (the NegTokenInit message is sent but it never gets to the NegTokenTarg message). Another thing which worries me is that this filter gets called at least seven times, so the question arises whether this will ever work (probably it will, because when the principal is set I won't do any SPNEGO-related stuff anymore).

       

      The bottom line of this story is whether there is a resource (either a person or an example/tutorial) which describes how to use JBoss Negotiation in conjunction with the Seam security framework. Or is this impossible?

       

      Hoping for a quick reply from the cloud,

       

      Sarris

        • 1. Integrating JBoss Negotiation with a seam application
          anil.saldhana

          You need this to be completed:  https://issues.jboss.org/browse/SEAMSECURITY-17

           

          Seam needs to leverage the end results of the Web Container authentication mechanism.

          • 2. Integrating JBoss Negotiation with a seam application
            soverbosch

            Hi Anil,

             

            True, but it will take some time before this is solved by the community. I'm now trying to write my own filter using the negotiation project as an example, and am at the moment trying to fetch the information which is collected by the login module and put it in the Identity so the Seam framework can use it. It takes some time to get it all to work because I'm not that knowledgeable about the security and filter stuff in the Seam framework. But thanks for your reply.

             

            Br,

             

            Sarris

            • 3. Integrating JBoss Negotiation with a seam application
              soverbosch

              So after some hours of hard work I got it working, at least basically. I am now able to automatically log in a user who is logged on to the domain, and as long as the user goes to the context of the webapp it works; as soon as the user goes to the webapp using a bookmark, it fails.

              So http://jboss.server.com/appcontext will work but http://jboss.server.com/appcontext/pages/other/Main.seam will give the following stack trace, and I am not sure what is causing this. Another issue is that when the user uses http://jboss.server.com/appcontext he/she will always end up at the login page, and if you then use http://jboss.server.com/appcontext/pages/other/Main.seam you will end up on that requested page. So somewhere I am missing something or doing something wrong. Anybody who can help me with this issue?

               

              2011-04-15 17:26:22,041 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/application].[Faces Servlet]] (http-0.0.0.0-8888-4) Servlet.service() for servlet Faces Servlet threw exception
              java.lang.IllegalStateException
                  at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
                  at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:272)
                  at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
                  at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
                  at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
                  at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at com.company.web.framework.SpnegoFilter.doSPNEGOAuthorization(SpnegoFilter.java:137)
                  at com.company.web.framework.SpnegoFilter.doFilter(SpnegoFilter.java:51)
                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                  at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                  at java.lang.Thread.run(Thread.java:662)

              • 4. Integrating JBoss Negotiation with a seam application
                soverbosch

                So to give a little status update on this: I've got it working, at least on Windows XP. Now the customer also uses Windows 7 with IE8, and this combination is failing to work. When debugging, it seems like IE is not handling the WWW-Authenticate error response which is sent to the browser, and I am clueless at the moment as to what is causing this. So if anybody has a pointer in the right direction for me I would be extremely happy!

                • 5. Integrating JBoss Negotiation with a seam application
                  soverbosch

                  So one step closer: after a day of investigation I found that the "Network Security: Configure encryption types allowed for Kerberos" setting, which is reachable through "Local Security Policy" (part of the Administrative Tools of Windows 7), didn't have any value. So I selected the RC4_HMAC_MD5 encryption type, and now the negotiation goes further than the initial WWW-Authenticate: Negotiate step but fails in the third step with, on the server side, the message:

                   

                  java.io.IOException: Unexpected message type
                      at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decodeNegTokenTargSequence(NegTokenTargDecoder.java:111)
                      at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decode(NegTokenTargDecoder.java:126)
                      at org.jboss.security.negotiation.spnego.SPNEGOMessageFactory.createMessage(SPNEGOMessageFactory.java:73)
                      at org.jboss.security.negotiation.DelegatingMessageFactory.createMessage(DelegatingMessageFactory.java:61)
                      at com.raetsmarine.web.framework.SpnegoFilter.doSPNEGOAuthorization(SpnegoFilter.java:130)
                      at com.raetsmarine.web.framework.SpnegoFilter.doFilter(SpnegoFilter.java:61)
                      ....

                   

                  So is there anybody out there who had the same problem and knows the solution?
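
When a hand-written SPNEGO filter fails partway through the Negotiate exchange discussed in this thread, a useful first check is to log which kind of token the browser sent in each `Authorization: Negotiate` header before it is handed to a decoder. The class below is an added example, not part of the original posts or of JBoss Negotiation; the class name `NegotiateTokenSniffer` and the sample tokens are constructed, and it assumes Java 8 or later for `java.util.Base64`.

```java
import java.util.Arrays;
import java.util.Base64;

/** Added diagnostic example: classify the token in "Authorization: Negotiate <base64>". */
public class NegotiateTokenSniffer {
    // DER encoding of OID 1.3.6.1.5.5.2 (SPNEGO)
    private static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    // DER encoding of OID 1.2.840.113554.1.2.2 (Kerberos V5)
    private static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48,
            (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
    // Signature that opens every NTLM message
    private static final byte[] NTLMSSP = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

    static String classify(String header) {
        if (header == null || !header.regionMatches(true, 0, "Negotiate ", 0, 10))
            return "not a Negotiate header";
        byte[] t;
        try {
            t = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return "invalid base64";
        }
        if (t.length < 2) return "token too short";
        if (startsWith(t, 0, NTLMSSP)) return "raw NTLMSSP message (no SPNEGO wrapper)";
        int tag = t[0] & 0xff;
        if (tag == 0xa1) return "NegTokenTarg (context tag [1])";
        if (tag == 0x60) { // GSS-API InitialContextToken: [APPLICATION 0], length, mechanism OID
            int lenByte = t[1] & 0xff;
            int oidAt = 1 + (lenByte < 0x80 ? 1 : 1 + (lenByte & 0x7f)); // skip DER length field
            if (startsWith(t, oidAt, SPNEGO_OID)) return "NegTokenInit (GSS-API wrapped SPNEGO)";
            if (startsWith(t, oidAt, KRB5_OID)) return "raw Kerberos V5 GSS-API token";
            return "GSS-API token for another mechanism";
        }
        return String.format("unknown token (first byte 0x%02x)", tag);
    }

    static boolean startsWith(byte[] t, int off, byte[] prefix) {
        return off + prefix.length <= t.length
                && Arrays.equals(Arrays.copyOfRange(t, off, off + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed, truncated sample tokens; not captured traffic.
        byte[] init = {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, (byte) 0xa0, 0x00};
        byte[] targ = {(byte) 0xa1, 0x04, 0x30, 0x02, (byte) 0xa0, 0x00};
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(init)));
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(targ)));
        System.out.println(classify("Negotiate TlRMTVNTUAABAAAA")); // "NTLMSSP\0" + type 1
    }
}
```

Calling `classify` on the header value at each step of the exchange and logging the result shows whether the token reaching the decoder is the type that decoder expects.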