6 Replies Latest reply on Jul 7, 2011 2:35 AM by xplace

    IdentityStore and Kerberos

    dklogica

      Hi there,


      I intend to use Kerberos in my Seam application. Is there an example or best practice regarding the realization of an IdentityStore using Kerberos authentication?


      Thx in advance!


      Daniel

        • 1. Re: IdentityStore and Kerberos
          magix
          • 2. Re: IdentityStore and Kerberos
            coenos

            You can also integrate JCIFS with Kerberos into Seam.


            Using the Identity's Principal to verify against the Kerberos server.


            Get JCIFS-krb5 here or use Maven to download the jar.


            See the KerberosAuthExample.java for an example implementation.


            Cheers,
            Coenos

            • 3. Re: IdentityStore and Kerberos
              digit0815

              Hi there,


              As using JCIFS requires a password to be typed in:


              does anyone know a solution for a 'real' SSO, which does not require entering login credentials, but uses e.g. Internet Explorer to negotiate?


              We are using Seam 2.01, AS 5.01, and have properly installed JBoss security-negotiation (2.0.1 GA).
              The samples of security-negotiation run perfectly, but we didn't find a way to integrate with Seam so far....


              thanks and cheers,
              ingo

              • 4. Re: IdentityStore and Kerberos
                coenos

                With JCIFS you don't need to put in a password. You can configure Seam's authenticator to autoLogin a user.



                import jcifs.smb.NtlmPasswordAuthentication;
                import org.jboss.seam.annotations.In;
                import org.jboss.seam.annotations.Logger;
                import org.jboss.seam.annotations.Name;
                import org.jboss.seam.contexts.Context;
                import org.jboss.seam.faces.FacesMessages;
                import org.jboss.seam.faces.Redirect;
                import org.jboss.seam.log.Log;
                import org.jboss.seam.security.Credentials;
                import org.jboss.seam.security.Identity;

                @Name("authenticator")
                public class Authenticator {
                    @Logger
                    Log log;

                    @In
                    Identity identity;
                    @In
                    Credentials credentials;
                    @In
                    Context sessionContext;

                    public boolean autoLogin2() {
                        return this.authenticate();
                    }

                    public boolean autoLogin() {
                        // Trying auto-login: NtlmHttpFilter stores the negotiated
                        // credentials in the session under "NtlmHttpAuth"
                        Object autoLogin = sessionContext.get("NtlmHttpAuth");
                        boolean isAuthenticated = false;
                        if (autoLogin != null
                                && (autoLogin instanceof NtlmPasswordAuthentication)) {
                            try {
                                // This will trigger a call of Authenticator.authenticate() (see below)
                                identity.authenticate();
                                isAuthenticated = true;
                            } catch (Exception e) {
                                log.info(String.format("Autologin failed: %s", e.getMessage()));
                            }
                        }

                        return isAuthenticated;
                    }

                    public void ssoRedirect() throws Exception {
                        if (identity.isLoggedIn()) {
                            log.debug(String.format("ssoRedirect: user %s is logged in",
                                    identity.getPrincipal().getName()));
                            FacesMessages.instance().clear(); // clear the regular Seam messages
                            Redirect.instance().returnToCapturedView(); // return to the captured view
                        }
                    }

                    public boolean authenticate2() {
                        identity.addRole("admin");
                        identity.isLoggedIn(true);
                        return true;
                    }

                    public boolean authenticate() {
                        // TODO: Differentiate between form-based / prompted login and automatic
                        // login - is that even possible?
                        Object autoLogin = sessionContext.get("NtlmHttpAuth");
                        boolean isAuthenticated = false;
                        if (autoLogin != null
                                && (autoLogin instanceof NtlmPasswordAuthentication)) {
                            NtlmPasswordAuthentication ntlm = (NtlmPasswordAuthentication) autoLogin;
                            String username = ntlm.getUsername();
                            isAuthenticated = username != null && username.length() != 0;
                            if (isAuthenticated) {
                                log.info(String.format("Authenticated: %s", username));
                                identity.getCredentials().setUsername(username);
                                // The filter already verified the user; Seam only needs a username
                                identity.getCredentials().setPassword("nonsense");

                                //isAuthenticated = umbrellaSecurityManager.userIsKnown(username);

                                if (isAuthenticated) {
                                    identity.addRole("admin");
                                }
                            }
                        }
                        return isAuthenticated;
                    }
                }





                Set the JCIFS NtlmFilter.





                <filter>
                    <filter-name>NtlmHttpFilter</filter-name>
                    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
                    <init-param>
                        <param-name>jcifs.http.domainController</param-name>
                        <param-value>127.0.0.7</param-value>
                    </init-param>
                    <init-param>
                        <param-name>jcifs.smb.client.domain</param-name>
                        <param-value>MYDOMAIN</param-value>
                    </init-param>
                    <init-param>
                        <param-name>jcifs.smb.lmCompatibility</param-name>
                        <param-value>3</param-value>
                    </init-param>
                    <init-param>
                        <param-name>jcifs.util.loglevel</param-name>
                        <param-value>2</param-value>
                    </init-param>
                </filter>
                <filter-mapping>
                    <filter-name>NtlmHttpFilter</filter-name>
                    <url-pattern>/*</url-pattern>
                </filter-mapping>
                






                Etc etc..


                If you need more info, let me know,
                Coen

                • 5. Re: IdentityStore and Kerberos

                  Hi there,


                  The example above uses NTLM authentication. Are there any examples of Kerberos authentication using the JCIFS library that do not require the user to enter the password?


                  Cheers,


                  Ivan

                  • 6. Re: IdentityStore and Kerberos
                    xplace

                    Need seam demo application with kerberos SSO
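An added example for the password-less Kerberos case raised in replies 3, 5 and 6 (this is not code from the thread, from Seam or from JCIFS): a Seam authenticator that relies on the container (for instance the JBoss security-negotiation module mentioned above) having already completed SPNEGO/Kerberos with the browser and exposing the result as the request's user principal and roles. The realm name, the role map and the class name are constructed placeholders; unlike the NTLM authenticator in reply 4, it does not hand "admin" to every authenticated user.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
// Seam authenticator that trusts a principal the container already established
// (e.g. JBoss security-negotiation finishing SPNEGO/Kerberos with the browser).
@Name("authenticator")
public class NegotiateAuthenticator {
    @Logger Log log;
    @In Identity identity;

    // Assumed realm and container-role -> Seam-role map (constructed values).
    private static final String EXPECTED_REALM = "MYDOMAIN.LOCAL";
    private static final Map<String, String> ROLE_MAP = new LinkedHashMap<String, String>();
    static {
        ROLE_MAP.put("AppUsers", "user");
        ROLE_MAP.put("AppAdmins", "admin");
    }
    public boolean authenticate() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        Principal p = ext.getUserPrincipal();
        if (p == null || p.getName() == null || p.getName().length() == 0) {
            log.info("No container-authenticated principal; Negotiate did not complete");
            return false; // Seam falls through to the regular login page
        }
        String name = p.getName();
        // Kerberos principals are user@REALM: refuse tickets from a foreign realm
        int at = name.indexOf('@');
        if (at > 0 && !EXPECTED_REALM.equalsIgnoreCase(name.substring(at + 1))) {
            log.warn(String.format("Rejecting principal %s: unexpected realm", name));
            return false;
        }
        identity.getCredentials().setUsername(name);
        boolean granted = false;
        // Map container roles explicitly instead of handing every SSO user "admin"
        for (Map.Entry<String, String> e : ROLE_MAP.entrySet()) {
            if (!ext.isUserInRole(e.getKey())) continue;
            identity.addRole(e.getValue());
            granted = true;
        }
        if (!granted) log.warn(String.format("Principal %s has no mapped role", name));
        return granted; // no mapped role means no login
    }
}
```

The container must be configured to require Negotiate on the protected URLs before this authenticator runs; otherwise getUserPrincipal() is null and the user simply sees the login form.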