0 Replies Latest reply on Sep 12, 2012 3:49 AM by pi4630

    SSO with Kerberos in JBoss-6.0.0.Final

    pi4630

Hi,

I'm trying to enable Kerberos SSO on my JBoss-6.0.0.Final.

To this purpose, I have created the following:

1. a simple web application in JSF
2. the Linux server has a keytab file and is part of MS Active Directory
3. added an application policy (see below, named "SPNEGO") that uses the Kerberos module
4. the JSF contains a JBoss-specific deployment descriptor that refers to the security domain defined at 3.
5. in the JSF's web.xml, I've set the auth-method and the realm-name

I still can access the JSF from a PC without a Kerberos ticket.

Where am I going wrong?

       

web.xml

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Tic Tac Toe</display-name>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <!-- Added by @pb26683 -->
    <login-config>
        <auth-method>CLIENT_CERT</auth-method>
        <realm-name>SPNEGO</realm-name>
    </login-config>
</web-app>
{code}

       

jboss-web.xml

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>
{code}

       

login-config.xml

{code:xml}
<application-policy name="spnego-server">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="keyTab">/etc/develux.keytab</module-option>
            <module-option name="principal">HTTP/develux.prov.bz</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="SPNEGO">
    <!-- SPNEGO is short for Simple and Protected GSSAPI Negotiation Mechanism. See http://en.wikipedia.org/wiki/SPNEGO for details. -->
    <authentication>
        <login-module
            code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
            flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">spnego-server</module-option>
        </login-module>
        <login-module
            code="org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
{code}

I'm thankful for any hint!
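A small descriptor audit, added here as an example and not part of the post or of JBoss: it parses a web.xml and reports the two conditions under which the container never challenges a request, no `<security-constraint>` covering the URL (the case in the posted web.xml, which has none) and an `<auth-method>` that does not select the negotiation authenticator. The expected auth-method is passed as a parameter; `SPNEGO` is assumed here as the name under which JBoss Negotiation registers its authenticator, and both descriptors are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the <login-config> from the post, with no <security-constraint> at all.
ORIGINAL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>CLIENT_CERT</auth-method>
    <realm-name>SPNEGO</realm-name>
  </login-config>
</web-app>"""

# Constructed sample: a constraint over the whole application plus the assumed
# SPNEGO auth-method, so every URL is challenged before the JSF is served.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""


def audit_web_xml(xml_text, expected_auth_method="SPNEGO"):
    """Return findings explaining why a request without a ticket could still be served."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = root.findall("j:security-constraint", NS)
    if not constraints:
        findings.append("no <security-constraint>: the container never challenges any URL")
    for sc in constraints:
        patterns = [p.text for p in sc.iterfind("j:web-resource-collection/j:url-pattern", NS)]
        # A constraint without <auth-constraint> only restricts transport, not identity.
        if sc.find("j:auth-constraint", NS) is None:
            findings.append(f"security-constraint for {patterns} has no <auth-constraint>")
    login = root.find("j:login-config", NS)
    if login is None:
        findings.append("no <login-config>: no authenticator is selected")
    else:
        method = (login.findtext("j:auth-method", default="", namespaces=NS) or "").strip()
        if method != expected_auth_method:
            findings.append(f"auth-method is {method!r}, expected {expected_auth_method!r}")
    return findings


if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit_web_xml(doc) or ["ok"])
```

Run against the posted descriptor it reports the missing constraint and the CLIENT_CERT auth-method; the hardened sample produces no findings.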