JBoss Negotiation in Seam Application
t_collins Oct 3, 2012 10:09 PM
Hi All,
Wondering if I can get some help with this one. I'm trying to get Kerberos/SPNEGO authentication working in my Seam app.
Environment:
JBoss AS 5.0.0.GA
JBoss Negotiation 2.0.3 (SP02?) built from source as per https://community.jboss.org/message/142148#142148
JBoss Seam 2.1.0
Java 1.6.0_35
I've got the Negotiation toolkit running successfully with all 3 Servlets returning as they should.
When I try and implement in my Seam App all I get is a nice "HTTP Status 401 - The request requires HTTP Authentication ()."
I've followed the steps as outlined in http://seamframework.org/128602.lace
i.e.
1. configured the web.xml to handle the security
2. added <security:identity jaas-config-name="SPNEGO" /> to components.xml
3. disable the Identity httprequestwrapper <web:identity-filter disabled="true"/>
4. Created the custom Identity component.
I made a couple of minor alterations in web.xml -
1. Instead of bundling all the web-resource-collections together as in the example I've separated the SEAM resource into its own constraint:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SEAM</web-resource-name>
            <url-pattern>*.do</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
2. Added the SPNEGO realm-name to the login config
    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>SPNEGO</realm-name>
    </login-config>
Now when I try to access the app I get the following in the log file:
DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement.createSecurityDomainContext():341] Creating SDC for domain=jboss-web-policy
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.<init>():253] CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@142cc1e
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.setCachePolicy():264] CachePolicy set to: org.jboss.util.TimedCachePolicy@f2b289
DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement.setSecurityDomainCache():473] setCachePolicy, c=org.jboss.util.TimedCachePolicy@f2b289
DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator.authenticate():78] Header - null
DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator.authenticate():82] No Authorization Header, sending 401
DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator.authenticate():78] Header - Negotiate YIIGVQYGKwYBBQUCoIIGSTCCBkWgMDAuBgkqhkiC9xIBAgIGCS.....
INFO [org.jboss.seam.contexts.Contexts.startup():303] starting up: org.jboss.seam.security.ruleBasedPermissionResolver
INFO [org.jboss.seam.drools.RuleBase.compileRuleBase():47] parsing rules: /security.drl
INFO [org.jboss.seam.contexts.Contexts.startup():303] starting up: org.jboss.seam.security.identity
INFO [org.jboss.seam.contexts.Contexts.startup():303] starting up: org.jboss.seam.web.session
DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator.authenticate():103] Creating new NegotiationContext
So it looks like it's at least trying to work? However it won't forward on to the Identity component and I get the "request requires HTTP Authentication ()" message in the browser.
I know the keytab info is correct as I'm using it for the toolkit configuration and like I say all that works fine.
Any ideas?
Cheers,
Tristan
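One check the log above allows, as an added example that is not part of the original post or of JBoss Negotiation: decode the start of the `Negotiate` value logged by NegotiationAuthenticator to see whether the browser sent a SPNEGO token and which mechanisms it offered, or fell back to raw NTLM. The function names are hypothetical; the parser reads only the GSS-API/SPNEGO header and tolerates the truncation seen in the log.

```python
import base64
import re

SPNEGO_OID = "1.3.6.1.5.5.2"  # GSS-API mechanism OID for SPNEGO
def _length(buf, i):
    """Read a DER length at buf[i]; return (length, index just past it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _oid(body):
    """Decode DER OID content bytes to dotted form (first arc 0 or 1 assumed)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header):
    """Return (kind, mech_oids) for an Authorization value such as 'Negotiate YII...'."""
    parts = header.split(None, 1)
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", parts[1]) if len(parts) > 1 else ""
    buf = base64.b64decode(b64[:len(b64) // 4 * 4])  # tolerate log truncation
    if buf.startswith(b"NTLMSSP\x00"):
        return "NTLM", []         # raw NTLM: the client sent no Kerberos ticket
    kind, mechs = "unknown", []
    try:
        _, i = _length(buf, 1)
        if buf[0] != 0x60 or buf[i] != 0x06:   # InitialContextToken, then an OID
            return kind, mechs
        n, i = _length(buf, i + 1)
        if _oid(buf[i:i + n]) != SPNEGO_OID:
            return "GSS-API (not SPNEGO)", mechs
        kind, i = "SPNEGO", i + n
        for tag in (0xA0, 0x30, 0xA0, 0x30):   # NegTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
            if buf[i] != tag:
                return kind, mechs
            n, i = _length(buf, i + 1)
        while buf[i] == 0x06:
            n, j = _length(buf, i + 1)
            if j + n <= len(buf):  # keep only OIDs that are complete in the log
                mechs.append(_oid(buf[j:j + n]))
            i = j + n
    except IndexError:
        pass                      # token cut short; report what was parsed
    return kind, mechs
```

For the truncated header value in the log above this returns `("SPNEGO", ["1.2.840.48018.1.2.2"])`, the legacy Microsoft OID for Kerberos V5, so the client did offer Kerberos inside SPNEGO rather than NTLM.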