-
1. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 21, 2013 10:23 AM (in response to jdurant)The JBoss standalone.xml, if it could help:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="sufficient">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/testserver@SSO.TEST"/>
            <module-option name="keyTab" value="/sso/testserver.http.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="defaultRole" value="Users"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="defaultRole" value="Users"/>
            <module-option name="debug" value="true"/>
        </login-module>
        <login-module code="LdapExtended" flag="sufficient">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://X.X.X.X:389"/>
            <module-option name="bindDN" value="cn=testsso,ou=myou,dc=sso,dc=test"/>
            <module-option name="bindCredential" value="******"/>
            <module-option name="baseCtxDN" value="ou=myou,dc=sso,dc=test"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="ou=myou,dc=sso,dc=test"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="Context.REFERRAL" value="follow"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <!-- Note: allowEmptyPasswords is set twice; the later value ("true") is the one
                 that takes effect, which lets an empty password bind anonymously to the LDAP
                 server. Keep only the "false" entry unless anonymous binds are intended. -->
            <module-option name="allowEmptyPasswords" value="true"/>
            <module-option name="defaultRole" value="Users"/>
        </login-module>
    </authentication>
</security-domain>
-
2. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 21, 2013 12:33 PM (in response to jdurant)I have more information:
I think I have to accept that Kerberos authentication works only with domain names, not IP addresses.
For my second question, I performed a new test. When I access the application from a computer logged in to another AD domain, I also get an HTTP 401 error. So I guess that if authentication can't be done, I get the login form, but when authentication fails (IP address, or bad Kerberos token) I get a 401 error. Is there a way to get the login form instead?
-
3. Re: SPNEGO : Accessing JBoss Server by IP address
dlofthouse Mar 21, 2013 12:44 PM (in response to jdurant)No, at the moment the reason you are getting an HTTP 401 response is because your web browser is attempting to use NTLM authentication, which is not supported. I would suggest raising a feature request for us to consider a subsequent fallback if an NTLM response is received.
-
4. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 21, 2013 1:01 PM (in response to dlofthouse)OK, I'll do it, but you mean I get this error because of a bad configuration of my browser. I tried it both with Firefox and IE, and I get the same issue trying to access by IP address, or by name from another domain.
What should I do?
-
5. Re: SPNEGO : Accessing JBoss Server by IP address
dlofthouse Mar 21, 2013 1:05 PM (in response to jdurant)There is nothing we can do about access by IP address, that is handled by the KDC.
The only part we may be able to work around is if an NTLM response is received: we may be able to send the FORM to the client, although there is still a risk the client will be prompted for their username and password twice.
-
6. Re: SPNEGO : Accessing JBoss Server by IP address
rodakr Mar 21, 2013 4:20 PM (in response to jdurant)If impossible (please not), why am I not redirected to the "emergency" LDAP login Module ?
Because your WEB application is probably configured for SPNEGO authentication... and not for something else.
If you would like to have LDAP you could use just BASIC in web.xml, but then you will not have SPNEGO.
-
7. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 22, 2013 11:36 AM (in response to dlofthouse)Could you help me implement the feature? What should I do to send the login form once the unsupported negotiation mechanism is detected in the SPNEGOLoginModule?
-
8. Re: SPNEGO : Accessing JBoss Server by IP address
rodakr Mar 23, 2013 6:04 PM (in response to jdurant)You could write a custom valve which does it. Or simply use a FilterServlet which redirects to the login form, and so on.
-
9. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 25, 2013 5:08 AM (in response to rodakr)OK,
If I redirect to the login form, how can I give the URL to redirect to after successful login?
I'll test with a FilterServlet, but I have to check whether the HttpServletResponse object contains a 401 HTTP error. How?
-
10. Re: SPNEGO : Accessing JBoss Server by IP address
rodakr Mar 25, 2013 7:11 AM (in response to jdurant)Take a look at the example web app from Darran :-)
https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7
-
11. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 25, 2013 9:34 AM (in response to rodakr)Hum... I don't think there is a solution for my problem there...
Negotiation works well in common configurations, but there are two use cases still to improve:
-> Connection with an IP address in the URL: I wrote a filter according to your advice which rewrites the URL, replacing the IP by the hostname.
-> Connection from a computer of another domain: no solution for the moment.
These two cases result in an 'Unsupported mechanism NTLM'. I wrote a feature request, but I need to find a solution quickly. While waiting for this feature, I think I could use the fallback login module (LDAP) with a login form for another domain's users. The fallback works perfectly for non-domain users. I don't understand why the browser attempts to use NTLM while the browser can use SPNEGO and it's only a wrong token (from another domain).
So, I was thinking your idea (Servlet Filter) would permit me to catch the 401 error and to redirect the browser to the login form, instead of displaying the HTTP error. But the two questions I can't answer are:
- how to catch the 401 error? Using HttpServletResponse?
- If I redirect to the login form, how to specify which URL the user will be redirected to after successful login? That seems to be impossible to specify.
Any idea?
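One way to handle the two cases listed above in the place rodakr suggested (a custom valve rather than a servlet filter, because JBoss Web runs context valves before the authenticator that emits the 401, whereas filters only run after authentication has passed). This is an added example, not code from the thread or from JBoss Negotiation; the class name, the canonical hostname, the login page path, the `originalUrl` session attribute and the valve ordering are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Runs ahead of the SPNEGO authenticator (assumption: registered as a context valve
 *  in jboss-web.xml) and handles the two cases the thread describes: a URL addressed
 *  by IP (no Kerberos ticket can be issued for it) and a browser that answered the
 *  Negotiate challenge with NTLM, which JBoss Negotiation rejects with a bare 401. */
public class SpnegoFallbackValve extends ValveBase {
    // "NTLMSSP\0" base64-encoded: the fixed signature at the start of every NTLM message.
    private static final String NTLM_B64_PREFIX = "TlRMTVNTUAA";
    private String canonicalHost = "testserver.sso.test"; // assumption: host part of the HTTP/ SPN
    private String loginPage = "/login.html";             // assumption: form-login-page from web.xml

    public void setCanonicalHost(String h) { canonicalHost = h; } // settable via <param> in jboss-web.xml
    public void setLoginPage(String p) { loginPage = p; }

    /** True when the Host header is a bare IPv4 literal, with or without a port. */
    static boolean isIpLiteral(String host) {
        return host != null && host.matches("\\d{1,3}(\\.\\d{1,3}){3}(:\\d+)?");
    }

    /** True when the Authorization header carries an NTLM token inside the Negotiate scheme. */
    static boolean isNtlmNegotiate(String authorization) {
        if (authorization == null) return false;
        String h = authorization.trim();
        if (!h.regionMatches(true, 0, "Negotiate ", 0, 10)) return false;
        return h.substring(10).trim().startsWith(NTLM_B64_PREFIX);
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String host = request.getHeader("Host");
        if (isIpLiteral(host)) {
            // Redirect to the DNS name (keeping any port) so the browser can get a ticket for HTTP/<hostname>.
            int colon = host.indexOf(':');
            String port = colon < 0 ? "" : host.substring(colon);
            String qs = request.getQueryString();
            response.sendRedirect(request.getScheme() + "://" + canonicalHost + port
                    + request.getRequestURI() + (qs == null ? "" : "?" + qs));
            return;
        }
        if (isNtlmNegotiate(request.getHeader("Authorization"))) {
            // Client from another domain fell back to NTLM: remember where it wanted to go, show the form.
            request.getSession(true).setAttribute("originalUrl", request.getRequestURL().toString());
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        getNext().invoke(request, response);
    }
}
```

Because the redirect to the form is issued here and not by the container's FormAuthenticator, the container has no saved request to return to after login; the welcome page has to read the `originalUrl` session attribute and redirect to it itself.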
-
12. Re: SPNEGO : Accessing JBoss Server by IP address
rodakr Mar 25, 2013 10:20 AM (in response to jdurant)Take a look at the web.xml from jboss-negotiation-toolkit.war from https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7 ....
You don't need a FilterServlet if you have this in your web.xml:
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>
-
13. Re: SPNEGO : Accessing JBoss Server by IP address
jdurant Mar 25, 2013 10:33 AM (in response to rodakr)I used this web.xml as an example to configure my application, so I don't understand what you want to show me?
I'm having the same two issues described above using my application or the negotiation toolkit.
EDIT:
Please read my messages: the fallback works well in the main use cases, I'm having issues only for two particular cases.
-
14. Re: SPNEGO : Accessing JBoss Server by IP address
rodakr Mar 25, 2013 10:56 AM (in response to jdurant)I don't see what you want to achieve....
Connection from a computer of another domain
This is a browser issue, you have to tell clients from different domains to trust your web server's domain:
http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html -> Configuring Mozilla Firefox Browser
Connection with an IP address in the URL
Communicate the URL to users with the DNS name! Using an IP address is a bad thing anyway. When your server moves you just update the DNS for your machine. Anybody having the old IP as a link will have problems.
If SPNEGO doesn't work, you have FORM-based authentication, where the user passes his credentials. Once FORM-based authentication is successful the user is redirected to the welcome page....