1 2 Previous Next 21 Replies Latest reply on Jan 8, 2018 7:47 AM by mchoma

    SSO Wildfly LDAP server Kerberos 11.0.0.CR1

    gurras

      Awhile back I wrote about SSO for wildfly with no reponse. Now I am looking for information on how to setup up SSO(single sign on) for a wildfly server over ejb connectors. I want to be able to use kerberos implementation with ticket caches and avoid using the keytabs. Is this even possible to setup a client-server Communication like this in wildfly version 11.0.0.CR1? Which login modules are required and how should the client be setup for credentials-less communication. I've read about key cloak but i'm unsure if this is what I am after. Any help or examples would be greatly appreciated since latest documentation is seriously lacking.

       

      Thanks!

        • 1. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
          dlofthouse

          We should probably write a blog post with a complete example but the end of the following section in the migration guide shows how GSSAPI authentication can be configured using WildFly Elytron, this is the piece that is required for the server side of configuration.

          • 2. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
            gurras

            Thanks Darran,

            Are you referring to this Kerberos Based Authentication Migration - Latest WildFly Documentation - Project Documentation Editor ?  It appears the example makes use of keytabs which I am trying to avoid. Is there anyway to make remote sso authentication for ejb beans without making use of keytabs? Something similar to the LDAP example but somehow keep the session in context according to the authenticated user to the LDAP server?

            • 3. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
              dlofthouse

              In that example the keytab is the servers identity, are you also looking to avoid a keytab for the servers service principal?

              • 4. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                gurras

                So that keytab does not contain the different users principal that will authenticate against the application? What kind of use does Elytron make of this keytab file and how is it generated?

                • 5. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                  gurras

                  So I think I figured out how to generate the keytab for the server identity. Is it only necessary to generate one service principal for the keytab? If so, will it then be able to authenticate the different users in the AD domain? How does the GSS API come in play? Any help is greatly appreciated.

                  • 6. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                    mchoma

                    Yes, service principal e.g. HTTP/localhost will be used to verify different user kerberos tickets.

                    • 7. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                      mchoma

                      Gustav, what is client in your case? It is java process on client machine levereging ejb-client ? It is not browser, right?

                      • 8. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                        gurras

                        Thanks Martin.

                        Yes it is a java process communicating with the server. That is why I asked about how the client is supposed to be setup for SSO authentication.

                        • 9. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                          gurras

                          Anybody have an idea on how to setup the java client for SSO Communication for ejb connections? I've managed to set everything up on wildfly server with keytab and kerberos login module but I am lost in the realm of setting up the java client process. Thanks in advance.

                          • 10. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                            mchoma

                            This is how I call ejb with kerberos ticket (fixed username/password) from test.

                            // Use our custom configuration to avoid reliance on external config
                                    Configuration originalConfiguration = Utils.getLoginConfiguration();
                                    final Krb5LoginConfiguration krb5configuration = new Krb5LoginConfiguration(originalConfiguration);
                                    Configuration.setConfiguration(krb5configuration);
                                    // Authenticate to Kerberos.
                                    final LoginContext lc;
                                    try {
                                        if (loginContext == null) {
                                            lc = new LoginContext(krb5configuration.getUuid(), new UsernamePasswordHandler(kerberosUserPrincipal, PASSWORD));
                                            lc.login();
                                        } else {
                                            lc = loginContext;
                                        }
                                    } catch (Exception ex) {
                                        throw new RuntimeException("Kerberos authentication failed for user " + kerberosUserPrincipal + " with password "
                                                + PASSWORD, ex);
                                    }
                                    final InitialContext krbCtx = new InitialContext(getCtxProperties());
                                    try {
                            
                                        AuthenticationConfiguration configuration = AuthenticationConfiguration.EMPTY
                                                .useProvidersFromClassLoader(AbstractKerberosEjbTestCase.class.getClassLoader())
                                                .useGSSCredential(getGSSCredential(lc.getSubject()));
                            
                                        if ((fallbackUser!=null) && (passwordForFallbackUser != null)) {
                                            configuration =  configuration
                                                    .usePrincipal(new NamePrincipal(fallbackUser))
                                                    .usePassword(passwordForFallbackUser);
                                        }
                            
                                        AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, configuration);
                            
                                        final String krbHello = context.run(new PrivilegedExceptionAction<String>() {
                                            @Override
                                            public String run() throws Exception {
                                                final SimpleBeanRemote krbBean = (SimpleBeanRemote) krbCtx.lookup(finalBeanLookupName);
                                                return krbBean.hello();
                                            }
                                        });
                            

                             

                            It means kerberos ticket is passed using AuhtneticationConfiguration. This used to work with Subject.doAs, but does not work in 7.1 ejb client 4.x anymore.

                             

                            If you want to use current user kerberos ticket try to use useTicketCache option of Krb5LoginModule [1] - but I have no experience with this solution.

                            Also if you work on prototype from scratch use Elytron instead of legacy security solution. Setting "kerbero login module" sounds as you are using old security domains.

                             

                            [1] Krb5LoginModule (Java Authentication and Authorization Service )

                            • 11. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                              gurras

                              So after extensive research I've looked into building a java client with help of waffle. I manage to retreive the ticket altough I am stuck in how to apply it to the client and to the negotiation to the server. Anbody with any insights?

                              • 12. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                                mchoma

                                Above example is not good for you? Calling ejb using AuthenticationContext? This is how it is recommended in wildfly 11

                                • 13. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                                  gurras

                                  I dont understand which dependencies are required to run your code. Would you mind sharing exatly what I need?

                                  Otherwise your UsernamePasswordHandler requires  username, password arguments. If your test is fixed, how will it enable to have different users? Since I will be running on a Windows machine I dont want to set the windows registry to allow for retreival of cache from the TGT since there is elevated security mechanisms in windows from preventing the use of GSS API, which is why I mentioned waffle. I can't find any resource describing a single sign on java client process leveraging communication over ejb endpoints.

                                  -

                                  • 14. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                                    mchoma

                                    you need jboss-ejb-client 4.x But this is something you should already have.

                                     

                                    You say you have kerberos ticket. Can you put it into .useGSSCredential() ?

                                    1 2 Previous Next