-
1. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
dlofthouse Oct 3, 2017 5:54 AM (in response to gurras)
We should probably write a blog post with a complete example, but the end of the following section in the migration guide shows how GSSAPI authentication can be configured using WildFly Elytron; this is the piece that is required for the server side of the configuration.
-
2. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 3, 2017 6:18 AM (in response to dlofthouse)
Thanks Darran,
Are you referring to this Kerberos Based Authentication Migration - Latest WildFly Documentation - Project Documentation Editor? It appears the example makes use of keytabs, which I am trying to avoid. Is there any way to make remote SSO authentication for EJB beans without making use of keytabs? Something similar to the LDAP example, but somehow keeping the session in context according to the user authenticated against the LDAP server?
-
3. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
dlofthouse Oct 3, 2017 6:20 AM (in response to gurras)
In that example the keytab is the server's identity; are you also looking to avoid a keytab for the server's service principal?
-
4. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 3, 2017 6:44 AM (in response to gurras)
So that keytab does not contain the different user principals that will authenticate against the application? What kind of use does Elytron make of this keytab file, and how is it generated?
-
5. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 4, 2017 10:32 AM (in response to gurras)
So I think I figured out how to generate the keytab for the server identity. Is it only necessary to generate one service principal for the keytab? If so, will it then be able to authenticate the different users in the AD domain? How does the GSS API come into play? Any help is greatly appreciated.
-
6. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 4, 2017 11:00 AM (in response to gurras)
Yes, the service principal (e.g. HTTP/localhost) will be used to verify the different users' Kerberos tickets.
-
7. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 5, 2017 5:21 AM (in response to mchoma)
Gustav, what is the client in your case? Is it a Java process on the client machine leveraging ejb-client? It is not a browser, right?
-
8. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 6, 2017 2:35 AM (in response to gurras)
Thanks Martin.
Yes, it is a Java process communicating with the server. That is why I asked about how the client is supposed to be set up for SSO authentication.
-
9. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 10, 2017 10:30 AM (in response to gurras)
Anybody have an idea on how to set up the Java client for SSO communication over EJB connections? I've managed to set everything up on the WildFly server with a keytab and a Kerberos login module, but I am lost in the realm of setting up the Java client process. Thanks in advance.
-
10. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 10, 2017 3:47 PM (in response to gurras)
This is how I call an EJB with a Kerberos ticket (fixed username/password) from a test.
// Imports needed by the snippet (javax.* from the JDK, org.wildfly.* from the WildFly Elytron client).
// Utils, Krb5LoginConfiguration, UsernamePasswordHandler, AbstractKerberosEjbTestCase and
// SimpleBeanRemote are helper classes of the WildFly testsuite this snippet was taken from.
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.auth.principal.NamePrincipal;

// Use our custom configuration to avoid reliance on external config
Configuration originalConfiguration = Utils.getLoginConfiguration();
final Krb5LoginConfiguration krb5configuration = new Krb5LoginConfiguration(originalConfiguration);
Configuration.setConfiguration(krb5configuration);

// Authenticate to Kerberos (obtain a TGT for kerberosUserPrincipal, or reuse an existing LoginContext).
final LoginContext lc;
try {
    if (loginContext == null) {
        lc = new LoginContext(krb5configuration.getUuid(),
                new UsernamePasswordHandler(kerberosUserPrincipal, PASSWORD));
        lc.login();
    } else {
        lc = loginContext;
    }
} catch (Exception ex) {
    // Note: putting PASSWORD into the message writes the secret to logs; acceptable only in a test.
    throw new RuntimeException("Kerberos authentication failed for user " + kerberosUserPrincipal
            + " with password " + PASSWORD, ex);
}

final InitialContext krbCtx = new InitialContext(getCtxProperties());
try {
    // The GSSCredential derived from the logged-in Subject is what the EJB client forwards to the server.
    AuthenticationConfiguration configuration = AuthenticationConfiguration.EMPTY
            .useProvidersFromClassLoader(AbstractKerberosEjbTestCase.class.getClassLoader())
            .useGSSCredential(getGSSCredential(lc.getSubject()));
    // Optional username/password fallback if the GSSAPI mechanism is not accepted.
    if ((fallbackUser != null) && (passwordForFallbackUser != null)) {
        configuration = configuration
                .usePrincipal(new NamePrincipal(fallbackUser))
                .usePassword(passwordForFallbackUser);
    }
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, configuration);
    // Every invocation made inside run() uses the configuration above.
    final String krbHello = context.run(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            final SimpleBeanRemote krbBean = (SimpleBeanRemote) krbCtx.lookup(finalBeanLookupName);
            return krbBean.hello();
        }
    });
} finally {
    krbCtx.close(); // added here: the original post ends mid-try; release the JNDI context on exit
}
It means the Kerberos ticket is passed using AuthenticationConfiguration. This used to work with Subject.doAs, but does not work in 7.1 ejb client 4.x anymore.
If you want to use the current user's Kerberos ticket, try the useTicketCache option of Krb5LoginModule [1], but I have no experience with this solution.
Also, if you work on a prototype from scratch, use Elytron instead of the legacy security solution. Setting a "kerberos login module" sounds as if you are using old security domains.
[1] Krb5LoginModule (Java Authentication and Authorization Service)
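A complete client that reuses the already-logged-in user's TGT via the useTicketCache option and forwards it through useGSSCredential, written here as an added example (not code from the thread, the WildFly testsuite or the project). It assumes the WildFly 11 Elytron client (org.wildfly.security.auth.client) and jboss-ejb-client 4.x on the classpath; SimpleBeanRemote, the server URL and the JNDI name are placeholders, and getGSSCredential is one standard way to build what the snippet above obtains from its testsuite helper.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.naming.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import org.ietf.jgss.*;
import org.wildfly.security.auth.client.*;

public class TicketCacheEjbClient {
    /** In-memory JAAS config: reuse the TGT from the OS ticket cache, never prompt for a password. */
    static final class TicketCacheConfig extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true"); // read the existing TGT instead of asking for credentials
            opts.put("doNotPrompt", "true");    // fail instead of falling back to a password prompt
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }
    /** Wrap the Subject's TGT as an initiate-only GSSCredential for AuthenticationConfiguration. */
    static GSSCredential getGSSCredential(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid("1.2.840.113554.1.2.2"), GSSCredential.INITIATE_ONLY)); // Kerberos v5 OID
    }
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("TicketCache", null, null, new TicketCacheConfig());
        lc.login(); // throws LoginException when the cache holds no valid TGT
        AuthenticationConfiguration cfg = AuthenticationConfiguration.empty()
                .useGSSCredential(getGSSCredential(lc.getSubject()));
        AuthenticationContext ctx = AuthenticationContext.empty().with(MatchRule.ALL, cfg);
        String reply = ctx.run((PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
            env.put(Context.PROVIDER_URL, "remote+http://localhost:8080"); // assumed server address
            InitialContext ic = new InitialContext(env);
            try {
                // assumed JNDI name; SimpleBeanRemote is the remote interface from the thread's snippet
                SimpleBeanRemote bean = (SimpleBeanRemote) ic.lookup("ejb:/app/SimpleBean!SimpleBeanRemote");
                return bean.hello();
            } finally {
                ic.close();
            }
        });
        System.out.println(reply);
    }
}
```

On Windows the JDK's Krb5LoginModule can read the TGT from the LSA cache only when the AllowTgtSessionKey registry value is set (the registry change gurras mentions later in the thread); without it lc.login() fails and no password fallback is attempted.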
-
11. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 26, 2017 2:57 AM (in response to gurras)
So after extensive research I've looked into building a Java client with the help of Waffle. I manage to retrieve the ticket, although I am stuck on how to apply it to the client and to the negotiation with the server. Anybody with any insights?
-
12. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 26, 2017 5:17 AM (in response to gurras)
Is the above example not good for you? Calling the EJB using AuthenticationContext? This is how it is recommended in WildFly 11.
-
13. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
gurras Oct 26, 2017 7:07 AM (in response to mchoma)
I don't understand which dependencies are required to run your code. Would you mind sharing exactly what I need?
Otherwise, your UsernamePasswordHandler requires username and password arguments. If your test is fixed, how will it enable different users? Since I will be running on a Windows machine, I don't want to set the Windows registry to allow retrieval of the cache from the TGT, since there are elevated security mechanisms in Windows preventing the use of the GSS API, which is why I mentioned Waffle. I can't find any resource describing a single sign-on Java client process leveraging communication over EJB endpoints.
-
14. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
mchoma Oct 26, 2017 8:59 AM (in response to gurras)
You need jboss-ejb-client 4.x, but this is something you should already have.
You say you have a Kerberos ticket. Can you put it into .useGSSCredential()?