0 Replies Latest reply on Jun 10, 2010 10:43 AM by jar349

    Configuring a web-app to use the SPNEGO security domain in AS 5.1

    jar349

      Hello,

       

      I'm having problems getting an application using spring security in JBoss 5.1 to delegate its authentication to the JBoss container.  I'm not asking you to solve that (although it'd be cool if you did), but rather to help me ensure that I have correctly configured the web application to use the SPNEGO/AdvLdap security domain I have going in JBoss.  I followed the jboss negotiation user guide to achieve this.

       

      My $JBOSS_HOME/server/default/conf/login-conf.xml contains the "host" domain (as shown in the user guide), as well as the SPNEGO domain.  I also have correctly configured the AdvLdap login module to be chained after the Negotiation login module.

       

In the WEB-INF of my web app, I have a file named spnego-jboss-beans.xml and it contains a copy/paste of the SPNEGO domain.  I did add a deployment tag and update the namespace of <application-policy> after copying and pasting.  I followed Anil's example here.

       

Finally, in WEB-INF, I created jboss-web.xml and configured the security domain to be SPNEGO.

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
           <security-domain>java:/jaas/SPNEGO</security-domain>
      </jboss-web>

       

      If I am not mistaken, every time I go to my application now, JBoss should be doing SPNEGO authentication against my AD, right?  Have I missed anything?  If so, please let me know.

       

      Thanks!

      John.

       

      P.S. - Here's the message I posted to the spring security forums in case you happen to know how to solve my "real" problem.

      I've inherited a grails 1.1.1 application that uses spring 2.5.6 and spring security 2.0.4 within JBoss 5.1.  I am not allowed to upgrade to spring 3.0 or change the application server. 

       

      Our JBoss (on RHEL) is configured with a security domain that successfully accomplishes SSO via SPNEGO/Kerberos against Active Directory and also loads the user principal's roles from AD.

       

      The application currently uses spring security to configure CAS authentication.  My task is to change the spring security configuration to make the application use the JBoss container's SPNEGO/Kerberos against MS AD.  I don't know how to do this.

       

      I know spring security 2.0.x has container adapters, but the only JBoss adapter I could find was built against JBoss 3.  Knowing that the JBoss team went to their microkernel architecture from 4 -> 5, I haven't even attempted this route.

       

My best lead right now is to configure spring security to use the PreAuthenticatedEntryPoint and - somewhere within its configuration - write my own custom role & granted authorities mappers that grab the current principal and his AD roles and map that to a spring Authentication and its GrantedAuthorities.

       

Will this work?  Has anyone done this before?  Or, does someone have a better idea for how I might delegate authentication to the JBoss container?  Ideally, I'm asking which spring interfaces I should be overriding and what the spring configuration would look like.

       

I have been trying to follow this example: http://blog.restafarian.org/2008/05/first-test-of-spring-security-via-websphere/ but the application fails to deploy because spring complains about beans not being defined - even though the bean is totally defined!  For example, it might complain about bean "authenticationDetailsSource" not being defined, but you can see in the example configuration file in that URL that there is absolutely a bean with id "authenticationDetailsSource" defined!

       

      Please, please, help.  Even if you don't have the full answer - if you know something about this problem, please post it!
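Two things worth spelling out for anyone landing on this thread with the same setup, as an added example and not part of the original post. First, the jboss-web.xml <security-domain> element only selects which login modules run; AS 5 does not challenge the browser for a Negotiate token until web.xml also carries a <security-constraint> covering the URLs and a <login-config> whose <auth-method> is SPNEGO (the key under which the JBoss Negotiation user guide registers NegotiationAuthenticator in war-deployers-jboss-beans.xml), plus a <security-role> entry for every role the app should see. Without the constraint, request.getUserPrincipal() stays null and nothing downstream has anything to pre-authenticate. Second, once the container does that work, Spring Security 2.0.x can consume it through its J2EE pre-authentication classes rather than a custom adapter: the filter takes the container principal, the details source asks the container which declared roles the user holds, and the provider turns that into an Authentication without touching CAS at all. The configuration below is my own illustration, assuming the security domain is named SPNEGO as in the post; the class names are those of the Spring Security 2.0.x preauth sample as I recall them and should be checked against the 2.0.4 jar, the role name ROLE_USER is a placeholder, and the Grails Acegi plugin would want the same beans declared in resources.groovy instead of this XML.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative Spring Security 2.0.x context (added example, not the poster's config).
     Assumes web.xml already has a security-constraint, login-config with
     auth-method SPNEGO, and security-role declarations; JBoss then sets the
     request principal and roles before any of these beans run. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- No login page and no CAS redirect: the container already authenticated the
       caller. An unauthenticated request that still reaches Spring means the
       web.xml constraint was bypassed, so answer 403 rather than redirecting. -->
  <security:http entry-point-ref="preAuthEntryPoint">
    <security:intercept-url pattern="/**" access="ROLE_USER"/> <!-- ROLE_USER is a placeholder -->
  </security:http>

  <bean id="preAuthEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/>

  <!-- Reads request.getUserPrincipal() (populated by Negotiation + AdvLdap) and
       builds a PreAuthenticatedAuthenticationToken for the authentication manager. -->
  <bean id="j2eePreAuthFilter"
        class="org.springframework.security.ui.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    <security:custom-filter position="PRE_AUTH_FILTER"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
  </bean>

  <!-- Calls request.isUserInRole() for each mappable role and converts the hits
       into GrantedAuthorities carried in the token's details. -->
  <bean id="authenticationDetailsSource"
        class="org.springframework.security.ui.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
    <property name="mappableRolesRetriever" ref="j2eeMappableRolesRetriever"/>
    <property name="userRoles2GrantedAuthoritiesMapper" ref="j2eeUserRoles2GrantedAuthoritiesMapper"/>
  </bean>

  <!-- Only roles declared as <security-role> in web.xml are ever tested, so an
       AD group the app never declared can never become an authority. -->
  <bean id="j2eeMappableRolesRetriever"
        class="org.springframework.security.ui.preauth.j2ee.WebXmlMappableAttributesRetriever"/>

  <!-- Container role "user" becomes ROLE_USER. -->
  <bean id="j2eeUserRoles2GrantedAuthoritiesMapper"
        class="org.springframework.security.authoritymapping.SimpleAttributes2GrantedAuthoritiesMapper">
    <property name="convertAttributeToUpperCase" value="true"/>
    <property name="attributePrefix" value="ROLE_"/>
  </bean>

  <!-- Trusts the token produced by the filter; the UserDetailsService simply
       copies the authorities the details source already gathered. -->
  <bean id="preAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <security:custom-authentication-provider/>
    <property name="preAuthenticatedUserDetailsService">
      <bean class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
    </property>
  </bean>

  <security:authentication-manager alias="authenticationManager"/>
</beans>
```

The point of the WebXmlMappableAttributesRetriever pairing is least privilege: the container may know every AD group the user is in, but Spring only learns about the roles web.xml declares, so the application's authority set is bounded by a file under version control rather than by the directory. If the deployer later asks for a role that was never declared, it is silently absent, which is the failure mode to test for first when an expected authority does not show up.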