6 Replies Latest reply on Jul 7, 2011 2:35 AM by jboss beginner

    IdentityStore and Kerberos

    Daniel Kraft Newbie

      Hi there,


      I intend to use Kerberos in my Seam application. Is there an example or best practice regarding the realization of an IdentityStore using Kerberos authentication?


      Thx in advance!


      Daniel

        • 2. Re: IdentityStore and Kerberos
          Coen Damen Novice

          You can also integrate JCIFS with Kerberos into Seam.


          Using the Identity's Principal to verify against the Kerberos server.


          Get JCIFS-krb5 here or use Maven to download the jar.


          See the KerberosAuthExample.java for an example implementation.


          Cheers,
          Coenos

          • 3. Re: IdentityStore and Kerberos
            ingo bischofs Newbie

            Hi there,


            As using JCIFS requires a password to be typed in:


            does anyone know a solution for a 'real' SSO, which does not require entering login credentials, but uses e.g. Internet Explorer to negotiate?


            We are using Seam 2.01, AS 5.01, and have properly installed JBoss security-negotiation (2.0.1 GA).
            The samples of security-negotiation run perfectly, but we didn't find a way to integrate with Seam so far...


            thanks and cheers,
            ingo

            • 4. Re: IdentityStore and Kerberos
              Coen Damen Novice

              With JCIFS you don't need to put in a password. You can configure Seam's authenticator to autoLogin a user.



              import jcifs.smb.NtlmPasswordAuthentication;

              import org.jboss.seam.annotations.In;
              import org.jboss.seam.annotations.Logger;
              import org.jboss.seam.annotations.Name;
              import org.jboss.seam.contexts.Context;
              import org.jboss.seam.faces.FacesMessages;
              import org.jboss.seam.faces.Redirect;
              import org.jboss.seam.log.Log;
              import org.jboss.seam.security.Credentials;
              import org.jboss.seam.security.Identity;

              @Name("authenticator")
              public class Authenticator {
                  @Logger
                  Log log;

                  @In
                  Identity identity;
                  @In
                  Credentials credentials;
                  @In
                  Context sessionContext;

                  public boolean autoLogin2() {
                      return this.authenticate();
                  }

                  public boolean autoLogin() {
                      // trying auto-login: NtlmHttpFilter stores the negotiated
                      // NtlmPasswordAuthentication in the session under "NtlmHttpAuth"
                      Object autoLogin = sessionContext.get("NtlmHttpAuth");
                      boolean isAuthenticated = false;
                      if (autoLogin != null
                              && (autoLogin instanceof NtlmPasswordAuthentication)) {
                          try {
                              // This will trigger a call of Authenticator.authenticate() (see
                              // below)
                              identity.authenticate();
                              isAuthenticated = true;
                          } catch (Exception e) {
                              log.info(String.format("Autologin failed: %s", e.getMessage()));
                          }
                      }

                      return isAuthenticated;
                  }

                  public void ssoRedirect() throws Exception {
                      if (identity.isLoggedIn()) {
                          log.debug(String.format("ssoRedirect: user %s is logged in",
                                  identity.getPrincipal().getName()));
                          FacesMessages.instance().clear(); // clear the regular Seam messages
                          Redirect.instance().returnToCapturedView(); // return to the captured view
                      }
                  }

                  public boolean authenticate2() {
                      identity.addRole("admin");
                      identity.isLoggedIn(true);
                      return true;
                  }

                  public boolean authenticate() {
                      // TODO: Differentiate between form-based / prompted login and automatic
                      // login - is that even possible?
                      Object autoLogin = sessionContext.get("NtlmHttpAuth");
                      boolean isAuthenticated = false;
                      if (autoLogin != null
                              && (autoLogin instanceof NtlmPasswordAuthentication)) {
                          NtlmPasswordAuthentication ntlm = (NtlmPasswordAuthentication) autoLogin;
                          String username = ntlm.getUsername();
                          isAuthenticated = username != null && username.length() != 0;
                          if (isAuthenticated) {
                              log.info(String.format("Authenticated: %s", username));
                              identity.getCredentials().setUsername(username);
                              // placeholder password: the credential check already
                              // happened in the NTLM filter, Seam never verifies this value
                              identity.getCredentials().setPassword("nonsense");

                              //isAuthenticated = umbrellaSecurityManager.userIsKnown(username);

                              if (isAuthenticated) {
                                  identity.addRole("admin");
                              }
                          }
                      }
                      return isAuthenticated;
                  }
              }

              Set the JCIFS NtlmFilter.

              <filter>
                  <filter-name>NtlmHttpFilter</filter-name>
                  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
                  <init-param>
                      <param-name>jcifs.http.domainController</param-name>
                      <param-value>127.0.0.7</param-value>
                  </init-param>
                  <init-param>
                      <param-name>jcifs.smb.client.domain</param-name>
                      <param-value>MYDOMAIN</param-value>
                  </init-param>
                  <init-param>
                      <param-name>jcifs.smb.lmCompatibility</param-name>
                      <param-value>3</param-value>
                  </init-param>
                  <init-param>
                      <param-name>jcifs.util.loglevel</param-name>
                      <param-value>2</param-value>
                  </init-param>
              </filter>
              <filter-mapping>
                  <filter-name>NtlmHttpFilter</filter-name>
                  <url-pattern>/*</url-pattern>
              </filter-mapping>

              Etc etc..


              If you need more info, let me know,
              Coen
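
An added example, not Coen's code and not part of JCIFS or Seam: a variant of the authenticate() above in which roles come from an explicit per-user mapping instead of every account the NTLM filter accepts being given "admin". It assumes the same Seam 2.1 and JCIFS NtlmHttpFilter setup as the post; the ROLES map is a constructed placeholder standing in for a real user-store lookup.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import jcifs.smb.NtlmPasswordAuthentication;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.contexts.Context;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class Authenticator {
    @Logger Log log;
    @In Identity identity;
    @In Context sessionContext;

    // Constructed placeholder for a real user store; keys are "domain\user" in lower case
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        ROLES.put("mydomain\\alice", Collections.singleton("admin"));
        ROLES.put("mydomain\\bob", Collections.singleton("user"));
    }

    public boolean authenticate() {
        // NtlmHttpFilter stores the negotiated credentials in the session under this key
        Object auth = sessionContext.get("NtlmHttpAuth");
        if (!(auth instanceof NtlmPasswordAuthentication)) {
            return false; // no NTLM handshake on this session: fall back to form login
        }
        NtlmPasswordAuthentication ntlm = (NtlmPasswordAuthentication) auth;
        String user = ntlm.getUsername();
        if (user == null || user.length() == 0) {
            return false;
        }
        // Key on domain + user so the same short name from another domain is not confused
        String key = (ntlm.getDomain() + "\\" + user).toLowerCase();
        Set<String> roles = ROLES.get(key);
        if (roles == null) {
            log.info(String.format("NTLM principal %s is not a known user, rejecting", key));
            return false;
        }
        identity.getCredentials().setUsername(user);
        for (String role : roles) {
            identity.addRole(role); // only the roles mapped to this account
        }
        return true;
    }
}
```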

              • 5. Re: IdentityStore and Kerberos
                yachaa Newbie

                Hi there,


                The example above uses NTLM authentication. Are there any examples of Kerberos authentication using the JCIFS library that do not require the user to enter a password?


                Cheers,


                Ivan

                • 6. Re: IdentityStore and Kerberos
                  jboss beginner Newbie

                  Need seam demo application with kerberos SSO