10 Replies Latest reply on Oct 10, 2017 3:47 PM by Martin Choma

    SSO Wildfly LDAP server Kerberos 11.0.0.CR1

    Gustav S Newbie

A while back I wrote about SSO for WildFly with no response. Now I am looking for information on how to set up SSO (single sign-on) for a WildFly server over EJB connectors. I want to be able to use a Kerberos implementation with ticket caches and avoid using keytabs. Is it even possible to set up client-server communication like this in WildFly version 11.0.0.CR1? Which login modules are required, and how should the client be set up for credential-less communication? I've read about Keycloak, but I'm unsure if this is what I am after. Any help or examples would be greatly appreciated, since the latest documentation is seriously lacking.

       

      Thanks!

        • 1. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
          Darran Lofthouse Master

We should probably write a blog post with a complete example, but the end of the following section in the migration guide shows how GSSAPI authentication can be configured using WildFly Elytron; this is the piece that is required for the server side of the configuration.

          • 2. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
            Gustav S Newbie

            Thanks Darran,

Are you referring to this: Kerberos Based Authentication Migration - Latest WildFly Documentation - Project Documentation Editor? It appears the example makes use of keytabs, which I am trying to avoid. Is there any way to do remote SSO authentication for EJB beans without making use of keytabs? Something similar to the LDAP example, but somehow keeping the session in context according to the user authenticated to the LDAP server?

            • 3. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
              Darran Lofthouse Master

In that example the keytab is the server's identity; are you also looking to avoid a keytab for the server's service principal?

              • 4. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                Gustav S Newbie

So that keytab does not contain the principals of the different users that will authenticate against the application? What kind of use does Elytron make of this keytab file, and how is it generated?

                • 5. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                  Gustav S Newbie

So I think I figured out how to generate the keytab for the server identity. Is it only necessary to generate one service principal for the keytab? If so, will it then be able to authenticate the different users in the AD domain? How does the GSS API come into play? Any help is greatly appreciated.

                  • 6. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                    Martin Choma Expert

Yes, a service principal, e.g. HTTP/localhost, will be used to verify the different users' Kerberos tickets.

                    • 7. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                      Martin Choma Expert

Gustav, what is the client in your case? Is it a Java process on the client machine leveraging ejb-client? It is not a browser, right?

                      • 8. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                        Gustav S Newbie

                        Thanks Martin.

Yes, it is a Java process communicating with the server. That is why I asked how the client is supposed to be set up for SSO authentication.

                        • 9. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                          Gustav S Newbie

Does anybody have an idea of how to set up the Java client for SSO communication over EJB connections? I've managed to set everything up on the WildFly server with a keytab and the Kerberos login module, but I am lost in the realm of setting up the Java client process. Thanks in advance.

                          • 10. Re: SSO Wildfly LDAP server Kerberos 11.0.0.CR1
                            Martin Choma Expert

This is how I call an EJB with a Kerberos ticket (fixed username/password) from a test.

// Use our custom JAAS configuration to avoid reliance on external config
Configuration originalConfiguration = Utils.getLoginConfiguration();
final Krb5LoginConfiguration krb5configuration = new Krb5LoginConfiguration(originalConfiguration);
Configuration.setConfiguration(krb5configuration);

// Authenticate to Kerberos (username/password via Krb5LoginModule), unless a LoginContext was supplied.
final LoginContext lc;
try {
    if (loginContext == null) {
        lc = new LoginContext(krb5configuration.getUuid(), new UsernamePasswordHandler(kerberosUserPrincipal, PASSWORD));
        lc.login();
    } else {
        lc = loginContext;
    }
} catch (Exception ex) {
    // Do not echo the password into the exception message; it ends up in logs.
    throw new RuntimeException("Kerberos authentication failed for user " + kerberosUserPrincipal, ex);
}

final InitialContext krbCtx = new InitialContext(getCtxProperties());
try {
    // The Kerberos ticket travels to the server as a GSSCredential taken from the authenticated Subject.
    AuthenticationConfiguration configuration = AuthenticationConfiguration.EMPTY
            .useProvidersFromClassLoader(AbstractKerberosEjbTestCase.class.getClassLoader())
            .useGSSCredential(getGSSCredential(lc.getSubject()));

    // Optional fallback identity (username/password) if the GSSAPI mechanism cannot be used.
    if ((fallbackUser != null) && (passwordForFallbackUser != null)) {
        configuration = configuration
                .usePrincipal(new NamePrincipal(fallbackUser))
                .usePassword(passwordForFallbackUser);
    }

    // The configuration applies to every outbound connection opened inside context.run().
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, configuration);

    final String krbHello = context.run(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            final SimpleBeanRemote krbBean = (SimpleBeanRemote) krbCtx.lookup(finalBeanLookupName);
            return krbBean.hello();
        }
    });
    // (the test's assertions on krbHello follow here)
} finally {
    krbCtx.close();
}


It means the Kerberos ticket is passed using AuthenticationConfiguration. This used to work with Subject.doAs, but it does not work in 7.1 / ejb-client 4.x anymore.

                             

If you want to use the current user's Kerberos ticket, try the useTicketCache option of Krb5LoginModule [1], but I have no experience with this solution.

Also, if you are working on a prototype from scratch, use Elytron instead of the legacy security solution. Setting up a "kerberos login module" sounds as though you are using the old security domains.

                             

                            [1] Krb5LoginModule (Java Authentication and Authorization Service )
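The following is an added, standalone example of the ticket-cache variant Martin points at in [1], combined with the Elytron client API used in his test. It is not code from the thread, from the WildFly testsuite or from the WildFly project: it assumes a client machine where the user has already obtained a TGT (kinit or domain logon), a WildFly server whose remoting connector is wired to a GSSAPI-capable SASL authentication factory backed by a keytab as discussed above, the WildFly naming and Elytron client libraries on the classpath, and a hypothetical remote bean `SimpleBean` with interface `SimpleBeanRemote` and a placeholder server URL and JNDI name. The JAAS configuration is built in memory so no jaas.conf, keytab or password is present on the client.

```java
package org.example.client;

import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

/** Assumed remote interface; must be the very interface the server deploys (normally from the app's API jar). */
interface SimpleBeanRemote {
    String hello();
}

/** Added example: EJB client that reuses the caller's Kerberos TGT instead of a keytab or password. */
public class TicketCacheEjbClient {

    /** In-memory JAAS configuration: Krb5LoginModule reads the credential cache only and never prompts. */
    static final class TicketCacheConfiguration extends Configuration {
        private final String ticketCachePath; // null = default cache (KRB5CCNAME or the OS default)

        TicketCacheConfiguration(String ticketCachePath) { this.ticketCachePath = ticketCachePath; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "true"); // take the TGT from the credential cache
            options.put("doNotPrompt", "true");    // fail instead of asking for a password: no credentials in the client
            options.put("renewTGT", "true");       // renew an expiring TGT if the KDC permits it
            options.put("useKeyTab", "false");     // explicitly no keytab on the client side
            if (ticketCachePath != null) {
                options.put("ticketCache", ticketCachePath);
            }
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
        }
    }

    /** Logs in from the ticket cache and returns the Subject that now carries the TGT. */
    static Subject loginFromTicketCache(String ticketCachePath) throws Exception {
        // The entry name is irrelevant: our Configuration returns the same entry for any name.
        LoginContext lc = new LoginContext("ticket-cache", null, null, new TicketCacheConfiguration(ticketCachePath));
        lc.login();
        return lc.getSubject();
    }

    /** Wraps the Subject's TGT in an initiate-only GSS credential that Elytron hands to the SASL GSSAPI mechanism. */
    static GSSCredential toGssCredential(Subject subject) throws Exception {
        final Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5,
                        GSSCredential.INITIATE_ONLY));
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions, not from the thread): server URL and the bean's JNDI name.
        String providerUrl = args.length > 0 ? args[0] : "remote+http://localhost:8080";
        String jndiName = "ejb:app/module/SimpleBean!org.example.client.SimpleBeanRemote";

        Subject subject = loginFromTicketCache(null);
        GSSCredential credential = toGssCredential(subject);

        // Elytron client configuration: only GSSAPI is allowed, so a misconfigured server cannot
        // downgrade the client to a password mechanism it has no credential for anyway.
        AuthenticationConfiguration gssapiOnly = AuthenticationConfiguration.empty()
                .useGSSCredential(credential)
                .allowSaslMechanisms("GSSAPI");
        AuthenticationContext ctx = AuthenticationContext.empty().with(MatchRule.ALL, gssapiOnly);

        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
        props.put(Context.PROVIDER_URL, providerUrl);

        // Every remoting connection opened inside run() authenticates with the forwarded Kerberos ticket.
        String reply = ctx.run((PrivilegedExceptionAction<String>) () -> {
            InitialContext ic = new InitialContext(props);
            try {
                SimpleBeanRemote bean = (SimpleBeanRemote) ic.lookup(jndiName);
                return bean.hello();
            } finally {
                ic.close();
            }
        });
        System.out.println("server replied: " + reply);
    }
}
```

Two practical checks before blaming the server: run `klist` on the client first, since `doNotPrompt=true` makes the login fail outright when the cache holds no valid TGT; and on Windows the JDK cannot read the session key from the LSA cache unless the `allowtgtsessionkey` registry setting is enabled, so a `kinit`-populated file cache (pointed at with `KRB5CCNAME` or the `ticketCache` option) is the simpler way to test. The SASL GSSAPI mechanism requests a service ticket for the remoting host, so the service principal in the server's keytab has to match what the client asks for; a mismatch shows up as a GSS "server not found in Kerberos database" error on the client.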