2 Replies Latest reply on Oct 3, 2017 3:06 PM by Łukasz Wieczorek

    WF 10.1.0.Final SPNEGO + SSO

    Łukasz Wieczorek Newbie

      Hi,

      I have a problem with connecting SPNEGO with SSO.

      Architecture of my app assumes that in one ear i've got 2 wars.

      First war application is responsible for spnego authorization and does it well:

      i'm correctly connecting to active directory server, and ldapLoginModules gives me all rolles that i need.

      Second war application should be open in "logged in" state ussing SSO but it doesn't.

       

      I've noticed that during spnego authentication, when JAASIdentityManagerImpl.verifyCredential is called,

      new AccountImpl is creating with Principal pointing to user authorized over SPNEGO and originalPrincipal pointing to unique number, eg. 977832df-f917-4644-adfd-d38b69e0d841 (propably identifying user before SPNEGO authorization).

      When SSO mechanism is called and second securitydomain login module is called, once againg JAASIdentityManagerImpl verifyCredential method is called and authenticationManager.isValid checks if originalPrincipal is authenticated.

       

      Here is the problem: SPNEGO authorizes users adding active directory login to Principal class, but authenticationManager in JAASIdentityManagerImpl uses originalPrincipal which is not authorized over SPNEGO.

      In wildfly 8, JAASIdentityManagerImpl was using principal to verify by authenticationManager (https://github.com/undertow-io/undertow-subsystem/blob/master/extension/src/main/java/org/jboss/as/undertow/security/JAASIdentityManagerImpl.java),

      and this should work for me. But since this BUG [WFLY-3626] JAASIdentityManagerImpl reauthenticates on verify(), CallerPrincipal mapping bug - JBoss Issue Tracker it was changed.

       

      I would be very grateful if you could help me.

        • 1. Re: WF 10.1.0.Final SPNEGO + SSO
          Martin Choma Expert

          By default SPNEGO authentication should be http sessoin scoped. Is sharing http session between wars in ear option for you?

          • 2. Re: WF 10.1.0.Final SPNEGO + SSO
            Łukasz Wieczorek Newbie

            Hi,

            Thanks for replay.

            I will try this one, but i have my doubts whether this solution is correct:

            1) i'm not sure if session sharing is possible for wars operating on different security domains?

            2) I do not need to share state of all session attributes. Admittedly SPNEGO should be session scoped, and Principal should be stored in session, but this is not my purpose.

            I need to pass to second war information about logged in user and his roles, that's all. So SSO solution seems to be appropriate.

            After succes spnego authorization, JAASIdentityManagerImpl.verifyCredential is called. As a parameter AccountImpl is passed.

            Spnego sets logged user as principal in AccountImpl attribute but  JAASIdentityManagerImpl is using Account.getOriginalPrincipal() to check if principal is valid by second war security domain.

            The problem is that originalPrincipal points to unique number which identifies user before any authorization. For that reason second login module has no chance to verify correctness of that a user.