1 2 Previous Next 25 Replies Latest reply on Jun 3, 2008 3:03 AM by eric Lv

    Negotiate with Kerberos

    Chris DeLashmutt Newbie

      I'm working (very slowly :D ) on a plug in for JBoss AS to allow it to use Silent Authentication against a Kerberos domain. Mainly, I'm doing this to allow browsers supporting SPNEGO to silently authenticate with a web site. Prevents users from having to remember user ids and passwords for internal resources, since it can just pass through their existing Kerberos credentials.

      I just wanted to let anyone interested know that there was slight updated made to the wiki detailing some configuration differences between using this plug in with a JBoss AS server installed via the ZIP file, versus the JBoss AS server installed via the JBoss Installer jar.

      You can view the updated instructions (basically just step 3) at http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos

        • 1. Re: Negotiate with Kerberos
          Stefan Theusner Newbie

          Hi,

          i try to use your LoginModule but got some trouble with the
          org.jboss.web.tomcat.security.AdvancedWebCallbackHandler
          within jboss-service.xml

          JBoss 4.0.4 start runs into an exception.
          As per description i put all you *jar's into my server lib directory.

          I already try to put these into a seperate security-service.xml in my deploy directory but without any success...

          Any suggestions?

          20:06:13,671 INFO [ServiceConfigurator] Problem configuring service jboss.security:service=JaasSecurityManager
          org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@6a435f on mbean jboss.security:service=JaasSecurityManager; - nested throwable: (java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler)
          at org.jboss.system.ServiceConfigurator.setAttribute(ServiceConfigurator.java:698)
          at org.jboss.system.ServiceConfigurator.configure(ServiceConfigurator.java:332)
          at org.jboss.system.ServiceConfigurator.internalInstall(ServiceConfigurator.java:460)
          at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:171)
          at org.jboss.system.ServiceController.install(ServiceController.java:226)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
          at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
          at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
          at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
          at $Proxy4.install(Unknown Source)
          at org.jboss.deployment.SARDeployer.create(SARDeployer.java:249)
          at org.jboss.deployment.MainDeployer.create(MainDeployer.java:953)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:807)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:771)
          at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:755)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
          at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
          at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
          at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
          at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:260)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
          at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:190)
          at $Proxy5.deploy(Unknown Source)
          at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:477)
          at org.jboss.system.server.ServerImpl.start(ServerImpl.java:357)
          at org.jboss.Main.boot(Main.java:200)
          at org.jboss.Main$1.run(Main.java:464)
          at java.lang.Thread.run(Thread.java:595)
          Caused by: java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.web.tomcat.security.AdvancedWebCallbackHandler, msg=org/jboss/web/tomcat/security/WebCallbackHandler
          at org.jboss.mx.loading.RepositoryClassLoader.loadClassImpl(RepositoryClassLoader.java:527)

          • 3. Re: Negotiate with Kerberos
            Chris DeLashmutt Newbie

            Thanks, Scott! That eliminates the need for replacing the specialized callback handler altogether. I'll try to get that worked in asap.

            • 4. Re: Negotiate with Kerberos
              Anil Saldanha Master

              Does anyone read the Security FAQ?
              http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

              Q13 talk of getting the servlet request.

              • 5. Re: Negotiate with Kerberos
                Stefan Theusner Newbie

                 

                "scott.stark@jboss.org" wrote:
                The WebCallbackHandler is not the way to get the http request. See:
                http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication


                Sorry, i am very new at jaas / jboss but way i should access the authentication within the servlet?

                All i need is the to know that the logged in system user is a valid user.

                What about the GSS-API?

                • 6. Re: Negotiate with Kerberos
                  Chris DeLashmutt Newbie

                  At second glance, I think I realized why I didn't use Q13 in http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication.

                  The issue is that SPNEGO is a multi-pass authentication. It is my understanding that it is the job of the callback handler to retrieve user credentials. That is why I put the phase 1 part of authentication into the callback handler. In this phase, I needed access not only to the request, but also the response so that the callback handler could send a proper response the to the browser to have it perform the next phase of the authentication. After the browser handles it's phase, I then can handle the final phase in the login module

                  Perhaps I'm interpreting the role of the callback handler improperly or too strictly?

                  • 7. Re: Negotiate with Kerberos
                    Anil Saldanha Master

                    Does it mean you want SASL kind of infrastructure wherein the server issues challenges that the client will try to satisfy?


                    |sasl client| -----Here I am -------------> |Sasl Server|
                    
                    |sasl client| <-----Challenge 1 ------------- |Sasl Server|
                    
                    |sasl client| -----Challenge 1 resp-------------> |Sasl Server|
                    
                    
                    |sasl client| <-----Challenge 2------------- |Sasl Server|
                    
                    
                    |sasl client| -----Challenge 2 resp-------------> |Sasl Server|
                    
                    
                    |sasl client| <-----Welcome to Neverland------------- |Sasl Server|
                    
                    


                    • 8. Re: Negotiate with Kerberos
                      Chris DeLashmutt Newbie

                      Effectively, that is what SPNEGO does. So does NTLM. Neither protocol are as simple as just getting some credentials, and then validating them.

                      The server sends an authorization header. The client responds with a token. That token is validated, wrapped, and sent back to the client. The client returns a final token which can be used to get identifying user attributes.

                      That's why I felt that I needed to take the seemingly strange approach that I took. I'm always interested in hearing about ways to improve what I've done, so please don't stop using a critical eye on this stuff.

                      Thanks!

                      • 9. Re: Negotiate with Kerberos
                        Scott Stark Master

                        The authentication layer does need to support a challenge response handshake of messages. As Anil will tell you I want to be able to use SRP in the web tier and it also requires a handshake. This is not really much different than basic auth sending a 401 challenge to force an authorization header.

                        • 10. Re: Negotiate with Kerberos
                          Anil Saldanha Master

                          JSR-196 has support for challenge-response handshake. There is a public draft feedback phase going on now.

                          • 11. Re: Negotiate with Kerberos
                            Johnson Chong Newbie


                            I am a beginner in using JBOSS AS. I have a similar single sign-on requirement with the following configuration.

                            J2EE: Apache + mod_jk (Windows 2003) + JBOSS AS 4.0.4 (Windows 2003) without joining domain

                            Active Directory for authentication

                            After the users login to the domain, our web application can authenticate them silently. Is the following solution the right way to go?

                            http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos


                            Johnson

                            • 12. Re: Negotiate with Kerberos
                              Chris DeLashmutt Newbie

                              The silent authentication part is what that plug in is addressing. There are some changes that need to be made to the code as it currently is relying on some classes in the tomcat jars, and I also need to write up some instructions for including other login modules for getting groups.

                              If you didn't need silent authentication, then you could use the straight LDAP login modules to authenticate with Active Directory.

                              • 13. Re: Negotiate with Kerberos
                                ramesh s Newbie

                                Please help me........


                                I have a windows network (samba domain controller which intern uses the flat file system for datastore), I wanted my j2ee web application to authenticate using NegotiateKerberos. so i followed http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to setup your test application but it is not working. when i request for the index.html, i get [org.jboss.web.tomcat.security.HttpServletRequestResponseValve] Realm returned: null in the jboss server.log....



                                Following configurations i have done

                                Windows network domain name is LK
                                Samba domain controler ip 192.168.1.7


                                /conf/login-config.xml

                                <!-- SPNEGO test -->
                                <application-policy name = "SPNEGO">

                                <login-module code="org.jboss.security.auth.NegotiateLoginModule"
                                flag = "required">
                                <module-option name="loadBalance">false</module-option>
                                <module-option name="domainController">192.168.1.7</module-option>
                                <module-option name="defaultDomain">LK</module-option>
                                </login-module>

                                </application-policy>

                                /WEB-INF/web.xml

                                <login-config>
                                <auth-method>Negotiate</auth-method>
                                <realm-name>SPNEGO</realm-name>
                                </login-config>
                                <security-role>
                                <role-name>LK</role-name>
                                </security-role>


                                WEB-INF/jboss-web.xml


                                <jboss-web>
                                <security-domain>java:/jaas/SPNEGO</security-domain>
                                </jboss-web>


                                Thanks!


                                • 14. Re: Negotiate with Kerberos
                                  ramesh s Newbie

                                  I have a windows network (samba domain controller which intern uses the flat file system for datastore), I wanted my j2ee web application to authenticate using NegotiateKerberos. so i followed http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to setup the test application. But i suppose
                                  NTLM Handshake is not happening, So i think there is some problem in my configuration settings. Basically handle method inside "AdvancedWebCallbackHandler.java" is not getting called.
                                  When i start Jboss i see following logs which suggest CallbackHandler is configured properly but it is not getting called.

                                  DEBUG [ServiceConfigurator] CallbackHandlerClassName set to org.jboss.web.tomcat.security.AdvancedWebCallbackHandler in jboss.security:service=JaasSecurityManager


                                  Thanks
                                  Ramesh S
                                  Can someone please suggest what may be the problem? I am pasting all the configuration settings below.

                                  My configuration setup as follows:

                                  Windows network domain name is LK
                                  Samba domain controller ip 192.168.1.7



                                  /conf/jboss-service.xml

                                  <!-- JAAS security manager and realm mapping -->

                                  <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager"
                                  <attribute name="CallbackHandlerClassName" org.jboss.web.tomcat.security.AdvancedWebCallbackHandler
                                  <attribute name="SecurityManagerClassName" org.jboss.security.plugins.JaasSecurityManager
                                  <attribute name="DefaultUnauthenticatedPrincipal" anonymous
                                  <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
                                  in seconds.
                                  If you want to disable caching of security credentials, set this to 0 to
                                  force authentication to occur every time. This has no affect if the
                                  AuthenticationCacheJndiName has been changed from the default value.
                                  -->
                                  <attribute name="DefaultCacheTimeout" 1800
                                  <!-- DefaultCacheResolution: Specifies the default timed cache policy
                                  resolution in seconds. This controls the interval at which the cache
                                  current timestamp is updated and should be less than the DefaultCacheTimeout
                                  in order for the timeout to be meaningful. This has no affect if the
                                  AuthenticationCacheJndiName has been changed from the default value.
                                  -->
                                  <attribute name="DefaultCacheResolution" 60
                                  /mbean>


                                  /conf/login-config.xml

                                  <!-- SPNEGO test -->
                                  <application-policy name = "SPNEGO">

                                  <login-module code="org.jboss.security.auth.NegotiateLoginModule" flag = "required">
                                  <module-option name="loadBalance">false</module-option>
                                  <module-option name="domainController">192.168.1.7</module-option>
                                  <module-option name="defaultDomain">LK</module-option>
                                  </login-module>

                                  </application-policy>

                                  /WEB-INF/web.xml

                                  <login-config>
                                  <auth-method>Negotiate</auth-method>
                                  <realm-name>SPNEGO</realm-name>
                                  </login-config>
                                  <security-role>
                                  <role-name>LK</role-name>
                                  </security-role>


                                  WEB-INF/jboss-web.xml


                                  <jboss-web>
                                  <security-domain>java:/jaas/SPNEGO</security-domain>
                                  </jboss-web>

                                  WEB-INF/context.xml

                                  <Context
                                  <Valve className="org.jboss.web.tomcat.security.HttpServletRequestResponseValve"
                                  /Context>


                                  1 2 Previous Next