GateIn SPNEGO integration using JBoss Negotiation

    This wiki page is outdated and deprecated. See the SPNEGO documentation in the GateIn reference guide for the latest instructions.

    GateIn uses JBoss Negotiation to enable SPNEGO-based desktop SSO for the Portal. Here are the steps to integrate SPNEGO with GateIn.

    Step 1: Activate the Host authentication

    Under conf/login-config.xml, add the following host login module:

    <!-- SPNEGO domain -->
    <application-policy name="host">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
          <module-option name="keyTab">/home/soshah/krb5keytabs/jboss.keytab</module-option>
          <module-option name="doNotPrompt">true</module-option>
          <module-option name="debug">true</module-option>
        </login-module>
      </authentication>
    </application-policy>

    The 'keyTab' value should point to the keytab file generated by the kadmin Kerberos tool. See the Setting up your Kerberos Development Environment guide for more details.

    Step 2: Extend the core authentication mechanisms to support SPNEGO

    Under deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml, add the 'SPNEGO' entry to the authenticators property:

    <property name="authenticators">
      <map keyClass="java.lang.String" valueClass="java.lang.String">
        <entry>
          <key>BASIC</key>
          <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
        </entry>
        <entry>
          <key>CLIENT-CERT</key>
          <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
        </entry>
        <entry>
          <key>DIGEST</key>
          <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
        </entry>
        <entry>
          <key>FORM</key>
          <value>org.apache.catalina.authenticator.FormAuthenticator</value>
        </entry>
        <entry>
          <key>NONE</key>
          <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
        </entry>

        <!-- Add this entry -->
        <entry>
          <key>SPNEGO</key>
          <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
        </entry>
      </map>
    </property>

    Step 3: Add the JBoss Negotiation binary

    Copy jboss-negotiation-2.0.3.GA.jar to lib.

    Step 4: Add the GateIn SSO module binaries

    Add sso-agent.jar and sso-spnego.jar to deploy/gatein.ear/lib.

    Step 5: Activate SPNEGO LoginModule for GateIn

    Modify deploy/gatein.ear/META-INF/gatein-jboss-beans.xml so that it looks like this:

    <deployment xmlns="urn:jboss:bean-deployer:2.0">

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
        <!--
        <authentication>
          <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
          <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
          <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
        </authentication>
        -->

        <!-- Uncomment this part (and comment out the other part) for CAS integration -->
        <!--
        <authentication>
          <login-module code="org.gatein.sso.agent.login.SSOLoginModule" flag="required">
          </login-module>
          <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
        </authentication>
        -->

        <!-- Uncomment this for Kerberos-based SSO integration -->
        <authentication>
          <login-module code="org.gatein.sso.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
          </login-module>
          <login-module code="org.gatein.sso.agent.login.SPNEGORolesModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
        </authentication>
      </application-policy>

    </deployment>

    Step 6: Integrate SPNEGO support into the Portal web archive

    Switch the GateIn authentication mechanism from the default FORM-based authentication to SPNEGO-based authentication as follows:

    Modify gatein.ear/02portal.war/WEB-INF/web.xml:

    <!--
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>gatein-domain</realm-name>
      <form-login-config>
        <form-login-page>/initiatelogin</form-login-page>
        <form-error-page>/errorlogin</form-error-page>
      </form-login-config>
    </login-config>
    -->
    <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>SPNEGO</realm-name>
    </login-config>

    Integrate the request pre-processing that SPNEGO needs via servlet filters. Add the following filters to web.xml at the top of the filter chain:

    <filter>
      <filter-name>LoginRedirectFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
      <init-param>
        <!-- This should point to your SSO authentication server -->
        <param-name>LOGIN_URL</param-name>
        <param-value>/portal/private/classic</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>SPNEGOFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>LoginRedirectFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SPNEGOFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    Step 7: Modify the Portal's 'Sign In' link to perform SPNEGO authentication

    Modify the 'Sign In' link in gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl as follows:

    <!--
    <a onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
    -->
    <a href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>

    Step 8: Start the GateIn Portal

    sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c spnego -b server.local.network

    Step 9: Login to Kerberos

    kinit -A demo

    You should now be able to click the 'Sign In' link on the GateIn Portal, and the portal's 'demo' user should be logged in automatically.
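    The configuration assembled in Steps 1 and 6 can be sanity-checked before the server is started. The script below is an added example, not part of this wiki page or of the GateIn project: it embeds constructed copies of the Step 1 'host' policy and the Step 6 web.xml fragments and checks the properties the SPNEGO flow depends on (an unattended keytab login as the HTTP/<host> service principal, the SPNEGO auth-method, and the two SSO filters first in the filter chain). The check names and finding messages are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Step 1 'host' policy (not a real login-config.xml).
LOGIN_CONFIG = """<policy><application-policy name="host"><authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storeKey">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
<module-option name="keyTab">/home/soshah/krb5keytabs/jboss.keytab</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="debug">true</module-option>
</login-module></authentication></application-policy></policy>"""

# Constructed sample mirroring the Step 6 web.xml fragments (filters first, then login-config).
WEB_XML = """<web-app>
<filter><filter-name>LoginRedirectFilter</filter-name><filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class></filter>
<filter><filter-name>SPNEGOFilter</filter-name><filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class></filter>
<filter-mapping><filter-name>LoginRedirectFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>SPNEGOFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<login-config><auth-method>SPNEGO</auth-method><realm-name>SPNEGO</realm-name></login-config>
</web-app>"""

def check_host_policy(xml_text):
    """Return findings for the 'host' Kerberos policy; an empty list means it looks right."""
    findings = []
    lm = ET.fromstring(xml_text).find("./application-policy[@name='host']//login-module"
                                      "[@code='com.sun.security.auth.module.Krb5LoginModule']")
    if lm is None:
        return ["no 'host' policy using Krb5LoginModule"]
    opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
    for name in ("storeKey", "useKeyTab", "doNotPrompt"):  # unattended keytab login needs all three
        if opts.get(name) != "true":
            findings.append(f"{name} must be true")
    if not opts.get("principal", "").startswith("HTTP/"):  # browsers request a ticket for HTTP/<host>
        findings.append("principal must be the HTTP/<host>@<REALM> service principal")
    if opts.get("debug") == "true":  # verbose Kerberos logging, development only
        findings.append("debug is true; disable outside development")
    return findings

def check_web_xml(xml_text):
    """Return findings for the portal web.xml: SPNEGO auth-method and SSO filters first."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.findtext("./login-config/auth-method") != "SPNEGO":
        findings.append("auth-method is not SPNEGO")
    order = [m.findtext("filter-name") for m in root.findall("filter-mapping")]
    if order[:2] != ["LoginRedirectFilter", "SPNEGOFilter"]:
        findings.append("LoginRedirectFilter and SPNEGOFilter must be first in the filter chain")
    return findings
```

Run against the page's own values, the only finding is the debug option that Step 1 leaves switched on.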