JBossNegotiation

    JBoss Negotiation

     

     

     

    The JBoss Negotiation project provides a Tomcat authenticator and JAAS login module to add SPNEGO support to JBoss.

     

    This project is a component of the JBoss Security and Identity Management Project.

     

    GA release: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=149589

    (Includes code and user guide).

     

    Download

     

    PicketBox Downloads.

     

     

    Support

     

    For assistance using the authenticator please use the Security & JAAS/JBoss user forum.

     

    For development discussions please use the Design of Security on JBoss forum.

     

    Bugs and Features

     

    Bugs and feature requests can be raised within the SECURITY project in Jira, please set the component to 'Negotiation'.

     

    Source

     

    The source for the authenticator and the documentation is held within subversion at the following locations: -

     

     

    Additional Documentation

     

    If you have any additional information you feel should be included in the documentation please feel free to add it here so it can be included in a subsequent release.

     

    The following article contains the steps required on an all Windows domain: -

      http://www.jboss.org/community/wiki/ConfiguringJBossNegotiationinanallWindowsDomain

     

     

    Diagram

    SPNEGO.png

    Typical use case described in the diagram.

    • Users logs into his desktop (Such as a Windows machine). The desktop login is governed by Active Directory domain.
    • User then uses his browser (IE/Firefox) to access a web application (that uses JBoss Negotiation) hosted on JBoss AS or JBoss EAP.
    • The Browser transfers the desktop sign on information to the web application.
    • JBoss EAP/AS uses background GSS messages with the Active Directory (or any Kerberos Server) to validate the user.
    • The User has seamless SSO into the web application.

     

    Integration Material for other Projects/Products at JBoss:

    GateIn Integration with JBoss Negotiation

    Note:  If you want UNIX integration, then please look in the GateIn link above. (<= LINUX/UNIX)

     

    Old SPNEGO/Kerberos Documentation

     

    The old page discussing SPNEGO authentication can still be found at NegotiateKerberos.

     

    Troubleshooting

    * "[SPNEGOLoginModule] Unsupported negotiation mechanism 'NTLM'."

    Basically the browser is falling back to deprecated NTLM mechanism and not the recommended SPNEGO mechanism.

     

    References

     

    JBossAS7/WildFly/EAP6 Kerberos : Look for NegotiationAuthenticatorValve https://community.jboss.org/wiki/AS7EAP6CustomAuthenticatorValves-WritingAndConfiguring