JBoss Negotiation in AS7 – Get Kerberos authentication working
Josef Cacek, Senior QE Engineer, Red Hat
DevConf 2013
JBoss Negotiation
Negotiation (SPNEGO) support for JBoss AS
● protocols
  ● Kerberos
  ● NTLM
● components
  ● authenticator – a JBoss Web valve
  ● JAAS Login modules
  ● toolkit to check the configuration
Quickstart
https://github.com/kwart/spnego-demo
https://github.com/kwart/kerberos-using-apacheds
standalone.xml – security domains (1)
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/[email protected]"/>
    </login-module>
  </authentication>
</security-domain>
standalone.xml – security domains (2)
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="[email protected]" value="Admin"/>
      <module-option name="[email protected]" value="User"/>
    </mapping-module>
  </mapping>
</security-domain>
standalone.xml – Kerberos related system properties
<system-properties>
  <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>
WEB-INF/web.xml
define your security constraints and roles
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Admin</role-name>
</security-role>
WEB-INF/jboss-web.xml
security domain, custom authenticator
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>
META-INF/jboss-deployment-structure.xml
define module dependencies
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
krb5.conf
configure the realm
[libdefaults]
default_realm = MY-COMPANY.CZ

[realms]
MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz:688
}

[domain_realm]
.my-company.cz = MY-COMPANY.CZ
Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf:
$ export KRB5_CONFIG=/path/to/krb5.conf
Browser configuration – allow negotiation for the domain
Firefox – use about:config in the address bar
network.negotiate-auth.delegation-uris = .my-company.cz
network.negotiate-auth.trusted-uris = .my-company.cz
Chromium
$ chromium-browser \
    --auth-server-whitelist=.my-company.cz \
    --auth-negotiate-delegate-whitelist=.my-company.cz
Pitfalls – principal names
The Service Principal Name (SPN) must follow the rule:
<service type>/<hostname>@<realm>
For the request
http://my-server.my-company.cz/
use the SPN:
HTTP/my-server.my-company.cz@MY-COMPANY.CZ
Mixing IPs and hostnames usually doesn't work:
HTTP/[email protected]
http://127.0.0.1/
Pitfalls – IPv6
HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG
LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
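As an added example (not from the slides or the spnego-demo project), a small Python check for the two pitfalls above: it derives the SPN a client will request from a URL, following the <service type>/<hostname>@<realm> rule and the differing IPv6 bracket handling shown for HTTP and LDAP, flags IP literals, and compares the result with the principal configured in the host security domain. The https/ldaps scheme entries and the sample principal value are assumptions of this example.

```python
from urllib.parse import urlsplit
import ipaddress
import xml.etree.ElementTree as ET

# Service-type spelling per URL scheme as on the slides (HTTP upper-case,
# ldap lower-case); the https/ldaps entries are an assumption of this example.
SERVICE_TYPES = {"http": "HTTP", "https": "HTTP", "ldap": "ldap", "ldaps": "ldap"}
def expected_spn(url, realm):
    """Return (spn, warnings): the SPN a client derives from the request URL.
    HTTP keeps the IPv6 brackets (HTTP/[::1]@REALM), LDAP drops them
    (ldap/::1@REALM), matching the two IPv6 examples on the slides."""
    parts = urlsplit(url)
    service = SERVICE_TYPES[parts.scheme.lower()]
    host = parts.hostname              # brackets stripped, lower-cased
    try:                               # IP literal or real hostname?
        is_ip, is_v6 = True, ipaddress.ip_address(host).version == 6
    except ValueError:
        is_ip, is_v6 = False, False
    if is_v6 and service == "HTTP":
        host = f"[{host}]"
    spn = f"{service}/{host}@{realm}"
    warnings = []
    if is_ip:                          # the "mixing IPs and hostnames" pitfall
        warnings.append(f"{url}: IP literal in the URL, so the client asks for "
                        f"{spn}; a hostname-based keytab entry will not match")
    return spn, warnings

def keytab_principal(security_domain_xml):
    """Read the 'principal' module-option of the Kerberos login module."""
    root = ET.fromstring(security_domain_xml)
    for opt in root.iter("module-option"):
        if opt.get("name") == "principal":
            return opt.get("value")
    raise ValueError("no principal module-option in security domain")

def spn_matches_config(url, realm, security_domain_xml):
    """True when the SPN derived from the URL equals the configured principal."""
    return expected_spn(url, realm)[0] == keytab_principal(security_domain_xml)

# Constructed sample of the 'host' security domain; the principal value is an
# assumption (the slide's own value did not survive extraction).
HOST_DOMAIN_XML = """<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="HTTP/my-server.my-company.cz@MY-COMPANY.CZ"/>
    </login-module>
  </authentication>
</security-domain>"""
```

Run spn_matches_config against your own standalone.xml fragment and each URL users actually type (hostname, IPv4, IPv6) to catch a keytab principal that cannot match before the browser shows the 401 loop.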
Pitfalls – IBM Java
host's login module
<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">
● module options are not the same!
krb5.conf – check the [libdefaults] section
● encryption support
  ● default_tgs_enctypes
  ● default_tkt_enctypes
  ● allow_weak_crypto
● forwardable ticket when a client uses Krb5LoginModule
  ● forwardable = true