[jboss-dev-forums] [Design of Security on JBoss] - Re: Negotiate with Kerberos

ramesh4u do-not-reply at jboss.com
Thu Nov 2 06:25:45 EST 2006


I have a Windows network (a Samba domain controller which in turn uses the flat file system for its datastore). I wanted my J2EE web application to authenticate using NegotiateKerberos, so I followed the http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos link to set up the test application. But I suppose the NTLM handshake is not happening, so I think there is some problem in my configuration settings. Basically, the handle method inside "AdvancedWebCallbackHandler.java" is not getting called.
When I start JBoss I see the following logs, which suggest the CallbackHandler is configured properly, but it is not getting called.

 DEBUG [ServiceConfigurator] CallbackHandlerClassName set to org.jboss.web.tomcat.security.AdvancedWebCallbackHandler in jboss.security:service=JaasSecurityManager


Thanks
Ramesh S
Can someone please suggest what may be the problem? I am pasting all the configuration settings below.

My configuration setup as follows:

Windows network domain name is LK
Samba domain controller ip 192.168.1.7



/conf/jboss-service.xml

   <!-- JAAS security manager and realm mapping -->
   <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
      name="jboss.security:service=JaasSecurityManager">
      <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
      <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
      <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
      <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
      in seconds.
      If you want to disable caching of security credentials, set this to 0 to
      force authentication to occur every time. This has no effect if the
      AuthenticationCacheJndiName has been changed from the default value.
      -->
      <attribute name="DefaultCacheTimeout">1800</attribute>
      <!-- DefaultCacheResolution: Specifies the default timed cache policy
      resolution in seconds. This controls the interval at which the cache
      current timestamp is updated and should be less than the DefaultCacheTimeout
      in order for the timeout to be meaningful. This has no effect if the
      AuthenticationCacheJndiName has been changed from the default value.
      -->
      <attribute name="DefaultCacheResolution">60</attribute>
   </mbean>


/conf/login-config.xml

<!-- SPNEGO test -->
        <application-policy name = "SPNEGO">
          
            <login-module code="org.jboss.security.auth.NegotiateLoginModule" flag = "required">
              <module-option name="loadBalance">false</module-option>
              <module-option name="domainController">192.168.1.7</module-option>
              <module-option name="defaultDomain">LK</module-option>
            </login-module>
           
        </application-policy>

/WEB-INF/web.xml

      <login-config>
         <auth-method>Negotiate</auth-method>
         <realm-name>SPNEGO</realm-name>
      </login-config>
      <security-role>
         <role-name>LK</role-name>
      </security-role>


WEB-INF/jboss-web.xml


<jboss-web>
  <security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>

WEB-INF/context.xml

<Context>
        <Valve className="org.jboss.web.tomcat.security.HttpServletRequestResponseValve"/>
</Context>




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982624#3982624
