Darran Lofthouse [http://community.jboss.org/people/dlofthouse] modified the document:
"[DRAFT] Using JBoss Negotiation on AS7"
To view the document, visit: http://community.jboss.org/docs/DOC-16876
--------------------------------------------------------------
Once AS7-770 (https://issues.jboss.org/browse/AS7-770) is resolved it will be possible to
start using JBoss Negotiation with web applications deployed to JBoss AS7.
JBoss Negotiation itself is unchanged, so the majority of the configuration is the same as
on previous JBoss AS releases; this article just highlights the differences.
h2. Security Domains
As before, two security domains are still required: one to represent the identity of the
server and one to secure the web application. In JBoss AS7 these are defined in the
domain model, e.g.
<security-domains>
    <!-- Identity of the server itself: the service principal and its keytab -->
    <security-domain name="host" cache-type="default">
        <authentication>
            <login-module code="Kerberos" flag="required">
                <module-option name="storeKey" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="principal" value="host/testserver@MY_REALM"/>
                <module-option name="keyTab" value="/home/username/service.keytab"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="debug" value="false"/>
            </login-module>
        </authentication>
    </security-domain>
    <!-- Domain used by the web application; references the server identity domain above -->
    <security-domain name="SPNEGO" cache-type="default">
        <authentication>
            <login-module code="SPNEGO" flag="requisite">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="serverSecurityDomain" value="host"/>
            </login-module>
            <!-- Login Module For Roles Search -->
        </authentication>
    </security-domain>
</security-domains>
Here the security domain options are exactly the same as in previous JBoss AS
releases; the only notable difference is that the 'code' attribute of each
login-module can now use a simple name instead of the fully qualified class name used
previously.
The following table shows the name mapping used when working with JBoss Negotiation:
|| *Simple Name* || *Class Name* ||
| Kerberos | com.sun.security.auth.module.Krb5LoginModule |
| SPNEGO | org.jboss.security.negotiation.spnego.SPNEGOLoginModule |
| AdvancedLdap | org.jboss.security.negotiation.AdvancedLdapLoginModule |
| AdvancedAdLdap | org.jboss.security.negotiation.AdvancedADLoginModule |
h2. System Properties
Instead of a separate deployment, the system properties (if required) can now also be set
in the domain model, e.g.
<system-properties>
    <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>
    <property name="java.security.krb5.realm" value="MY_REALM"/>
</system-properties>
h2. Web Application
Within JBoss AS7 it is not possible to override the authenticators as before; however, it
is possible to add the NegotiationAuthenticator as a valve in your jboss-web.xml
descriptor to achieve the same effect, e.g.
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 2.4//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/SPNEGO</security-domain>
    <!-- Replaces the authenticator selected by auth-method in web.xml -->
    <valve>
        <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    </valve>
</jboss-web>
Note - the valve still requires the security-constraint and login-config to be defined in
the web.xml, as these are still used to decide which resources are secured; however, the
chosen auth-method will be overridden by this authenticator.
Finally, the web application requires a dependency to be defined in META-INF/MANIFEST.MF so
that the JBoss Negotiation classes can be located:
Manifest-Version: 1.0
Build-Jdk: 1.6.0_24
Dependencies: org.jboss.security.negotiation
h2. JBoss Negotiation Toolkit
Attached to this article is a version of the JBoss Negotiation Toolkit for use with JBoss
AS7, which allows you, as before, to test the different aspects of SPNEGO before introducing
your own application.
Note - as the toolkit is intended for debugging, you will see some additional dependencies
defined if you look at its MANIFEST.MF. These are needed for the debugging features of the
toolkit and are not normally needed for your own web application.