JBoss Community

[DRAFT] Using JBoss Negotiation on AS7

modified by Darran Lofthouse in JBoss AS7 Development

Once AS7-770 is resolved it will be possible to start using JBoss Negotiation with web applications deployed to JBoss AS7.

 

JBoss Negotiation itself is unchanged, so the majority of the configuration is the same as on previous JBoss AS releases; this article just highlights the differences.

 

Security Domains

As before, two security domains are required: one to represent the identity of the server and one to secure the web application. In JBoss AS7 these are defined in the domain model, e.g.

 

  <security-domains>
    <security-domain name="host" cache-type="default">
      <authentication>
        <login-module code="Kerberos" flag="required">
          <module-option name="storeKey" value="true"/>
          <module-option name="useKeyTab" value="true"/>
          <module-option name="principal" value="host/testserver@MY_REALM"/>
          <module-option name="keyTab" value="/home/username/service.keytab"/>
          <module-option name="doNotPrompt" value="true"/>
          <module-option name="debug" value="false"/>
        </login-module>
      </authentication>
    </security-domain>

    <security-domain name="SPNEGO" cache-type="default">
      <authentication>
        <login-module code="SPNEGO" flag="requisite">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="serverSecurityDomain" value="host"/>
        </login-module>

        <!-- Login Module For Roles Search -->
      </authentication>
    </security-domain>
  </security-domains>

Here the security domain options are exactly the same as in previous JBoss AS releases; the only notable difference is that the code attribute of each login-module can now use a simple name instead of the fully qualified class name used previously.

 

The following table shows the name mapping used when working with JBoss Negotiation:

Simple Name      Class Name
Kerberos         com.sun.security.auth.module.Krb5LoginModule
SPNEGO           org.jboss.security.negotiation.spnego.SPNEGOLoginModule
AdvancedLdap     org.jboss.security.negotiation.AdvancedLdapLoginModule
AdvancedAdLdap   org.jboss.security.negotiation.AdvancedADLoginModule
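The two domains above only work together if the SPNEGO domain's serverSecurityDomain resolves to a domain that actually holds the Kerberos server identity, and if that Kerberos module carries the options needed for an unattended keytab login. The following script, an added example that is not part of this article or of JBoss Negotiation, parses a <security-domains> fragment and reports those wiring problems; both spellings from the table above (simple name and class name) are accepted, and the embedded fragment is constructed, with a deliberate typo in serverSecurityDomain so the check has something to find.

```python
import xml.etree.ElementTree as ET

# Both spellings the article allows for each module: the AS7 simple name and the class name.
KERBEROS = {"Kerberos", "com.sun.security.auth.module.Krb5LoginModule"}
SPNEGO = {"SPNEGO", "org.jboss.security.negotiation.spnego.SPNEGOLoginModule"}
# Options the server-identity Kerberos login needs to run unattended from a keytab.
KERBEROS_REQUIRED = {"storeKey", "useKeyTab", "principal", "keyTab", "doNotPrompt"}

def options(login_module):
    return {o.get("name"): o.get("value") for o in login_module.findall("module-option")}

def has_kerberos(domain):
    return any(lm.get("code") in KERBEROS for lm in domain.iter("login-module"))

def check_negotiation(xml_text):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    domains = {d.get("name"): d for d in ET.fromstring(xml_text).iter("security-domain")}
    for name, domain in domains.items():
        for lm in domain.iter("login-module"):
            code, opts = lm.get("code"), options(lm)
            if code in KERBEROS:
                missing = sorted(KERBEROS_REQUIRED - set(opts))
                if missing:
                    findings.append(f"{name}: Kerberos module missing {missing}")
            if code in SPNEGO:
                target = opts.get("serverSecurityDomain")
                if target not in domains:
                    findings.append(f"{name}: serverSecurityDomain {target!r} is not defined")
                elif not has_kerberos(domains[target]):
                    findings.append(f"{name}: serverSecurityDomain {target!r} has no Kerberos module")
    return findings

# Constructed fragment (not from a real server): the SPNEGO domain points at a misspelled domain.
SAMPLE = """<security-domains><security-domain name="host" cache-type="default"><authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="host/testserver@MY_REALM"/>
      <module-option name="keyTab" value="/home/username/service.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="SPNEGO" cache-type="default"><authentication>
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="hosts"/>
    </login-module>
  </authentication></security-domain>
</security-domains>"""
```

Running check_negotiation(SAMPLE) reports the unresolved "hosts" reference; correcting it to "host" yields an empty list.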

 

System Properties

Instead of a separate deployment, the system properties (if required) can now also be set in the domain model.

 

e.g.

 

    <system-properties>
      <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>
      <property name="java.security.krb5.realm" value="MY_REALM"/>
    </system-properties>

 

Web Application

Within JBoss AS7 it is not possible to override the authenticators as before; however, the same effect can be achieved by adding the NegotiationAuthenticator as a valve in your jboss-web.xml descriptor.

 

e.g.

 

  <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
  <jboss-web>
    <security-domain>java:/jaas/SPNEGO</security-domain>
    <valve>
      <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    </valve>
  </jboss-web>

 

Note - the valve still requires the security-constraint and login-config to be defined in web.xml, as these still decide which resources are secured; however, the chosen auth-method will be overridden by this authenticator.

 

Finally, the web application requires a dependency to be defined in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located.

 

Manifest-Version: 1.0
Build-Jdk: 1.6.0_24
Dependencies: org.jboss.security.negotiation

 

JBoss Negotiation Toolkit

Attached to this article is a version of the JBoss Negotiation Toolkit for use with JBoss AS7 which, as before, lets you test the different aspects of SPNEGO before introducing your own application.

 

Note - as the toolkit is intended for debugging, you will see some additional dependencies defined in its MANIFEST.MF; these are needed for the debugging features of the toolkit and are not normally needed for your own web application.
