[jboss-cvs] JBossAS SVN: r74509 - projects/security/security-negotiation/trunk/docs/userguide/src/docbkx/en/modules.
jboss-cvs-commits at lists.jboss.org
Thu Jun 12 20:02:29 EDT 2008
Author: darran.lofthouse at jboss.com
Date: 2008-06-12 20:02:28 -0400 (Thu, 12 Jun 2008)
New Revision: 74509
Modified:
projects/security/security-negotiation/trunk/docs/userguide/src/docbkx/en/modules/general_installation.xml
Log:
[SECURITY-154] Documentation.
Modified: projects/security/security-negotiation/trunk/docs/userguide/src/docbkx/en/modules/general_installation.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/src/docbkx/en/modules/general_installation.xml 2008-06-12 23:08:29 UTC (rev 74508)
+++ projects/security/security-negotiation/trunk/docs/userguide/src/docbkx/en/modules/general_installation.xml 2008-06-13 00:02:28 UTC (rev 74509)
@@ -48,19 +48,17 @@
<para>Within this descriptor you should see a set of authenticators, to
add SPNEGO you should add the following entry: -</para>
- <para><code> <java:property> </code></para>
-
- <para><code> <java:key>SPNEGO</java:key> </code></para>
-
- <para><code> <java:value></code></para>
-
- <para><code>
- org.jboss.security.negotiation.spnego.SPNEGOAuthenticator</code></para>
-
- <para><code> </java:value> </code></para>
-
- <para><code> </java:property></code></para>
-
+ <programlisting>
+ <![CDATA[
+<java:property>
+ <java:key>SPNEGO</java:key>
+ <java:value>
+ org.jboss.security.negotiation.spnego.SPNEGOAuthenticator
+ </java:value>
+</java:property>
+ ]]>
+ </programlisting>
+
<para>The key can be any value you choose, however using SPNEGO is
recommended to be consistent with the rest of this document.</para>
</section>
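Review bot: in the new programlisting, the class name inside <java:value> now sits on its own indented line, so a reader who copies the listing verbatim gets a value with a newline and spaces on either side of org.jboss.security.negotiation.spnego.SPNEGOAuthenticator, and nothing in this patch says the descriptor parser trims it. Suggest keeping the element on one line, <java:value>org.jboss.security.negotiation.spnego.SPNEGOAuthenticator</java:value>, and starting the CDATA immediately after <programlisting> so the rendered listing does not open with a blank line.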
@@ -147,6 +145,82 @@
and obtaining the keytab from the KDC but the general requirements to
configure the security domain in JBoss are the same.</para>
- <para></para>
+ <para>Below is an example host security domain: -</para>
+
+ <programlisting>
+ <![CDATA[
+<application-policy name="host">
+ <authentication>
+ <login-module code="com.sun.security.auth.module.Krb5LoginModule"
+ flag="required">
+ <module-option name="storeKey">true</module-option>
+ <module-option name="useKeyTab">true</module-option>
+ <module-option name="principal">host/testserver.gsslab.rdu.redhat.com at GSSLAB.RDU.REDHAT.COM</module-option>
+ <module-option name="keyTab">/home/darranl/src/security-negotiation/spnego-configuration/descriptors/testserver.keytab</module-option>
+ <module-option name="doNotPrompt">true</module-option>
+ <module-option name="debug">true</module-option>
+ </login-module>
+ </authentication>
+</application-policy>
+ ]]>
+ </programlisting>
+
+ <para>The selected name of the security domain is not important, later it will be
+ possible which security domain to use to authenticate the server.</para>
+
+ <para>The following options are required.</para>
+
+ <itemizedlist>
+ <listitem><para>storeKey - cache the key obtained locally</para></listitem>
+ <listitem><para>useKeyTab - Specify that the key will be loaded from a keyTab</para></listitem>
+ <listitem><para>principal - The full name of the principal to obtain from the keytab</para></listitem>
+ <listitem><para>keyTab - The full path to the keytab containing the servers key</para></listitem>
+ <listitem><para>doNotPrompt - As this is a server disable prompting for the servers password</para></listitem>
+ <listitem><para>debug - enable logging if additional debug information</para></listitem>
+ </itemizedlist>
+
</section>
+
+ <section>
+ <title>Application Security Domain</title>
+
+ <para>The application also requires it's own security domain to be defined with a login
+ module to work in connection with the SPNEGOAuthenticator and a second login module to load
+ the roles of the authenticated user.
+ </para>
+
+ <para>An example security domain is shown below.</para>
+
+ <programlisting>
+ <![CDATA[
+<application-policy name="SPNEGO">
+ <authentication>
+ <login-module
+ code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
+ flag="requisite">
+ <module-option name="password-stacking">useFirstPass</module-option>
+ <module-option name="serverSecurityDomain">host</module-option>
+ </login-module>
+ <login-module
+ code="org.jboss.security.auth.spi.UsersRolesLoginModule"
+ flag="required">
+ <module-option name="password-stacking">useFirstPass</module-option>
+ <module-option name="usersProperties">META-INF/spnego-users.properties</module-option>
+ <module-option name="rolesProperties">META-INF/spnego-roles.properties</module-option>
+ </login-module>
+ </authentication>
+</application-policy>
+ ]]>
+ </programlisting>
+
+ <para>The SPNEGOLoginModule requires the following two options.</para>
+
+ <itemizedlist>
+ <listitem><para>password-stacking - Setting this to useFirstPass allows a second module to load the roles.</para></listitem>
+ <listitem><para>serverSecurityDomain - The security domain of the application server as previously defined.</para></listitem>
+ </itemizedlist>
+ </section>
+
+
+
</chapter>
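Review bot: the itemizedlist under "The following options are required." includes debug, and the example host domain sets <module-option name="debug">true</module-option>; debug is a diagnostic switch rather than a requirement, so it should be moved out of the required list and described as optional, and the example should either drop it or say it is there for troubleshooting. The keyTab value in the same example is a path under a developer's home directory (/home/darranl/...); a neutral placeholder path would read better, and since the list states that the keytab contains the server's key, a sentence telling the reader to restrict read access on that file to the application server account belongs next to it. Wording in the added paragraphs: "later it will be possible which security domain to use" is missing a verb (for example "to specify"), "enable logging if additional debug information" should read "of", "servers key" and "servers password" need apostrophes, and "it's own security domain" should be "its".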