[jboss-jira] [JBoss JIRA] (SECURITY-671) Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory

Jochen Riedlinger (JIRA) jira-events at lists.jboss.org
Tue Jul 24 02:19:07 EDT 2012 

     [ https://issues.jboss.org/browse/SECURITY-671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jochen Riedlinger updated SECURITY-671:
---------------------------------------

    Attachment: LBankSPNEGOLoginModule.java
                Krb5TicketInitiator.java
                krb5.conf
                part_of_standalone.xml


here is the implementation and configuration.

In LBankSPNEGOLoginModule.java I only changed the method "usernamePasswordLogin()" and added the method "getUsernameAndPassword()". And I have two new member variables.
If "usernamePasswordLogin()" (and the member variables) would be protected instead of private, the changes could be seen easier.

Then you need this start parameters
-Djava.security.krb5.conf=%JBOSS_HOME%/modules/de/lbank/conf/main/properties/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false

In part_of_standalone.xml, you can see the three security domains used

                
> Negotiation/SPNEGO: Fallback to authenticate Form/Basic with ActiveDirectory
> ----------------------------------------------------------------------------
>
>                 Key: SECURITY-671
>                 URL: https://issues.jboss.org/browse/SECURITY-671
>             Project: PicketBox (JBoss Security and Identity Management)
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>         Environment: EAP 6.0.0 / JBossAS 7.1.2
>            Reporter: Jochen Riedlinger
>            Assignee: Darran Lofthouse
>         Attachments: krb5.conf, Krb5TicketInitiator.java, LBankSPNEGOLoginModule.java, part_of_standalone.xml
>
>
> Since Version 4 of JBossAS we had our own implementations of a SPNEGOAuthenticator and SPNEGOLoginModule. While trying to migrate to EAP 6 I wanted to switch to your imlementation, because it is officially supported.
> Unfortunately I find that your implementation is not yet finished because it lacks in a fallback solution that is able to validate username/password from BASIC/FORM authentication with ActiveDirectory.
> Since I had this feature in my old implementation I want to offer to contribute it here to the Negotiation component of the project (unfortunately there is no JIRA component for Negotiation).
> I think this would be valuable for anybody using SPNEGO.
> My implementation would even word for remote-ejb-calls (with plain username password sent OR when sending a kerberos ticket in the password field)
> If you are interested I'll upload my code and configuration instructions (RedHat employees can already see it in Support Case 00640390).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list