[jboss-user] [Security & JAAS/JBoss] - Problems following NegotiateKerberos documentation.
kc7bfi
do-not-reply at jboss.com
Tue Aug 8 15:44:35 EDT 2006
I have been trying to follow the NegotiateKerberos (http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos) documentation but I'm having some trouble. First, the document references a security-service.xml in the deploy directory. I do not have one, so I created one as follows:
| <?xml version="1.0" encoding="UTF-8"?>
|
| <server>
|
| <!-- JAAS security manager and realm mapping -->
| <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
| name="jboss.security:service=JaasSecurityManager">
| <!-- A flag which indicates whether the SecurityAssociation server mode
| is set on service creation. This is true by default since the
| SecurityAssociation should be thread local for multi-threaded server
| operation.
| -->
| <attribute name="ServerMode">true</attribute>
| <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
| <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
| <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
| in seconds.
| If you want to disable caching of security credentials, set this to 0 to
| force authentication to occur every time. This has no effect if the
| AuthenticationCacheJndiName has been changed from the default value.
| -->
| <attribute name="DefaultCacheTimeout">1800</attribute>
| <!-- DefaultCacheResolution: Specifies the default timed cache policy
| resolution in seconds. This controls the interval at which the cache
| current timestamp is updated and should be less than the DefaultCacheTimeout
| in order for the timeout to be meaningful. This has no effect if the
| AuthenticationCacheJndiName has been changed from the default value.
| -->
| <attribute name="DefaultCacheResolution">60</attribute>
| <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
| </mbean>
|
| </server>
|
I also had to set the login auth-method in my web.xml to BASIC; Negotiate was not recognised.
| <login-config>
| <auth-method>BASIC</auth-method>
| <realm-name>Domain Login</realm-name>
| </login-config>
|
When I try to log in from a client, the login fails but I get no errors in the logs. I can see Security logs on my server and PDC that reference a Kerberos login, but that's as far as I get.
Has anyone successfully gotten Kerberos login to work from the NegotiateKerberos documentation? Is there something I'm missing?
I'm using JBoss 4.0.4.GA and Windows 2003/XP.
Thanks, David
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963895#3963895