[jboss-user] [Beginner's Corner] - SSO with Kerberos in JBoss-6.0.0.Final
Pasqualino Imbemba
do-not-reply at jboss.com
Wed Sep 12 03:49:14 EDT 2012
Pasqualino Imbemba [https://community.jboss.org/people/pi4630] created the discussion
"SSO with Kerberos in JBoss-6.0.0.Final"
To view the discussion, visit: https://community.jboss.org/message/759142#759142
--------------------------------------------------------------
Hi,
I'm trying to enable kerberos SSO on my JBoss-6.0.0.-Final.
To this purpose, I have created the following:
1. a simple webapplication in jsf
2. linux server has a keytab file and is part of ms active directory
3. added an application policy (see below, named "SPNEGO") that uses Kerberos Module
4. the jsf contains a jboss specific deplyoment descriptor that refers to the security domain defined at 3.
5. in the jsf's web.xml, I've set the auth-method and the realm-name
I stil can access the JSF from a PC without kerberos ticket.
Where am I doing wrong?
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>Tic Tac Toe</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<!-- Added by @pb26683 -->
<login-config>
<auth-method>CLIENT_CERT</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
</web-app>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC -//JBoss//DTD Web Application 5.0//EN http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd>
<jboss-web>
<security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>
login-conf.xml
<application-policy name="spnego-server">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storeKey">true</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="debug">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="keyTab">/etc/develux.keytab</module-option>
<module-option name="principal">HTTP/develux.prov.bz</module-option>
</login-module>
</authentication>
</application-policy>
<application-policy name="SPNEGO">
<!--SPNEGO is short for Simple and Protected GSSAPI Negotiation Mechansim. See http://en.wikipedia.org/wiki/SPNEGO or details.-->
<authentication>
<login-module
code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
flag="requisite">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="serverSecurityDomain">spnego-server</module-option>
</login-module>
<login-module
code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="usersProperties">props/spnego-users.properties</module-option>
<module-option name="rolesProperties">props/spnego-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
I'm thankful for any hint!
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/759142#759142]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2075]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20120912/658411c3/attachment.html
More information about the jboss-user
mailing list