Devconf2013JBoss Negotiation in AS7 Lt Kerberos As7 130927030237 Phpapp01

Date post: 19-Dec-2015

JBoss Negotiation in AS7
Get Kerberos authentication working

Josef Cacek
Senior QE Engineer, Red Hat
DevConf 2013

Agenda

● Technologies introduction
● Quickstart
● Configuration
● Troubleshooting

Introduction: Kerberos

ticket-based network authentication protocol

JBoss Negotiation

● Negotiation (SPNEGO) support for JBoss AS
● protocols
  ● Kerberos
  ● NTLM
● components
  ● authenticator – a JBoss Web valve
  ● JAAS Login modules
  ● toolkit to check the configuration

Quickstart

https://github.com/kwart/spnego-demo

https://github.com/kwart/kerberos-using-apacheds

JBoss AS configuration

$JBOSS_HOME/standalone/configuration/standalone.xml

standalone.xml – security domains (1)

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/[email protected]"/>
    </login-module>
  </authentication>
</security-domain>

standalone.xml – security domains (2)

<security-domain name="SPNEGO" cache-type="default">

  <authentication>
    <login-module code="SPNEGO" flag="required">
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>

  <mapping>
    <mapping-module code="SimpleRoles" type="role">
      <module-option name="[email protected]" value="Admin"/>
      <module-option name="[email protected]" value="User"/>
    </mapping-module>
  </mapping>

</security-domain>

standalone.xml – Kerberos related system properties

<system-properties>
  <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>

Web application configuration

WAR – Web archive

WEB-INF/web.xml

define your security constraints and roles

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Data</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>Admin</role-name>
</security-role>

WEB-INF/jboss-web.xml

define the security domain and the custom authenticator

<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>

META-INF/jboss-deployment-structure.xml

define module dependencies

<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
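The four files above only work together when their cross-references line up: the SPNEGO domain must point at an existing Kerberos domain, the web application must name a defined security domain and the Negotiation valve, and every role a security-constraint demands must be declared in web.xml and actually granted by the SimpleRoles mapping (a role nobody is mapped to locks the resource for everyone). The checker below is an added example written for this page, not part of JBoss Negotiation or its toolkit. The XML fragments are constructed samples that mirror the slides with namespaces stripped (real standalone.xml elements carry an xmlns, so a production check would have to handle that); the principal value follows the SPN rule from the pitfalls slide, the user principals are made up, and the function names are hypothetical. One defect is planted deliberately: web.xml protects /reports/* with a role "Manager" that nothing declares or grants.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample fragments (not the real deployment files), namespaces stripped.
STANDALONE_XML = """<security-domains>
  <security-domain name="host" cache-type="default"><authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/><module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/><module-option name="keyTab" value="/path/to/http.keytab"/>
      <module-option name="principal" value="HTTP/my-server.my-company.cz@MY-COMPANY.CZ"/>
    </login-module></authentication></security-domain>
  <security-domain name="SPNEGO" cache-type="default"><authentication>
    <login-module code="SPNEGO" flag="required"><module-option name="serverSecurityDomain" value="host"/></login-module>
  </authentication><mapping><mapping-module code="SimpleRoles" type="role">
    <module-option name="alice@MY-COMPANY.CZ" value="Admin"/><module-option name="bob@MY-COMPANY.CZ" value="User"/>
  </mapping-module></mapping></security-domain>
</security-domains>"""
# Deliberate defect: /reports/* requires "Manager", which is neither declared nor granted.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin Data</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Reports</web-resource-name><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve><class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name></valve>
</jboss-web>"""

NEGOTIATION_VALVE = "org.jboss.security.negotiation.NegotiationAuthenticator"
SPN_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # <service type>/<hostname>@<realm>


def module_options(login_module):
    return {o.get("name"): o.get("value") for o in login_module.findall("module-option")}


def check_config(standalone_xml, web_xml, jboss_web_xml):
    """Cross-check the three fragments; returns a sorted list of findings (empty = consistent)."""
    findings = []
    domains = {d.get("name"): d for d in ET.fromstring(standalone_xml).findall("security-domain")}
    granted_roles = set()
    for name, dom in domains.items():
        for lm in dom.findall("./authentication/login-module"):
            code, opts = lm.get("code", ""), module_options(lm)
            if code == "SPNEGO":
                target = opts.get("serverSecurityDomain")
                if target not in domains:
                    findings.append(f"{name}: serverSecurityDomain '{target}' is not a defined security domain")
            elif code == "Kerberos" or code.endswith("Krb5LoginModule"):
                # The server side must read its key from the keytab without prompting and keep it.
                for opt in ("useKeyTab", "storeKey", "doNotPrompt"):
                    if opts.get(opt) != "true":
                        findings.append(f"{name}: login module option {opt} should be true")
                if "keyTab" not in opts:
                    findings.append(f"{name}: no keyTab option, so the server has no key to accept tickets")
                principal = opts.get("principal", "")
                if not SPN_RE.match(principal):
                    findings.append(f"{name}: principal '{principal}' is not of the form service/host@REALM")
        for mm in dom.findall("./mapping/mapping-module[@code='SimpleRoles']"):
            granted_roles.update(o.get("value") for o in mm.findall("module-option"))

    jw = ET.fromstring(jboss_web_xml)
    app_domain = jw.findtext("security-domain")
    if app_domain not in domains:
        findings.append(f"jboss-web.xml: security domain '{app_domain}' is not defined in standalone.xml")
    if jw.findtext("./valve/class-name") != NEGOTIATION_VALVE:
        findings.append("jboss-web.xml: the NegotiationAuthenticator valve is not configured")

    web = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in web.findall("./security-role/role-name")}
    for sc in web.findall("security-constraint"):
        resource = sc.findtext("./web-resource-collection/web-resource-name")
        for rn in sc.findall("./auth-constraint/role-name"):
            role = rn.text.strip()
            if role not in declared:
                findings.append(f"web.xml: '{resource}' requires role '{role}' that no <security-role> declares")
            if role not in granted_roles:
                findings.append(f"web.xml: '{resource}' requires role '{role}' that no SimpleRoles mapping grants")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_config(STANDALONE_XML, WEB_XML, JBOSS_WEB_XML) or ["OK: configuration is consistent"]:
        print(finding)
```

Run against the samples it reports the two "Manager" findings; replacing that role with "Admin" yields an empty list. The same pattern extends to any other login module code (the IBM Krb5LoginModule from the pitfalls slide is matched by suffix).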

Client configuration

krb5.conf

configure the realm

[libdefaults]
default_realm = MY-COMPANY.CZ

[realms]
MY-COMPANY.CZ = {
  kdc = kerberos.my-company.cz:688
}

[domain_realm]
.my-company.cz = MY-COMPANY.CZ

Use the KRB5_CONFIG environment variable if you don't want to change the system-wide /etc/krb5.conf

$ export KRB5_CONFIG=/path/to/krb5.conf

Browser configuration – allow negotiation for the domain

Firefox – use about:config in the address bar

network.negotiate-auth.delegation-uris = .my-company.cz
network.negotiate-auth.trusted-uris = .my-company.cz

Chromium

$ chromium-browser \
> --auth-server-whitelist=.my-company.cz \
> --auth-negotiate-delegate-whitelist=.my-company.cz

And if it still doesn't work …

Pitfalls – principal names

The Service Principal Name (SPN) must follow the rule

<service type>/<hostname>@<realm>

For the request

http://my-server.my-company.cz/

use SPN: HTTP/[email protected]

Mixing IPs and hostnames usually doesn't work:

SPN: HTTP/[email protected]
URL: http://127.0.0.1/

Pitfalls - IPv6

HTTP:
● http://[0:0:0:0:0:0:0:1]:8080/my-app/
● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG

LDAP (can be used for role-mapping):
● ldap://[0:0:0:0:0:0:0:1]:389
● ldap/0:0:0:0:0:0:0:[email protected]
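The two pitfall slides (principal names and IPv6) come down to one rule: the client builds the SPN from the host part of the URL it was given, so the name in the server's keytab must be exactly that string, resolved to a realm through [domain_realm]. The script below is an added example for this page, not code from JBoss Negotiation or from a browser; it derives the SPN a request will ask for and compares it with a configured principal, warning when the URL carries an IP literal. The [domain_realm] table is a constructed sample in the shape shown on the client configuration slide, and the function names are hypothetical. The bracketed-versus-bare treatment of IPv6 literals follows the two forms on the IPv6 slide (brackets kept for HTTP, dropped for LDAP).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed [domain_realm] mapping in the shape used on the slides (sample data).
DOMAIN_REALM = {".my-company.cz": "MY-COMPANY.CZ"}


def realm_for_host(host, domain_realm, default_realm=None):
    """Map a hostname to a realm the way [domain_realm] is consulted: the exact host
    first, then each parent domain with a leading dot, else the default realm."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def expected_spn(url, domain_realm, default_realm=None, service="HTTP"):
    """Derive the SPN a client will request for `url`: <service type>/<hostname>@<realm>.
    Returns (spn, warnings); warnings describe the IP-literal pitfalls from the slides."""
    host = urlsplit(url).hostname  # brackets around an IPv6 literal are already removed
    if host is None:
        raise ValueError(f"no host in URL: {url}")
    warnings = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        realm = realm_for_host(host, domain_realm, default_realm)
        host_part = host
    else:
        # No [domain_realm] suffix can match an address, so only the default realm applies,
        # and the SPN host part is the literal the client saw: HTTP keeps the IPv6 brackets,
        # LDAP does not (the two forms shown on the IPv6 slide).
        realm = default_realm
        bracketed = ip.version == 6 and service.upper() == "HTTP"
        host_part = f"[{host}]" if bracketed else host
        warnings.append(f"URL uses the IP literal {host}; the service keytab must hold exactly "
                        f"{service}/{host_part}, a hostname-based SPN will not match")
    if realm is None:
        raise ValueError(f"no realm for host {host}: add a [domain_realm] entry or pass default_realm")
    return f"{service}/{host_part}@{realm}", warnings


def check_principal(url, configured_spn, domain_realm, default_realm=None):
    """Compare the principal configured in the login module/keytab with what the URL requires."""
    service = configured_spn.split("/", 1)[0]
    spn, warnings = expected_spn(url, domain_realm, default_realm, service=service)
    if spn == configured_spn:
        return []
    return warnings + [f"mismatch: a request to {url} needs {spn} "
                       f"but the server is configured with {configured_spn}"]


if __name__ == "__main__":
    print(expected_spn("http://my-server.my-company.cz/", DOMAIN_REALM))
    print(expected_spn("http://[0:0:0:0:0:0:0:1]:8080/my-app/", DOMAIN_REALM, default_realm="JBOSS.ORG"))
    for problem in check_principal("http://127.0.0.1/", "HTTP/my-server.my-company.cz@MY-COMPANY.CZ",
                                   DOMAIN_REALM, default_realm="MY-COMPANY.CZ"):
        print(problem)
```

The last call reproduces the "mixing IPs and hostnames" slide: the server holds a hostname SPN while the browser, given an IP URL, asks the KDC for HTTP/127.0.0.1@REALM, so the ticket can never be decrypted with the server's key.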

Pitfalls - IBM Java

host's login module:

<login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required">

● module options are not the same!

krb5.conf – check the [libdefaults] section
● encryption support
  ● default_tgs_enctypes
  ● default_tkt_enctypes
  ● allow_weak_crypto
● forwardable ticket when a client uses Krb5LoginModule
  ● forwardable = true
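Both the client configuration slide (the realm, kdc and domain_realm layout of krb5.conf) and the [libdefaults] keys named on this pitfalls slide can be checked from the file itself before anyone enables java.security.krb5.debug. The parser and audit below are an added example for this page, not part of JBoss Negotiation or of any Kerberos library. The krb5.conf text is a constructed sample: the realm layout from the slides, the kdc line copied as shown (port 688 is the slide's value), plus the enctype and allow_weak_crypto keys deliberately set to a weak state so the audit has something to report. The set of single-DES enctypes is the one MIT Kerberos gates behind allow_weak_crypto; the function names are hypothetical.

```python
# Constructed krb5.conf: the realm layout from the slides plus the [libdefaults] keys the
# IBM Java pitfall slide names, deliberately left in a weak state for the demonstration.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = MY-COMPANY.CZ
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5
  allow_weak_crypto = true
  forwardable = true

[realms]
  MY-COMPANY.CZ = {
    kdc = kerberos.my-company.cz:688
  }

[domain_realm]
  .my-company.cz = MY-COMPANY.CZ
"""

# Single-DES types that MIT Kerberos only enables when allow_weak_crypto is true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
TRUE_VALUES = {"true", "yes", "1"}


def parse_krb5_conf(text):
    """Parse the [section] / key = value / name = { ... } syntax into nested dicts.
    A key repeated inside one block (for instance several kdc lines) becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack[-1][key] = group = {}
            stack.append(group)
            continue
        block = stack[-1]
        if key in block:
            block[key] = (block[key] if isinstance(block[key], list) else [block[key]]) + [value]
        else:
            block[key] = value
    return conf


def audit_krb5_conf(conf):
    """Return findings about the realm wiring and the [libdefaults] keys from the slides."""
    findings = []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"realms: default_realm {default_realm} has no [realms] entry")
    for realm, entry in realms.items():
        if not isinstance(entry, dict) or "kdc" not in entry:
            findings.append(f"realms: {realm} names no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm: {domain} maps to undefined realm {realm}")
    if str(lib.get("allow_weak_crypto", "false")).lower() in TRUE_VALUES:
        findings.append("libdefaults: allow_weak_crypto is enabled, single-DES tickets will be accepted")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        value = lib.get(key, "")
        value = " ".join(value) if isinstance(value, list) else value
        for enctype in value.replace(",", " ").split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append(f"libdefaults: {key} lists weak enctype {enctype}")
    if str(lib.get("forwardable", "false")).lower() not in TRUE_VALUES:
        findings.append("libdefaults: forwardable is not true; a client authenticating through "
                        "Krb5LoginModule will not obtain a forwardable ticket")
    return findings


if __name__ == "__main__":
    for finding in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["OK"]:
        print(finding)
```

On the sample this reports allow_weak_crypto and the des-cbc-md5 entry in both enctype lists; removing the DES type and setting allow_weak_crypto = false clears every finding. Point it at the file named by java.security.krb5.conf (or KRB5_CONFIG) to check the copy the server actually reads.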

Thank you.

