JBoss and SPNEGO authentication with GSS-API
This took about a million Google searches to get done, so here is a blog post explaining the steps needed to make a Java application deployed on JBoss use GSS-API to authenticate the user making the request.
Prerequisites
- A working KDC (Active Directory or something equivalent)
- JBoss (I used 5.0.1.GA)
- a keytab file
Configure JBoss
On a clean JBoss installation, open server/default/conf/login-config.xml and add the following at the end (just before </policy>):
<application-policy name="com.sun.security.jgss.accept">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="debug">true</module-option>
<module-option name="principal">HTTP/principal@REALM</module-option>
<module-option name="storeKey">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="keyTab">/path/to/keytabfile.keytab</module-option>
</login-module>
</authentication>
</application-policy>
and comment out the whole <application-policy name="Others"> section right above it.
Now we need to add some global VM parameters to Java: open bin/run.conf (under your JBoss home directory) and add
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/path/to/krb.conf"
/path/to/krb.conf is the global Kerberos config file for your apps and looks like this:
[libdefaults]
default_realm = YOURREALM
[realms]
YOURREALM = {
kdc = your.kdc
}
You should also increase the maximum HTTP header size permitted by the embedded Tomcat installation, since with Single-Sign-On the HTTP headers may exceed the default of 4 KB in complex Active Directory environments (the Negotiate header carries the Kerberos ticket, including the user's group memberships). Add the property
maxHttpHeaderSize="32768" to your HTTP connector configuration in server/default/deploy/jboss-web.deployer. If your HTTP headers become larger than this setting, Tomcat just discards the requests without any log output, which can cause a lot of trouble.
Well, almost done. Now you are free to get the SPNEGO token from inside your app and do with it whatever you want (for example, delegate the credentials to call some other service).
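As an added example (my code, not from this post), this is what "get the SPNEGO token from inside your app" looks like with the plain GSS-API: the class and method names are hypothetical, and it assumes the JAAS entry and VM options configured above plus Java 8 or later for java.util.Base64.

```java
import java.util.Base64;
import org.ietf.jgss.*;

/** Hypothetical helper: validates the SPNEGO token carried in "Authorization: Negotiate <base64>". */
public final class SpnegoAcceptor {

    /** Outcome of a successful accept. */
    public static final class Result {
        public final String principal;        // authenticated client, e.g. user@YOURREALM
        public final GSSCredential delegated; // client's forwarded credential, or null if none
        public final String responseToken;    // base64 for "WWW-Authenticate: Negotiate", may be null
        Result(String p, GSSCredential d, String r) { principal = p; delegated = d; responseToken = r; }
    }

    private static final String NEGOTIATE = "Negotiate ";

    public static Result accept(String authorizationHeader) throws GSSException {
        if (authorizationHeader == null || !authorizationHeader.startsWith(NEGOTIATE)) {
            return null; // caller answers 401 with "WWW-Authenticate: Negotiate" to start the handshake
        }
        String b64 = authorizationHeader.substring(NEGOTIATE.length()).trim();
        if (b64.startsWith("TlRMTVNT")) { // base64 of "NTLMSSP": the client fell back to NTLM, not Kerberos
            throw new GSSException(GSSException.DEFECTIVE_TOKEN); // usually a missing or duplicate HTTP/ SPN
        }
        byte[] token = Base64.getDecoder().decode(b64);
        GSSManager manager = GSSManager.getInstance();
        // With -Djavax.security.auth.useSubjectCredsOnly=false, JGSS obtains the acceptor credential
        // itself through the "com.sun.security.jgss.accept" JAAS entry (Krb5LoginModule + keytab).
        GSSCredential serverCred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY); // SPNEGO mechanism OID
        GSSContext context = manager.createContext(serverCred);
        try {
            byte[] out = context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                throw new GSSException(GSSException.FAILURE); // multi-leg negotiation not handled here
            }
            // Only now is the client identity trustworthy: the ticket was verified with the keytab key.
            String principal = context.getSrcName().toString();
            GSSCredential delegated = context.getCredDelegState() ? context.getDelegCred() : null;
            String response = out == null ? null : Base64.getEncoder().encodeToString(out);
            return new Result(principal, delegated, response);
        } finally {
            context.dispose();    // the delegated credential, if any, outlives the context
            serverCred.dispose();
        }
    }
}
```

The returned delegated credential is what the post means by delegating the credentials to call another service; dispose it once that onward call is finished.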
Hi, can you clarify the krb.conf contents:
i.e. is YOURREALM replaced with something like domain.mydomain.com, and is your.kdc = ADserver.mydomain.com?