4
votes

I need to configure JBoss EAP 6.3 to understand Kerberos authentication.

My environment consists of:

  • linux server with JBoss EAP 6.3
  • client station with Windows 7 64bit + Chrome
  • Windows Server 2008 Active Directory (act as KDC)

I have already tried lots of examples, but none of them work. Basically I did everything according to this document: RedHat JBoss 6.3 Kerberos

and this document: JBoss blog RadoslawRodak

and this document: JBoss developer blog

And everything I get from testing servlet (jboss-negotiation-toolkit) is this message: WARN [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-/172.27.185.220:8080-1) Unsupported negotiation mechanism 'NTLM'

Has anyone gone all the way through this and solved it somehow?

Thank you in advance, Josef

2
First I would disable NTLM somehow, because NTLM != Kerberos. - Tair
And did you add your application url to the security exception list? - Tair

2 Answers

1
votes

Take a look at my SPNEGO demo project https://github.com/kwart/spnego-demo

Try to make it work with the linked kerberos-using-apacheds project.

If you can successfully authenticate against the ApacheDS Kerberos, try to change the configuration (krb5.conf and the Krb5LoginModule options in the host security domain) to use your Active Directory for authentication.

A common pitfall is a wrong SPN name. The service principal has to be in the form HTTP/hostname@REALM (e.g. HTTP/[email protected])

You could find some other hints in my older presentation - http://www.slideshare.net/josef.cacek/dev-conf2013-ltkerberosas7

1
votes

Thank you all. As I said before, we finally made it. Our solution was:

0) The client computer must be in the domain; provided domain credentials are not enough.

Create the key table (for the 2008 server, kvno 0 was critical):

ktpass -out bbb.keytab -princ HTTP/[email protected] -mapUser CEZ.LOC\bbb -mapOp set -pass password -ptype KRB5_NT_PRINCIPAL -kvno 0

ktab  -k bbb.keytab -l -e -t
Keytab name: bbb.keytab
KVNO Timestamp      Principal
0 1/1/70 1:00 AM HTTP/[email protected] (23:RC4 with HMAC)

Stop JBoss and transfer it to the Linux server, under the JBoss configuration folder: /opt/jboss-domain/standalone/configuration/bbb.keytab

1) JBoss config (standalone.xml)

<system-properties>
  <property name="java.security.krb5.kdc" value="CEZ.LOC"/>
  <property name="java.security.krb5.realm" value="CEZ.LOC"/>
  <property name="java.net.debug" value="all"/>
  <property name="sun.security.krb5.debug" value="true"/>
</system-properties>

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="HTTP/[email protected]"/>
      <module-option name="keyTab" value="/opt/jboss-domain/standalone/configuration/bbb.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
    </login-module>
  </authentication>
</security-domain>

<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
  </authentication>
</security-domain>

2) Web App config:

web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <role-name>*</role-name>
</security-role>

jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/SPNEGO</security-domain>
    <valve>
        <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    </valve>
    <context-root>kerberoes</context-root>
</jboss-web>

jboss-deployment-structure.xml:
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.jboss.security.negotiation" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>

3) Restart the Key Distribution service on AD

4) Start JBoss

5) Add the JBoss web server address to the trusted hosts in Internet settings, under the Intranet section. Everything works from that moment.

The REST web app can use this to get valid credentials:

import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/ping")
public class Ping extends Application
{
    // Injected by JAX-RS; once NegotiationAuthenticator has run it carries the Kerberos principal
    @Context
    private SecurityContext mySecurityContext;

    @GET
    public Response doGET()
    {
        try
        {
            Date now = Calendar.getInstance().getTime();
            String reportDate = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").format(now);

            // Report the authentication scheme (SPNEGO) and the authenticated principal name
            String returnString = "Time: " + reportDate + "<br>\n";
            returnString += "User: " + mySecurityContext.getAuthenticationScheme() + " / "
                    + mySecurityContext.getUserPrincipal().getName() + "<br>\n";
            return Response.status(200).entity(returnString).build();
        }
        catch (Exception e)
        {
            // getUserPrincipal() is null when the request was not authenticated
            return Response.status(500).entity("Exception! " + e.getMessage()).build();
        }
    }
}
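As an added example (not code from the question or either answer), a small Python parser that classifies the token a browser sends in its Authorization: Negotiate header: either a raw NTLMSSP blob, which is what produces the "Unsupported negotiation mechanism 'NTLM'" warning quoted in the question, or a SPNEGO NegTokenInit whose first mechType should be Kerberos once the server is in the browser's Intranet zone (step 5). The sample headers are constructed inline, and the parser reads only the mechTypes list, not the embedded Kerberos ticket.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "KRB5", "1.2.840.48018.1.2.2": "MS-KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos (short- or long-form length); return (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _oid(value):  # DER OID value -> dotted form
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [str(acc)], 0
    return ".".join(arcs)
def classify_negotiate(header_value):
    """("NTLM", []) for a raw NTLMSSP blob; ("SPNEGO", [mechs in client preference order]) otherwise."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):          # browser fell back to plain NTLM
        return "NTLM", []
    tag, body, _ = _tlv(token, 0)                 # 0x60: GSS-API InitialContextToken
    tag2, oid, pos = _tlv(body, 0)                # thisMech OID must be SPNEGO
    if tag != 0x60 or tag2 != 0x06 or _oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    _, neg_init, _ = _tlv(body, pos)              # [0] NegTokenInit
    _, seq, _ = _tlv(neg_init, 0)                 # SEQUENCE
    _, mech_list, _ = _tlv(seq, 0)                # [0] mechTypes
    _, mechs, _ = _tlv(mech_list, 0)              # SEQUENCE OF OID
    names, pos = [], 0
    while pos < len(mechs):
        _, oid, pos = _tlv(mechs, pos)
        names.append(MECH_NAMES.get(_oid(oid), _oid(oid)))
    return "SPNEGO", names

# Constructed sample headers (DER assembled by hand; not captured from the poster's environment).
_der = lambda tag, v: bytes([tag, len(v)]) + v   # short-form length suffices for these samples
_SPNEGO = bytes.fromhex("06062b0601050502")                    # OID 1.3.6.1.5.5.2
_MS_KRB5 = bytes.fromhex("06092a864882f712010202")             # OID 1.2.840.48018.1.2.2
_KRB5 = bytes.fromhex("06092a864886f712010202")                # OID 1.2.840.113554.1.2.2
_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")           # OID 1.3.6.1.4.1.311.2.2.10
def _spnego_header(*mech_ders):                   # NegTokenInit carrying only the mechTypes list
    tok = _der(0x60, _SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, b"".join(mech_ders))))))
    return "Negotiate " + base64.b64encode(tok).decode()
KERBEROS_HEADER = _spnego_header(_MS_KRB5, _KRB5, _NTLMSSP)   # Intranet-zone browser with a ticket
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

Run it against a header copied from the browser's developer tools or a JBoss access log: if the result is NTLM, or a SPNEGO list with NTLMSSP first, the browser never obtained a service ticket for HTTP/hostname and the fix is on the client zone or SPN side, not in the login modules.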