Configure the web app for Kerberos authentication using Tomcat

0
votes

I am using windows authentication with tomcat 7

I have done with domain controller setup and tomcat instance setup I am unable to configure my web app with tomcat I mean I don't know what I have to change in web.xml, context.xml and server.xml

Copy the tomcat.keytab file created on the domain controller to $CATALINA_BASE/conf/tomcat.keytab. Create the kerberos configuration file $CATALINA_BASE/conf/krb5.ini. The file used in this how-to contained: 

    [libdefaults]
    default_realm = DEV.LOCAL
    default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    DEV.LOCAL = {
            kdc = win-dc01.dev.local:88
    }

The location of this file can be changed by setting the java.security.krb5.conf system property. Create the JAAS login configuration file $CATALINA_BASE/conf/jaas.conf. The file used in this how-to contained:

    [domain_realm]
    dev.local= DEV.LOCAL
    .dev.local= DEV.LOCAL


    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};
1
tomcat7windows-authenticationkerberos
Error messages in log? Question is impossible to answer without more information.Fred the Magic Wonder Dog
@Fred the magic wonder dog actually i dont know how to setup conf in server.xml BTW i didn't try can you post sample conf. settings in server.xml , web.xml which we requiref for windows auhtenticationRavindhar Konka

1 Answers

0
votes

In the web.xml of your web application, you have to set up the login method, security role and security constraint.

<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

<security-role>
    <description>Users</description>
    <role-name>WebAppUsers</role-name>
</security-role>
<security-role>
    <description>Admins</description>
    <role-name>WebAppAdmins</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Common Area</web-resource-name>
        <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>WebAppUser</role-name>
        <role-name>WebAppAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Changes to your server.xml

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
<Listener className="org.apache.catalina.core.JasperListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<Service name="Catalina">
    <Connector port="8080" maxSavePostSize="2097152" URIEncoding="UTF-8" 
        maxHttpHeaderSize="65536"/>
    <Engine name="Catalina" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
            connectionURL="ldap://dc.mydomain.com:3268" 
            userSubtree="true"
            userBase="cn=Users,dc=mydomain,dc=com" 
            userSearch="(sAMAccountName={0})"
            userRoleName="memberOf" 
            roleBase="cn=Users,dc=mydomain,dc=com" 
            roleName="cn"
            roleSearch="(member={0})" 
            roleSubtree="true" 
            roleNested="true"/>
        <Host name="localhost" appBase="webapps">
            <Context docBase="ROOT.war" path="">
                <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
                    storeDelegatedCredential="true" />
            </Context>
           </Host>
        </Engine>
    </Service>
</Server>