
I have configured my application with Kerberos authentication for a specific user in JBoss EAP and it's working fine. But I want to configure the same on the basis of a group, i.e. only users in a specific group will be able to authenticate.

standalone.xml configuration for a single user:

 <security-domains>
            <security-domain name="SPNEGO" cache-type="default">
                <!-- Kerberos/SPNEGO authentication. The server-side Kerberos credentials
                     come from the security domain named in serverSecurityDomain ("host"). -->
                <authentication>
                    <login-module code="SPNEGO" flag="required">
                        <module-option name="serverSecurityDomain" value="host"/>
                    </login-module>
                </authentication>
                <!-- Static principal-to-role mapping: every permitted user has to be listed
                     here by principal name, which is why this approach does not scale to
                     a whole group.
                     NOTE(review): the principal name below looks mangled by e-mail
                     obfuscation in this paste; the value is presumably the Kerberos
                     principal in user@REALM form (no removeRealmFromPrincipal is set) and
                     should be confirmed. -->
                <mapping>
                    <mapping-module code="SimpleRoles" type="role">
                        <module-option name="[email protected]" value="User"/>
                    </mapping-module>
                </mapping>
            </security-domain>

My environment consists of:

Linux server with JBoss EAP 6.2; client station with Windows 7 64-bit + Chrome; Windows Server 2008 Active Directory (acting as KDC)

Application WAR location: https://github.com/kwart/spnego-demo

Has anyone gone through this and solved it somehow?

Thank you in advance, Siddharth




You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users with LDAP roles via standalone.xml:

  <security-domain name="SPNEGO">
                <!-- Two-stage JAAS chain: SPNEGOUsers authenticates the Kerberos ticket,
                     AdvancedAdLdap then looks the same user up in Active Directory to load
                     roles from group membership. The order of the modules is significant. -->
                <authentication>
                    <!-- requisite: if Kerberos authentication fails the chain stops here
                         and the LDAP module is never consulted. -->
                    <login-module code="SPNEGOUsers" flag="requisite">
                        <!-- Share the authenticated identity with the next module. -->
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <module-option name="serverSecurityDomain" value="host"/>
                        <!-- Strip @REALM so the principal can match sAMAccountName in baseFilter. -->
                        <module-option name="removeRealmFromPrincipal" value="true"/>
                    </login-module>
                    <login-module code="AdvancedAdLdap" flag="required">
                        <!-- Reuse the identity established by SPNEGOUsers rather than
                             authenticating the user a second time. -->
                        <module-option name="password-stacking" value="useFirstPass"/>
                        <!-- Service account used to search the directory. The placeholder
                             values "test" must be replaced. The credential is stored in
                             clear text here, so restrict read access to standalone.xml or
                             move it into the EAP password vault. -->
                        <module-option name="bindDN" value="test"/>
                        <module-option name="bindCredential" value="test"/>
                        <!-- No user password is available after SPNEGO; this presumably
                             lets the module accept the empty password and rely on the
                             stacked identity instead (confirm against the AdvancedAdLdap
                             documentation for your EAP version). -->
                        <module-option name="allowEmptyPassword" value="true"/>
                        <!-- Plain ldap:// on port 389: the bind credential and directory
                             data travel unencrypted unless the server enforces signing or
                             StartTLS; prefer ldaps:// in production. -->
                        <module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
                        <!-- Where users are searched; {0} is the user name handed over by
                             SPNEGOUsers. -->
                        <module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
                        <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                        <!-- Roles are derived from the user's memberOf DNs, using each
                             group's cn as the role name; recurseRoles also follows nested
                             group membership. Restricting access to one group is then a
                             matter of requiring that role in the application (not shown
                             here). -->
                        <module-option name="roleAttributeID" value="memberOf"/>
                        <module-option name="roleAttributeIsDN" value="true"/>
                        <module-option name="roleNameAttributeID" value="cn"/>
                        <module-option name="recurseRoles" value="true"/>
                    </login-module>
                </authentication>
            </security-domain>