Another possible scenario for integrating GateIn using SSO in several infrastructures is related to the use of the SPNEGO mechanism. We will see how to configure GateIn for this type of integration.
SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism and it provides an automatic way to check if the operating system or the application server supports NT LAN Manager (NTLM) or Kerberos to authenticate user sessions.
Download the GateIn SSO packaging from the following URL (the unpacked directory is referred to below as GATEIN_SSO_HOME):

https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging

Download the jboss-negotiation JAR (at the time of writing the book, it is 2.1.0.GA) from the following URL:

https://repository.jboss.org/nexus/content/groups/public/org/jboss/security/jboss-negotiation/

Let's start to configure GateIn with SPNEGO as follows:
Open the login-config.xml file in this path: JBOSS_HOME/server/default/conf and add the following SPNEGO domain:

    <!-- SPNEGO domain -->
    <application-policy name="host">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <!-- HTTP service principal of this host in your Kerberos realm -->
          <module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
          <module-option name="keyTab">/etc/krb5.keytab</module-option>
          <module-option name="doNotPrompt">true</module-option>
          <!-- verbose Kerberos logging: useful while setting up, switch to false afterwards -->
          <module-option name="debug">true</module-option>
        </login-module>
      </authentication>
    </application-policy>
The keytab file referenced by the keyTab parameter must be generated with the kadmin tool. If you are using Linux, this parameter must have the same value that you set in the kdc.conf file.
Open the war-deployers-jboss-beans.xml file in JBOSS_HOME/server/default/deployers/jbossweb.deployer/META-INF and change the authenticators property to the following:

    <deployment xmlns="urn:jboss:bean-deployer:2.0">
      <!-- the rest of the file is unchanged; only the authenticators property is edited -->
      <property name="authenticators">
        <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
          <entry>
            <key>BASIC</key>
            <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
          </entry>
          <entry>
            <key>CLIENT-CERT</key>
            <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
          </entry>
          <entry>
            <key>DIGEST</key>
            <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
          </entry>
          <entry>
            <key>FORM</key>
            <value>org.apache.catalina.authenticator.FormAuthenticator</value>
          </entry>
          <entry>
            <key>NONE</key>
            <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
          </entry>
          <!-- Add this entry -->
          <entry>
            <key>SPNEGO</key>
            <value>org.gatein.sso.spnego.GateInNegotiationAuthenticator</value>
          </entry>
        </map>
      </property>
    </deployment>
Copy the sso-agent-VERSION.jar file from GATEIN_SSO_HOME/spnego/gatein.ear/lib to JBOSS_HOME/server/default/deploy/gatein.ear/lib.

Copy the spnego-VERSION.jar file from GATEIN_SSO_HOME/spnego/gatein.ear/lib to JBOSS_HOME/server/default/lib.

Copy the jboss-negotiation-VERSION.jar file downloaded earlier into JBOSS_HOME/server/default/lib.
Open the gatein-jboss-beans.xml file that is included in the path JBOSS_HOME/server/default/deploy/gatein.ear/META-INF and change it as follows:

    <deployment xmlns="urn:jboss:bean-deployer:2.0">
      <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-form-auth-domain">
        <authentication>
          <login-module code="org.gatein.wci.security.WCILoginModule" flag="optional">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
          <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
          <!-- Uncomment this part to check on each login if user is member of "/platform/users" group
               and if not create such membership -->
          <!--
          <login-module flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
            <module-option name="membershipType">member</module-option>
            <module-option name="groupId">/platform/users</module-option>
          </login-module>
          -->
          <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <!-- logout needs to be performed from 'gatein-domain' as it is used for JaasSecurityManager -->
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
        </authentication>
      </application-policy>
      <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
        <authentication>
          <login-module code="org.gatein.sso.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <!-- must match the application-policy name added to login-config.xml -->
            <module-option name="serverSecurityDomain">host</module-option>
            <module-option name="removeRealmFromPrincipal">true</module-option>
            <!-- must match the name of the form-login policy defined above -->
            <module-option name="usernamePasswordDomain">gatein-form-auth-domain</module-option>
          </login-module>
          <login-module code="org.gatein.sso.agent.login.SPNEGORolesModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
          </login-module>
        </authentication>
      </application-policy>
    </deployment>
Open the web.xml file of the portal web application and change the login-config as follows:

    <!--
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>gatein-domain</realm-name>
      <form-login-config>
        <form-login-page>/initiatelogin</form-login-page>
        <form-error-page>/errorlogin</form-error-page>
      </form-login-config>
    </login-config>
    -->
    <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>SPNEGO</realm-name>
      <form-login-config>
        <form-login-page>/initiatelogin</form-login-page>
        <form-error-page>/errorlogin</form-error-page>
      </form-login-config>
    </login-config>
Add the following filter definitions and mappings to the same web.xml file:

    <filter>
      <filter-name>LoginRedirectFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
      <init-param>
        <!-- This should point to your SSO authentication server -->
        <param-name>LOGIN_URL</param-name>
        <param-value>/portal/private/classic</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>SPNEGOFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>LoginRedirectFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SPNEGOFilter</filter-name>
      <url-pattern>/login</url-pattern>
    </filter-mapping>
Open the file JBOSS_HOME/server/default/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl and change the login link as follows:

    <!-- <a class="Login" onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a> -->
    <a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
From JBOSS_HOME/bin, start the server with the following command:

    sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c default -b server.local.network

Replace the server.local.network value according to your Kerberos configuration.

In the first part of the configuration steps, we configured the application server to add support for the new realm, with the Kerberos keytab for the domain defined for the SPNEGO server.
We then changed the SSL configuration for the application server to support the security layer for SPNEGO.
In the next step, we added the specific libraries taken from the GateIn SSO support package in order to use the custom login modules and the SPNEGO agent.
We then changed the portal configuration to add authentication support for the new domain defined for SPNEGO. We also added the specific authentication filters that receive the requests for the new authentication process.
Finally, in the last steps we modified the HTML code of the login form to update the context path of the link for the SSO mechanism that we have now enabled.
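The following script is an added consistency check, not part of the book: it cross-references the three files edited above, verifying that serverSecurityDomain names the Kerberos policy from login-config.xml, that usernamePasswordDomain names the form-login policy in gatein-jboss-beans.xml (a one-character drift in gatein-form-auth-domain between the two places breaks login), that the Krb5LoginModule uses an HTTP/ service principal from a keytab, and that web.xml uses the SPNEGO auth-method with SPNEGOFilter mapped to /login. The inline XML fragments are constructed, minimal copies of the recipe's configuration, and the function names are our own.

```python
import xml.etree.ElementTree as ET
# Constructed, minimal versions of the three files as wired up in the recipe above.
LOGIN_CONFIG = """<policy><application-policy name="host"><authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="useKeyTab">true</module-option><module-option name="keyTab">/etc/krb5.keytab</module-option>
<module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
</login-module></authentication></application-policy></policy>"""
GATEIN_BEANS = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
<application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-form-auth-domain"><authentication/></application-policy>
<application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain"><authentication>
<login-module code="org.gatein.sso.spnego.SPNEGOLoginModule" flag="requisite">
<module-option name="serverSecurityDomain">host</module-option><module-option name="usernamePasswordDomain">gatein-form-auth-domain</module-option>
</login-module></authentication></application-policy></deployment>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter-mapping><filter-name>SPNEGOFilter</filter-name><url-pattern>/login</url-pattern></filter-mapping>
<login-config><auth-method>SPNEGO</auth-method><realm-name>SPNEGO</realm-name></login-config></web-app>"""

def _named(root, local_name):
    """Iterate elements by local tag name, so namespaced and plain files parse alike."""
    return (el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == local_name)

def _policies(xml_text):
    """Map policy name -> {login-module class -> {module-option name -> value}}."""
    return {p.get("name"): {m.get("code"): {o.get("name"): (o.text or "").strip()
            for o in _named(m, "module-option")} for m in _named(p, "login-module")}
            for p in _named(ET.fromstring(xml_text), "application-policy")}

def check_spnego_wiring(login_config_xml, gatein_beans_xml, web_xml):
    """Return a list of misconfiguration messages; an empty list means the files agree."""
    problems, jaas, beans = [], _policies(login_config_xml), _policies(gatein_beans_xml)
    spnego = beans.get("gatein-domain", {}).get("org.gatein.sso.spnego.SPNEGOLoginModule")
    if spnego is None:
        return ["gatein-domain has no SPNEGOLoginModule in gatein-jboss-beans.xml"]
    krb_domain, form_domain = spnego.get("serverSecurityDomain"), spnego.get("usernamePasswordDomain")
    # serverSecurityDomain must name the Kerberos application-policy added to login-config.xml
    krb = jaas.get(krb_domain, {}).get("com.sun.security.auth.module.Krb5LoginModule")
    if krb is None:
        problems.append(f"serverSecurityDomain '{krb_domain}' has no Krb5LoginModule in login-config.xml")
    elif krb.get("useKeyTab") != "true" or not krb.get("keyTab") or not krb.get("principal", "").startswith("HTTP/"):
        problems.append("Krb5LoginModule needs useKeyTab=true, a keyTab path and an HTTP/<host>@<REALM> principal")
    if form_domain not in beans:  # the form-login policy the SPNEGO module falls back to
        problems.append(f"usernamePasswordDomain '{form_domain}' is not defined in gatein-jboss-beans.xml")
    web = ET.fromstring(web_xml)
    if "SPNEGO" not in [(m.text or "").strip() for m in _named(web, "auth-method")]:
        problems.append("web.xml login-config must use <auth-method>SPNEGO</auth-method>")
    mappings = {next(_named(f, "filter-name")).text: next(_named(f, "url-pattern")).text
                for f in _named(web, "filter-mapping")}
    if mappings.get("SPNEGOFilter") != "/login":
        problems.append("SPNEGOFilter must be mapped to /login in web.xml")
    return problems
```

Run it against the real files by reading them into the three arguments; each returned message names the file and option to fix.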