Another possible scenario for integrating GateIn using SSO in several infrastructures is related to the use of the SPNEGO mechanism. We will see how to configure GateIn for this type of integration.
SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism and it provides an automatic way to check if the operating system or the application server supports NT LAN Manager (NTLM) or Kerberos to authenticate user sessions.
- Download the latest GateIn SSO support package from the following Maven repository location:
https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging
- The latest version available at the time of writing the book is 1.1.1-GA; it is downloadable from this URL:
- Extract the package in a folder in your filesystem.
- Download the latest GA version of
jboss-negotiationJAR (at the time of writing the book, it is 2.1.0.GA) from the following URL: https://repository.jboss.org/nexus/content/groups/public/org/jboss/security/jboss-negotiation/ - We assume that you have correctly configured an SPNEGO server on your environment.
Let's start to configure GateIn with SPNEGO as follows:
- Locate the
login-config.xmlfile in this path:JBOSS_HOME/server/default/conf - Add the following snippet:
<!-- SPNEGO domain --> <application-policy name="host"> <authentication> <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"> <module-option name="storeKey">true</module-option> <module-option name="useKeyTab">true</module-option> <module-option name="principal">HTTP/[email protected]</ module-option> <module-option name="keyTab">/etc/krb5.keytab</module-option> <module-option name="doNotPrompt">true</module-option> <module-option name="debug">true</module-option> </login-module> </authentication> </application-policy>
- The
keyTabparameter must be generated by thekadmintool. If you are using Linux, this parameter must have the same value that you set in thekdc.conf. - Locate the file
JBOSS_HOME/server/default/deployers/jbossweb.deployer/META-INF/wardeployers-jboss-beans.xmland change it to the following:<deployment xmlns="urn:jboss:bean-deployer:2.0"> <property name="authenticators"> <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String"> <entry> <key>BASIC</key> <value>org.apache.catalina.authenticator.BasicAuthenticator</value> </entry> <entry> <key>CLIENT-CERT</key> <value>org.apache.catalina.authenticator.SSLAuthenticator</value> </entry> <entry> <key>DIGEST</key> <value>org.apache.catalina.authenticator.DigestAuthenticator</value> </entry> <entry> <key>FORM</key> <value>org.apache.catalina.authenticator.FormAuthenticator</value> </entry> <entry> <key>NONE</key> <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value> </entry> <!-- Add this entry --> <entry> <key>SPNEGO</key> <value>org.gatein.sso.spnego.GateInNegotiationAuthenticator</value> </entry> </map> </property>
- Copy
sso-agent-VERSION.jar: fromGATEIN_SSO_HOME/spnego/gatein.ear/libtoJBOSS_HOME/server/default/deploy/gatein.ear/lib. - Copy
spnego-VERSION.jar:fromGATEIN_SSO_HOME/spnego/gatein.ear/libtoJBOSS_HOME/server/default/lib. - Copy the
jboss-negotiation-VERSION.jarfile inJBOSS_HOME/server/default/lib. - Change the file
gatein-jboss-beans.xmlthat is included in the pathJBOSS_HOME/server/defaut/deploy/gatein.ear/META-INFas follows:<deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-form-authdomain"> <authentication> <login-module code="org.gatein.wci.security.WCILoginModule" flag="optional"> <module-option name="portalContainerName">portal</module-option> <module-option name="realmName">gatein-domain</module-option> </login-module> <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required"> <module-option name="portalContainerName">portal</module-option> <module-option name="realmName">gatein-domain</module-option> </login-module> <!-- Uncomment this part to check on each login if user is member of "/platform/users" group and if not create such membership --> <!-- <login-module flag="required"> <module-option name="portalContainerName">portal</module-option> <module-option name="realmName">gatein-domain</module-option> <module-option name="membershipType">member</module-option> <module-option name="groupId">/platform/users</module-option> </login-module> --> <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required"> <module-option name="portalContainerName">portal</module-option> <!-- logout needs to be performed from 'gatein-domain' as it is used for JaasSecurityManager. --> <module-option name="realmName">gatein-domain</module-option> </login-module> </authentication> </application-policy> <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain"> <authentication> <login-module code="org.gatein.sso.spnego.SPNEGOLoginModule" flag="requisite"> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="serverSecurityDomain">host</module-option> <module-option name="removeRealmFromPrincipal">true</module-option> <module-option name="usernamePasswordDomain">gatein-form-auth-domain</moduleoption> </login-module> <login-module code="org.gatein.sso.agent.login.SPNEGORolesModule" flag="required"> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="portalContainerName">portal</module-option> <module-option name="realmName">gatein-domain</module-option> </login-module> </authentication> </application-policy> </deployment>
- Change the GateIn portal application
web.xmlas follows:<!-- <login-config> <auth-method>FORM</auth-method> <realm-name>gatein-domain</realm-name> <form-login-config> <form-login-page>/initiatelogin</form-login-page> <form-error-page>/errorlogin</form-error-page> </form-login-config> </login-config> --> <login-config> <auth-method>SPNEGO</auth-method> <realm-name>SPNEGO</realm-name> <form-login-config> <form-login-page>/initiatelogin</form-login-page> <form-error-page>/errorlogin</form-error-page> </form-login-config> </login-config>
- Add the SPNEGO filters in the
web.xml:<filter> <filter-name>LoginRedirectFilter</filter-name> <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class> <init-param> <!-- This should point to your SSO authentication server --> <param-name>LOGIN_URL</param-name> <param-value>/portal/private/classic</param-value> </init-param> </filter> <filter> <filter-name>SPNEGOFilter</filter-name> <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class> </filter> <filter-mapping> <filter-name>LoginRedirectFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>SPNEGOFilter</filter-name> <url-pattern>/login</url-pattern> </filter-mapping>
- Update the Sign in link modifying the template
JBOSS_HOME/server/default/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmlas follows:<!-- <a class="Login" onclick="$signInAction">< %=_ctx.appRes("UILoginForm.label.Signin")%></a> --> <a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a> - Now you have completed all the configuration settings.
- Finally, remember to start GateIn using the following command with security settings:
sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK - Djava.security.krb5.kdc=server.local.network -c default -b server.local.network
- Set the correct
server.local.networkvalue for your Kerberos configuration,
In the first part of the configuration steps, we configured the application server to add the support to the new realm with the Kerberos keystore for the domain defined for the SPNEGO server.
We then changed the SSL configuration for the application server to support the security layer for SPNEGO.
In the next step, we added specific libraries taken from the GateIn SSO support package to use custom login modules and the SPNEGO agent.
We then changed the portal configuration for adding the authentication support for the new domain defined in SPNEGO. We also added the specific authentication filter to receive the needed requests against the new authentication process.
Finally, in the last steps we modified the HTML code for the login form to update the context path related to the link for the SSO mechanism that we have now enabled.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.