Version 2

    This will be available in JBoss AS 7.0.0.CR1 or builds based on the latest source.

     

    JBoss Negotiation is still JBoss Negotiation, so the majority of the configuration is the same as on previous JBoss AS releases; this article just highlights some of the differences.

     

    Security Domains

    As before, two security domains are still required: one to represent the identity of the server and one to secure the web application. In JBoss AS7 these are defined in the domain model, e.g.

      <security-domains>
        <security-domain name="host" cache-type="default">
          <authentication>
            <login-module code="Kerberos" flag="required">
              <module-option name="storeKey" value="true"/>
              <module-option name="useKeyTab" value="true"/>
              <module-option name="principal" value="host/testserver@MY_REALM"/>
              <module-option name="keyTab" value="/home/username/service.keytab"/>
              <module-option name="doNotPrompt" value="true"/>
              <module-option name="debug" value="false"/>
            </login-module>
          </authentication>
        </security-domain>

        <security-domain name="SPNEGO" cache-type="default">
          <authentication>
            <login-module code="SPNEGO" flag="requisite">
              <module-option name="password-stacking" value="useFirstPass"/>
              <module-option name="serverSecurityDomain" value="host"/>
            </login-module>

            <!-- Login Module For Roles Search -->
          </authentication>
        </security-domain>
      </security-domains>

    Here the security domain options are exactly the same as in previous JBoss AS releases; the only notable difference is that the 'code' attribute of each login-module can now use a simple name instead of the fully qualified class name used previously.

    The following table shows the name mapping used when working with JBoss Negotiation:

    Simple Name      Class Name
    Kerberos         com.sun.security.auth.module.Krb5LoginModule
    SPNEGO           org.jboss.security.negotiation.spnego.SPNEGOLoginModule
    AdvancedLdap     org.jboss.security.negotiation.AdvancedLdapLoginModule
    AdvancedAdLdap   org.jboss.security.negotiation.AdvancedADLoginModule
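As an added example (not part of this article or of JBoss Negotiation itself), a small Python check that parses a security-domains fragment like the one above and verifies that each SPNEGO login-module points at a defined server-identity domain whose Kerberos module stores its key, uses a keytab and names a service/hostname@REALM principal. The sample XML is constructed from the article's values, and the checks encode this example's own assumptions about a sane configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real server config): the article's two security domains.
SAMPLE = """<security-domains>
 <security-domain name="host"><authentication>
  <login-module code="Kerberos" flag="required">
   <module-option name="storeKey" value="true"/>
   <module-option name="useKeyTab" value="true"/>
   <module-option name="principal" value="host/testserver@MY_REALM"/>
   <module-option name="keyTab" value="/home/username/service.keytab"/>
  </login-module></authentication></security-domain>
 <security-domain name="SPNEGO"><authentication>
  <login-module code="SPNEGO" flag="requisite">
   <module-option name="password-stacking" value="useFirstPass"/>
   <module-option name="serverSecurityDomain" value="host"/>
  </login-module></authentication></security-domain>
</security-domains>"""

PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # service/hostname@REALM

def load_domains(xml_text):
    """Map each security-domain name to its login modules as (code, {option: value})."""
    return {sd.get("name"): [(lm.get("code"), {o.get("name"): o.get("value") for o in lm.findall("module-option")})
                             for lm in sd.findall("authentication/login-module")]
            for sd in ET.fromstring(xml_text).findall("security-domain")}

def check_spnego_wiring(xml_text):
    """Return problems found in the SPNEGO -> server-identity wiring; [] means it is consistent."""
    doms, problems = load_domains(xml_text), []
    for name, mods in doms.items():
        for code, opts in mods:
            if code != "SPNEGO":
                continue
            server = opts.get("serverSecurityDomain")
            if server not in doms:
                problems.append(f"{name}: serverSecurityDomain '{server}' is not a defined security-domain")
                continue
            krb = next((o for c, o in doms[server] if c == "Kerberos"), None)
            if krb is None:
                problems.append(f"{server}: no Kerberos login module holds the server identity")
                continue
            # The service key must be stored in the Subject (from a keytab) for SPNEGO to use it.
            missing = [o for o in ("storeKey", "useKeyTab") if krb.get(o) != "true"]
            if missing or not krb.get("keyTab"):
                problems.append(f"{server}: storeKey and useKeyTab must be 'true' with a keyTab path")
            if not PRINCIPAL.match(krb.get("principal", "")):
                problems.append(f"{server}: principal should be service/hostname@REALM")
    return problems
```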

     

    System Properties

    Instead of a separate deployment, the system properties (if required) can now also be set in the domain model, e.g.

        <system-properties>
          <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>
          <property name="java.security.krb5.realm" value="MY_REALM"/>
        </system-properties>

     

    Web Application

    Within JBoss AS7 it is not possible to override the authenticators as before; however, the same effect can be achieved by adding the NegotiationAuthenticator as a valve in your jboss-web.xml descriptor, e.g.

      <!DOCTYPE jboss-web PUBLIC
        "-//JBoss//DTD Web Application 2.4//EN"
        "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
      <jboss-web>
        <security-domain>java:/jaas/SPNEGO</security-domain>
        <valve>
          <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
        </valve>
      </jboss-web>

     

    Note - the valve still requires the security-constraint and login-config to be defined in web.xml, as these still decide which resources are secured; however, the chosen auth-method will be overridden by this authenticator.

    Finally, the web application requires a dependency to be defined in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located:

    Manifest-Version: 1.0
    Build-Jdk: 1.6.0_24
    Dependencies: org.jboss.security.negotiation

     

    JBoss Negotiation Toolkit

    Attached to this article is a version of the JBoss Negotiation Toolkit for use with JBoss AS7, allowing you, as before, to test the different aspects of SPNEGO before introducing your own application.

    Note - as the toolkit is intended for debugging, if you look at the dependencies in its MANIFEST.MF you will see some additional dependencies defined; these are needed for the debugging features of the toolkit and are not normally needed for your own web application.