3 Replies Latest reply on May 19, 2009 6:31 AM by dlofthouse

Bringing JBoss Negotiation to JBoss Portal

dlofthouse May 18, 2009 10:38 AM

Following on from the vote from Thomas I have been working on the following issue to enable SPNEGO authentication with JBoss Portal: -

https://jira.jboss.org/jira/browse/SECURITY-353

In general apart from a couple of small exceptions the majority of this relates to configuration, the purpose of this thread is to identify these changes and decide the way forward to allow this integration to be used.

This work so far has been against the latest code in JBoss_Portal_Branch_2_7.

JBoss Negotiation itself is a pluggable authenticator to make plugging it into existing web applications fairly simple, for the Portal integration I have needed to extend this to be able to call: -

request.setAttribute("ssoEnabled", "true");

This is to change the 'Login' link to only perform a redirect without prompting the user for their password.

When using SPNEGO the client does not pass in their username instead this is identified as part of the negotiation process, I have extended the 'IdentityLoginModule' to override how the username is obtained so if this module is chained after the SPNEGOLoginModule the users identity can be established.

The final code change is that I have extended the 'LDAPExtUserModuleImpl' so that I can override the 'validatePassword' method to return true is the SPNEGO process was successful.

Beyond this everything is achieved using configuration and the existing approach that would be used for Active Directory can be followed.

The real question is how should this be provided for users to install?

My opinion is that this should be an integration library distributed with JBoss Negotiation as to get this to work it is essential to get JBoss Negotiation configured first, then enabling for Portal is fairly simple.

If we take this approach I can then add a new chapter to the JBoss Negotiation user guide to be followed after the preceding chapters.

One thing I will need for the build is to get the 'portal-identity-lib.jar' available from the Maven repository, if we can agree a group and artifact ID can we get version 1.0.8 of this jar in the repo?

Beyond this I still need to work on a fallback mechanism for username/password based authentication - once that is available then maybe any integration code could move across to Portal?

1. Re: Bringing JBoss Negotiation to JBoss Portal

theute May 18, 2009 3:57 PM (in response to dlofthouse)

Awesome !

The latest published identity component is 1.0.7 and published here:
http://repository.jboss.com/maven2/org/jboss/portal/identity/identity-identity/1.0.7/

we can publish 1.0.8 as well

Will ping Bolek to look at this thread. We need to make the integration as easy as possible :)
Actions
2. Re: Bringing JBoss Negotiation to JBoss Portal

bdaw May 19, 2009 4:18 AM (in response to dlofthouse)

Darran,

ping me directly if you need any kind of assistance for this from the portal side. We are more than open to add tweaks you need into portal codebase. From what you say it seems we need to have separate version of IdentityLoginModule that extends LDAPExtUserModuleImpl to perform auth against MSAD. I think it is fine to have such version but as it will be maintained by us we'll need to have a way to test it. Do you have any kind of automation tests for JBoss Negotiation that we could reuse? Even if not I will need to cach up on setting up JBoss Negotiation so we can make it part of our QA in the future.
Actions
3. Re: Bringing JBoss Negotiation to JBoss Portal

dlofthouse May 19, 2009 6:31 AM (in response to dlofthouse)

"thomas.heute@jboss.com" wrote:

The latest published identity component is 1.0.7 and published here:
http://repository.jboss.com/maven2/org/jboss/portal/identity/identity-identity/1.0.7/

Thanks Thomas, I will try that version first, it is a fairly small compile time dependency on a couple of classes that are extended.

Bolek - I will ping you directly regarding the QA as there are some other discussions ongoing relating to machines to use for this, an issue with testing JBoss Negotiation is that it is dependent on having KDCs and web browsers correctly configured.

In the meantime the code that I needed to override can be seen here: -

http://anonsvn.jboss.org/repos/jbossas/projects/security/security-negotiation/branches/SECURITY-353/jboss-negotiation-portal/src/main/java/org/jboss/security/negotiation/portal/

The PortalAuthenticator is the smallest change, if there was an alternative way to disable the pop up for the username and password that would also work.

The next class is the 'NegotiationUserModuleImpl' and this is only a small change to 'LDAPExtUserModuleImpl' to override the 'validatePassword()' method. The overall integration is dependent on the login module from JBoss Negotiation being called before the login module for JBoss Porta - this change to 'validatePassword()' just double checks that the first module was successful.

The final extension was in 'PortalIdentityLoginModule' where I needed to retrieve the username identified as part of the negotiation process, for this change I do need to review further if I can find an alternative way to switch the username.
Actions

Go to original post