This wiki page is outdated and deprecated. See SPNEGO documentation in GateIn reference guide for latest instructions.
GateIn uses JBoss Negotiation to enable SPNEGO-based desktop SSO for the Portal. Here are the steps to integrate SPNEGO with GateIn:
Step 1: Activate the Host authentication
Under conf/login-config.xml, add the following host login module:
<!-- SPNEGO domain -->
<application-policy name="host">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
      <module-option name="keyTab">/home/soshah/krb5keytabs/jboss.keytab</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
The 'keyTab' value should point to the keytab file that was generated by the kadmin Kerberos tool. See the Setting up your Kerberos Development Environment guide for more details.
Step 2: Extend the core authentication mechanisms to support SPNEGO
Under deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml, add an 'SPNEGO' entry to the authenticators property:
<property name="authenticators">
  <map keyClass="java.lang.String" valueClass="java.lang.String">
    <entry>
      <key>BASIC</key>
      <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
    </entry>
    <entry>
      <key>CLIENT-CERT</key>
      <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
    </entry>
    <entry>
      <key>DIGEST</key>
      <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
    </entry>
    <entry>
      <key>FORM</key>
      <value>org.apache.catalina.authenticator.FormAuthenticator</value>
    </entry>
    <entry>
      <key>NONE</key>
      <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
    </entry>
    <!-- Add this entry -->
    <entry>
      <key>SPNEGO</key>
      <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
    </entry>
  </map>
</property>
Step 3: Add the JBoss Negotiation binary
Copy jboss-negotiation-2.0.3.GA.jar to lib.
Step 4: Add the GateIn SSO module binaries
Add sso-agent.jar and sso-spnego.jar to deploy/gatein.ear/lib.
Step 5: Activate SPNEGO LoginModule for GateIn
Modify deploy/gatein.ear/META-INF/gatein-jboss-beans.xml, so that it looks like this:
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
    <!--
    <authentication>
      <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
    -->
    <!-- Uncomment this part (and comment the other part) for CAS integration -->
    <!--
    <authentication>
      <login-module code="org.gatein.sso.agent.login.SSOLoginModule" flag="required">
      </login-module>
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
    -->
    <!-- Uncomment this for Kerberos based SSO integration -->
    <authentication>
      <login-module code="org.gatein.sso.spnego.SPNEGOLoginModule" flag="requisite">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module code="org.gatein.sso.agent.login.SPNEGORolesModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>
Step 6: Integrate SPNEGO support into the Portal web archive
Switch the GateIn authentication mechanism from the default "FORM" based authentication to "SPNEGO" based authentication as follows:
Modify gatein.ear/02portal.war/WEB-INF/web.xml:
<!--
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>gatein-domain</realm-name>
  <form-login-config>
    <form-login-page>/initiatelogin</form-login-page>
    <form-error-page>/errorlogin</form-error-page>
  </form-login-config>
</login-config>
-->
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO</realm-name>
</login-config>
Integrate the request pre-processing needed for SPNEGO via filters. Add the following filters to web.xml at the top of the filter chain:
<filter>
  <filter-name>LoginRedirectFilter</filter-name>
  <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
  <init-param>
    <!-- This should point to your SSO authentication server -->
    <param-name>LOGIN_URL</param-name>
    <param-value>/portal/private/classic</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SPNEGOFilter</filter-name>
  <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>LoginRedirectFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SPNEGOFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Step 7: Modify the Portal's 'Sign In' link to perform SPNEGO authentication
Modify the 'Sign In' link on gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl as follows:
<!-- <a onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a> -->
<a href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
Step 8: Start the GateIn Portal
sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c spnego -b server.local.network
Step 9: Login to Kerberos
kinit -A demo
You should now be able to click the 'Sign In' link on the GateIn Portal, and the 'demo' user from the GateIn portal should be logged in automatically.