GateIn SPNEGO integration using JBoss Negotiation

This wiki page is outdated and deprecated. See the SPNEGO documentation in the GateIn reference guide for the latest instructions.

 

 

GateIn uses JBoss Negotiation to enable SPNEGO-based desktop SSO for the Portal: a user who already holds a Kerberos ticket is logged in without seeing the portal login form. Here are the steps to integrate SPNEGO with GateIn.

 

Step 1: Activate the Host authentication

 

In conf/login-config.xml of the JBoss AS server profile, add the following application policy named 'host'. It holds the Kerberos service credentials (the HTTP/ service principal and its keytab) that the server uses to accept SPNEGO tokens:

 

<!-- SPNEGO domain -->
  <application-policy name="host">
   <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule"
         flag="required">
         <module-option name="storeKey">true</module-option>
         <module-option name="useKeyTab">true</module-option>
         <module-option name="principal">HTTP/server.local.network@LOCAL.NETWORK</module-option>
         <module-option name="keyTab">/home/soshah/krb5keytabs/jboss.keytab</module-option>
         <module-option name="doNotPrompt">true</module-option>
         <module-option name="debug">true</module-option>
      </login-module>
   </authentication>
 </application-policy>

 

The 'keyTab' value must point to the keytab file generated with the kadmin Kerberos tool (ktadd) for the HTTP/<hostname>@<REALM> service principal, where <hostname> is the fully qualified name that browsers will use to reach the portal. See the Setting up your Kerberos Development Environment guide for more details. Because the keytab holds the long-term service key, it should be owned by the account that runs JBoss and be readable by nobody else; the 'debug' option is useful while setting things up but should be set to false once SSO works.
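As an added preflight check that is not part of this page's original instructions and not GateIn or JBoss code, the following Python script parses the output of `klist -k -t <keytab>` and verifies that the keytab carries the exact HTTP/ service principal for the host and realm the server will be started with. The listing embedded below is constructed to match the keytab path and principal in the login module above; in practice, run the real klist command and feed its output to `parse_klist`.

```python
import re

# Constructed sample of `klist -k -t /home/soshah/krb5keytabs/jboss.keytab`
# output (not captured from a real host); mirrors the principal configured above.
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/home/soshah/krb5keytabs/jboss.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2010 12:00:00 HTTP/server.local.network@LOCAL.NETWORK
   3 01/01/2010 12:00:00 host/server.local.network@LOCAL.NETWORK
"""

# One keytab entry: key version number, date and time, principal name.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)$")


def parse_klist(output):
    """Return a list of (kvno, principal) tuples from a `klist -k -t` listing.

    Header and separator lines do not start with a number and are skipped.
    """
    entries = []
    for line in output.splitlines():
        match = _ENTRY.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(3)))
    return entries


def check_service_principal(entries, bind_host, realm):
    """Explain why the keytab cannot serve SPNEGO for bind_host in realm.

    bind_host is the host name the server is bound to (the -b argument) and
    the name browsers connect to; realm is the Kerberos realm. Returns a list
    of problems; an empty list means the keytab holds the right service key.
    """
    problems = []
    wanted = "HTTP/%s@%s" % (bind_host, realm)
    names = [principal for _, principal in entries]

    # Kerberos realm names are case-sensitive and conventionally upper-case;
    # a lower-case realm in the configuration silently never matches.
    if realm != realm.upper():
        problems.append("realm %r is not upper-case; Kerberos realms are case-sensitive" % realm)

    if wanted not in names:
        http_keys = [p for p in names if p.startswith("HTTP/")]
        if http_keys:
            # An HTTP/ key exists but for a different host: the SPN must match
            # the host name the browser uses to reach the portal.
            problems.append("keytab has %s but not %r; the SPN must match the host browsers connect to"
                            % (http_keys, wanted))
        else:
            problems.append("keytab has no HTTP/ service key; export one with kadmin ktadd for %r" % wanted)
    return problems


if __name__ == "__main__":
    found = parse_klist(SAMPLE_KLIST_OUTPUT)
    print("keytab entries:", found)
    print("problems for server.local.network:",
          check_service_principal(found, "server.local.network", "LOCAL.NETWORK"))
    print("problems for portal.local.network:",
          check_service_principal(found, "portal.local.network", "LOCAL.NETWORK"))
```

The host name passed to `check_service_principal` should be the same value given to `-b` when starting the server, since that is the name the browser will build its service ticket request from.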

 

Step 2: Extend the core authentication mechanisms to support SPNEGO

 

Under deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml, add a 'SPNEGO' entry to the 'authenticators' property, so that a web.xml auth-method of SPNEGO is handled by the JBoss Negotiation authenticator:

 

<property name="authenticators">
  <map keyClass="java.lang.String" valueClass="java.lang.String">
    <entry>
      <key>BASIC</key>
      <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
    </entry>
    <entry>
      <key>CLIENT-CERT</key>
      <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
    </entry>
    <entry>
      <key>DIGEST</key>
      <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
    </entry>
    <entry>
      <key>FORM</key>
      <value>org.apache.catalina.authenticator.FormAuthenticator</value>
    </entry>
    <entry>
      <key>NONE</key>
      <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
    </entry>

    <!-- Add this entry -->
    <entry>
      <key>SPNEGO</key>
      <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
    </entry>
  </map>
</property>

 

Step 3: Add the JBoss Negotiation binary

 

Copy jboss-negotiation-2.0.3.GA.jar to the lib directory of the server profile.

 

Step 4: Add the Gatein SSO module binaries

 

Add sso-agent.jar and sso-spnego.jar to deploy/gatein.ear/lib.

 

Step 5: Activate SPNEGO LoginModule for GateIn

 

Modify deploy/gatein.ear/META-INF/gatein-jboss-beans.xml, so that it looks like this:

 

<deployment xmlns="urn:jboss:bean-deployer:2.0">


  <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
    <!--
    <authentication>
      <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
    -->


    <!-- Uncomment this part (and comment out the other parts) for CAS integration -->
    <!--
    <authentication>
      <login-module code="org.gatein.sso.agent.login.SSOLoginModule" flag="required">
      </login-module>      
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
    -->

    <!-- Uncomment this for Kerberos based SSO integration -->
    <authentication>
      <login-module
         code="org.gatein.sso.spnego.SPNEGOLoginModule"
         flag="requisite">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="serverSecurityDomain">host</module-option>
      </login-module>      
      <login-module
         code="org.gatein.sso.agent.login.SPNEGORolesModule"
         flag="required">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="portalContainerName">portal</module-option>
         <module-option name="realmName">gatein-domain</module-option>
      </login-module>
   </authentication>
  </application-policy>

</deployment>

 

 

Step 6: Integrate SPNEGO support into the Portal web archive

 

Switch GateIn authentication mechanism from the default "FORM" based to "SPNEGO" based authentication as follows:

 

Modify gatein.ear/02portal.war/WEB-INF/web.xml

 

    <!--
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>gatein-domain</realm-name>
      <form-login-config>
        <form-login-page>/initiatelogin</form-login-page>
        <form-error-page>/errorlogin</form-error-page>
      </form-login-config>
    </login-config>
    -->
    <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>SPNEGO</realm-name>
    </login-config>

 

 

Integrate the request pre-processing needed for SPNEGO via filters. Add the following filters to the web.xml at the top of the filter chain, before the portal's own filters, so that they run first on every request:

 

    <filter>
      <filter-name>LoginRedirectFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
      <init-param>
        <!-- This should point to your SSO authentication server -->
        <param-name>LOGIN_URL</param-name>
        <param-value>/portal/private/classic</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>SPNEGOFilter</filter-name>
      <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>LoginRedirectFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SPNEGOFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

 

Step 7: Modify the Portal's 'Sign In' link to perform SPNEGO authentication

 

Modify the 'Sign In' link in gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl as follows, so that it points at the /portal/sso entry point instead of opening the portal login form:

 

<!--
<a onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-->
<a href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>

 

Step 8: Start the GateIn Portal

 

sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c spnego -b server.local.network

-c spnego starts the JBoss AS server profile whose conf, deployers, deploy and lib directories were edited above, and -b binds the server to server.local.network. That host name must be the one in the HTTP/ service principal of Step 1: the browser requests a Kerberos service ticket for the host name it connects to, so reaching the portal through an IP address or another alias will not yield a usable ticket. Running the server as root (sudo) is not required by SPNEGO itself; a dedicated service account that can read the keytab is preferable.

 

Step 9: Login to Kerberos

 

kinit -A demo

 

You should now be able to click the 'Sign In' link on the GateIn Portal and the 'demo' user should be logged in automatically. If it is not, check with klist that the kinit above produced a ticket-granting ticket, and make sure the browser is allowed to send Negotiate credentials to server.local.network (for Firefox, the network.negotiate-auth.trusted-uris preference); otherwise the browser will not attach a Kerberos ticket to the request.
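When the Sign In link does not log the user in, the most telling thing to inspect is the Authorization header the browser actually sent on the request that followed the server's 'WWW-Authenticate: Negotiate' challenge. The following Python snippet is an added example, not code from this page or from GateIn or JBoss Negotiation: it decodes an 'Authorization: Negotiate <base64>' value and reports whether the browser sent a SPNEGO or raw Kerberos GSS-API token, which the NegotiationAuthenticator can process, or fell back to an NTLM token, which is what a browser does when the site is not trusted for Kerberos or no ticket for HTTP/server.local.network could be obtained. Only the outer GSS-API framing (the RFC 2743 InitialContextToken with its mechanism OID) is examined; the sample headers are constructed with placeholder inner bodies and are not captured from a real browser.

```python
import base64

# Mechanism OIDs in DER-encoded form (the contents of the OBJECT IDENTIFIER).
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2


def der_tlv(tag, body):
    """Encode one DER tag-length-value with short or long-form length."""
    length = len(body)
    if length < 0x80:
        return bytes([tag, length]) + body
    length_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_negotiate_token(header_value):
    """Classify the value of an 'Authorization: Negotiate <b64>' header.

    Returns 'spnego', 'kerberos', 'ntlm' or 'unknown'. The HTTP Negotiate
    scheme carries GSS-API tokens, but browsers also reuse it for NTLM; an
    NTLM token is a sign that Kerberos SSO did not happen.
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not encoded:
        raise ValueError("not an Authorization: Negotiate header with a token")
    token = base64.b64decode(encoded, validate=True)

    # NTLM messages start with the literal signature "NTLMSSP\0".
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # A GSS-API InitialContextToken is [APPLICATION 0] (tag 0x60) wrapping
    # the mechanism OID followed by the mechanism-specific inner token.
    if not token or token[0] != 0x60:
        return "unknown"
    _, pos = der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:   # OBJECT IDENTIFIER tag
        return "unknown"
    oid_length, pos = der_length(token, pos + 1)
    oid = token[pos:pos + oid_length]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


# Constructed sample headers. The inner bodies are placeholders (a SPNEGO
# negTokenInit would carry a mechTypes list and a Kerberos AP-REQ); only the
# outer framing is needed for classification.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    der_tlv(0x60, der_tlv(0x06, SPNEGO_OID) + der_tlv(0xA0, b"\x30\x00"))).decode()
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    der_tlv(0x60, der_tlv(0x06, KRB5_OID) + b"\x01\x00" + b"\x00" * 4)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()


if __name__ == "__main__":
    for label, header in (("spnego", SAMPLE_SPNEGO), ("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM)):
        print(label, "->", classify_negotiate_token(header))
```

Paste the header value from the browser's network tools or a proxy capture into `classify_negotiate_token`. A result of 'ntlm' means the browser never obtained or never used a Kerberos ticket, so the fix lies with the ticket (kinit, realm and KDC settings) or with the browser's trusted-site configuration rather than with the server-side login modules.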