JBossNegotiation

JBoss Negotiation

 

 

 

The JBoss Negotiation project provides a Tomcat authenticator and JAAS login module to add SPNEGO support to JBoss.

 

This project is a component of the JBoss Security and Identity Management Project.

 

GA release: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=149589

(Includes code and user guide).

 

Download

 

PicketBox Downloads.

 

 

Support

 

For assistance using the authenticator, please use the Security & JAAS/JBoss user forum.

 

For development discussions, please use the Design of Security on JBoss forum.

 

Bugs and Features

 

Bugs and feature requests can be raised within the SECURITY project in Jira. Please set the component to 'Negotiation'.

 

Source

 

The source for the authenticator and the documentation is held in Subversion at the following locations:

 

 

Additional Documentation

 

If you have any additional information you feel should be included in the documentation, please feel free to add it here so it can be included in a subsequent release.

 

The following article contains the steps required in an all-Windows domain:

  http://www.jboss.org/community/wiki/ConfiguringJBossNegotiationinanallWindowsDomain

 

 

Diagram

SPNEGO.png

The diagram describes the typical use case:

  • The user logs into his desktop (such as a Windows machine). The desktop login is governed by an Active Directory domain.
  • The user then uses his browser (IE/Firefox) to access a web application (that uses JBoss Negotiation) hosted on JBoss AS or JBoss EAP.
  • The browser transfers the desktop sign-on information to the web application.
  • JBoss EAP/AS exchanges GSS messages in the background with Active Directory (or any Kerberos server) to validate the user.
  • The user has seamless SSO into the web application.

 

Integration Material for other Projects/Products at JBoss:

GateIn Integration with JBoss Negotiation

Note: For UNIX/Linux integration, see the GateIn link above.

 

Old SPNEGO/Kerberos Documentation

 

The old page discussing SPNEGO authentication can still be found at NegotiateKerberos.

 

Troubleshooting

* "[SPNEGOLoginModule] Unsupported negotiation mechanism 'NTLM'."

This means the browser is falling back to the deprecated NTLM mechanism instead of using the recommended SPNEGO mechanism.
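To confirm which mechanism a browser actually sent when this error appears, the base64 token from the `Authorization: Negotiate <token>` request header can be decoded and inspected. The following is an added example, not code from the JBoss Negotiation project; `classify` and `read_tlv` are names chosen here, the sample token is constructed, and only initial tokens are handled.

```python
import base64

# Mechanism OIDs as DER content bytes (tag and length stripped).
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",
    bytes.fromhex("2a864882f712010202"): "Kerberos V5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify(b64_token):
    """Return (kind, offered_mechanisms) for the token of a Negotiate header."""
    try:
        token = base64.b64decode(b64_token, validate=True)
        if token.startswith(b"NTLMSSP\x00"):     # bare NTLM message, no GSS framing
            return "raw NTLM", ["NTLMSSP"]
        tag, body, _ = read_tlv(token)           # 0x60: GSS-API initial context token
        if tag != 0x60:
            return "unrecognised token", []
        _, oid, pos = read_tlv(body)             # mechanism OID of the outer token
        outer = MECHS.get(oid, oid.hex())
        if outer != "SPNEGO":
            return outer, [outer]
        value = body[pos:]
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
            tag, value, _ = read_tlv(value)
            if tag != expected:
                raise ValueError("not a NegTokenInit")
        offered, pos = [], 0
        while pos < len(value):                  # walk the list of offered mechanism OIDs
            _, oid, pos = read_tlv(value, pos)
            offered.append(MECHS.get(oid, oid.hex()))
        return "SPNEGO", offered
    except (ValueError, IndexError):             # bad base64 or truncated DER
        return "malformed token", []

# Constructed sample: SPNEGO NegTokenInit offering Kerberos V5, then NTLMSSP.
SAMPLE_SPNEGO = base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")).decode()
```

A result of `raw NTLM`, or an SPNEGO token whose list contains only `NTLMSSP`, shows that the client did not offer Kerberos at all.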

 

References

 

JBoss AS7/WildFly/EAP6 Kerberos: look for NegotiationAuthenticatorValve in https://community.jboss.org/wiki/AS7EAP6CustomAuthenticatorValves-WritingAndConfiguring