Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

5.8.2. Desktop SSO using SPNEGO

To configure the desktop SSO using SPNEGO configure the following:
  • Security Domain
  • System Properties
  • Web Application

Procedure 5.5. Configure Desktop SSO using SPNEGO

  1. Configure Security Domain

    Configure the security domains to represent the identity of the server and to secure the web application.

    Example 5.15. Security Domain Configuration

    <security-domains>

    <security-domain name="host" cache-type="default">

      <authentication>

        <login-module code="Kerberos" flag="required">

          <module-option name="storeKey" value="true"/>

          <module-option name="useKeyTab" value="true"/>

          <module-option name="principal" value="host/testserver@MY_REALM"/>

          <module-option name="keyTab" value="/home/username/service.keytab"/>

          <module-option name="doNotPrompt" value="true"/>

          <module-option name="debug" value="false"/>

        </login-module>

       </authentication>

     </security-domain>

   

     <security-domain name="SPNEGO" cache-type="default">

       <authentication>

         <login-module code="SPNEGO"  flag="requisite">

           <module-option name="password-stacking" value="useFirstPass"/>

           <module-option name="serverSecurityDomain" value="host"/>

         </login-module>


         <!-- Login Module For Roles Search -->

       </security-domain>
    Copy to Clipboard Toggle word wrap

  2. Setup the System Properties

    If required, the system properties can be set in the domain model.

    Example 5.16. Configure System Properties

    <system-properties>

      <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>

      <property name="java.security.krb5.realm" value="MY_REALM"/>

    </system-properties>
    Copy to Clipboard Toggle word wrap

  3. Configure Web Application

    It is not possible to override the authenticators, but it is possible to add the NegotiationAuthenticator as a valve to your jboss-web.xml descriptor to configure the web application.

    Note

    The valve requires the security-constraint and login-config to be defined in the web.xml file as this is used to decide which resources are secured. However, the chosen auth-method is overridden by this authenticator.

    Example 5.17. Configure Web Application

     <!DOCTYPE jboss-web PUBLIC
  "-//JBoss//DTD Web Application 2.4//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">   

  <jboss-web>

    <security-domain>java:/jaas/SPNEGO</security-domain>

    <valve>

      <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>

    </valve>

  </jboss-web>
    Copy to Clipboard Toggle word wrap
    The web application also requires a dependency defining in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located.

    Example 5.18. Define Dependency in META-INF/MANIFEST.MF

        Manifest-Version: 1.0

    Build-Jdk: 1.6.0_24

    Dependencies: org.jboss.security.negotiation
    Copy to Clipboard Toggle word wrap
Report a bug
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat