Este contenido no está disponible en el idioma seleccionado.
17.8. Configure Kerberos or Microsoft Active Directory Desktop SSO for Web Applications
To authenticate your web or EJB applications using your organization's existing Kerberos-based authentication and authorization infrastructure, such as Microsoft Active Directory, you can use the JBoss Negotiation capabilities built into JBoss EAP 6. If you configure your web application properly, a successful desktop or network login is sufficient to transparently authenticate against your web application, so no additional login prompt is required.
There are a few noticeable differences between JBoss EAP 6 and earlier versions:
- Security domains are configured for each profile of a managed domain, or for each standalone server. They are not part of the deployment itself. The security domain a deployment should use is named in the deployment'sjboss-web.xmlorjboss-ejb3.xmlfile.
- Security properties are configured as part of a security domain. They are not part of the deployment.
- You can no longer override the authenticators as part of your deployment. However, you can add a NegotiationAuthenticator valve to yourjboss-web.xmldescriptor to achieve the same effect. The valve still requires the<security-constraint>and<login-config>elements to be defined in theweb.xml. These are used to decide which resources are secured. However, the chosen auth-method will be overridden by the NegotiationAuthenticator valve in thejboss-web.xml.
- TheCODEattributes in security domains now use a simple name instead of a fully-qualified class name. The following table shows the mappings between the classes used for JBoss Negotiation, and their classes.
| Simple Name | Class Name | Purpose | 
|---|---|---|
| Kerberos | 
						com.sun.security.auth.module.Krb5LoginModule
					 
						com.ibm.security.auth.module.Krb5LoginModule
					 | 
						Kerberos login module when using the Oracle JDK
					 
						Kerberos login module when using the IBM JDK
					 | 
| SPNEGO | org.jboss.security.negotiation.spnego.SPNEGOLoginModule | The mechanism which enables your Web applications to authenticate to your Kerberos authentication server. | 
| AdvancedLdap | org.jboss.security.negotiation.AdvancedLdapLoginModule | Used with LDAP servers other than Microsoft Active Directory. | 
| AdvancedAdLdap | org.jboss.security.negotiation.AdvancedADLoginModule | Used with Microsoft Active Directory LDAP servers. | 
			The JBoss Negotiation Toolkit is a debugging tool which is available for download from https://community.jboss.org/servlet/JiveServlet/download/16876-2-34629/jboss-negotiation-toolkit.war. It is provided as an extra tool to help you to debug and test the authentication mechanisms before introducing your application into production. It is an unsupported tool, but is considered to be very helpful, as SPNEGO can be difficult to configure for web applications.
		
Procedure 17.1. Setup SSO Authentication for your Web or EJB Applications
- Configure one security domain to represent the identity of the server. Set system properties if necessary. The first security domain authenticates the container itself to the directory service. It needs to use a login module which accepts some type of static login mechanism, because a real user is not involved. This example uses a static principal and references a keytab file which contains the credential.The XML code is given here for clarity, but you should use the Management Console or Management CLI to configure your security domains.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure a second security domain to secure the web application or applications. Set system properties if necessary. The second security domain is used to authenticate the individual user to the Kerberos or SPNEGO authentication server. You need at least one login module to authenticate the user, and another to search for the roles to apply to the user. The following XML code shows an example SPNEGO security domain. It includes an authorization module to map roles to individual users. You can also use a module which searches for the roles on the authentication server itself.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Specify the security-constraint and login-config in the - web.xmlThe- web.xmldescriptor contain information about security constraints and login configuration. The following are example values for each.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Specify the security domain and other settings in the - jboss-web.xmldescriptor.Specify the name of the client-side security domain (the second one in this example) in the- jboss-web.xmldescriptor of your deployment, to direct your application to use this security domain.You can no longer override authenticators directly. Instead, you can add the NegotiationAuthenticator as a valve to your- jboss-web.xmldescriptor, if you need to. The- <jacc-star-role-allow>allows you to use the asterisk (*) character to match multiple role names, and is optional.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add a dependency to your application's - MANIFEST.MF, to locate the Negotiation classes.The web application needs a dependency on class- org.jboss.security.negotiationto be added to the deployment's- META-INF/MANIFEST.MFmanifest, in order to locate the JBoss Negotiation classes. The following shows a properly-formatted entry.- Manifest-Version: 1.0 Build-Jdk: 1.6.0_24 Dependencies: org.jboss.security.negotiation - Manifest-Version: 1.0 Build-Jdk: 1.6.0_24 Dependencies: org.jboss.security.negotiation- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - As an alternative, add a dependency to your application by editing theMETA-INF/jboss-deployment-structure.xmlfile:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
 
Your web application accepts and authenticates credentials against your Kerberos, Microsoft Active Directory, or other SPNEGO-compatible directory service. If the user runs the application from a system which is already logged into the directory service, and where the required roles are already applied to the user, the web application does not prompt for authentication, and SSO capabilities are achieved.