5.8.2. Desktop SSO using SPNEGO

Procedure 5.5. Configure Desktop SSO using SPNEGO

1. Configure Security Domain

   Configure the security domains to represent the identity of the server and to secure the web application.

   Example 5.15. Security Domain Configuration

   <security-domains>
   
       <security-domain name="host" cache-type="default">
   
         <authentication>
   
           <login-module code="Kerberos" flag="required">
   
             <module-option name="storeKey" value="true"/>
   
             <module-option name="useKeyTab" value="true"/>
   
             <module-option name="principal" value="host/testserver@MY_REALM"/>
   
             <module-option name="keyTab" value="/home/username/service.keytab"/>
   
             <module-option name="doNotPrompt" value="true"/>
   
             <module-option name="debug" value="false"/>
   
           </login-module>
   
          </authentication>
   
        </security-domain>
   
      
   
        <security-domain name="SPNEGO" cache-type="default">
   
          <authentication>
   
            <login-module code="SPNEGO"  flag="requisite">
   
              <module-option name="password-stacking" value="useFirstPass"/>
   
              <module-option name="serverSecurityDomain" value="host"/>
   
            </login-module>
   
   
            <!-- Login Module For Roles Search -->
   
          </security-domain>
   

   Copy to Clipboard Toggle word wrap

2. Setup the System Properties

   If required, the system properties can be set in the domain model.

   Example 5.16. Configure System Properties

   <system-properties>
   
         <property name="java.security.krb5.kdc" value="mykdc.mydomain"/>
   
         <property name="java.security.krb5.realm" value="MY_REALM"/>
   
       </system-properties>
   

   Copy to Clipboard Toggle word wrap

3. Configure Web Application

   It is not possible to override the authenticators, but it is possible to add the NegotiationAuthenticator as a valve to your jboss-web.xml descriptor to configure the web application.

   Note

   The valve requires the security-constraint and login-config to be defined in the web.xml file as this is used to decide which resources are secured. However, the chosen auth-method is overridden by this authenticator.

   Example 5.17. Configure Web Application

    <!DOCTYPE jboss-web PUBLIC
     "-//JBoss//DTD Web Application 2.4//EN"
     "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">   
   
     <jboss-web>
   
       <security-domain>java:/jaas/SPNEGO</security-domain>
   
       <valve>
   
         <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
   
       </valve>
   
     </jboss-web>
   

   Copy to Clipboard Toggle word wrap
   The web application also requires a dependency defining in META-INF/MANIFEST.MF so that the JBoss Negotiation classes can be located.

   Example 5.18. Define Dependency in META-INF/MANIFEST.MF

       Manifest-Version: 1.0
   
       Build-Jdk: 1.6.0_24
   
       Dependencies: org.jboss.security.negotiation
   

   Copy to Clipboard Toggle word wrap