Silent Domain Authorization in GlassFish
In this article, I will look at how you can implement silent domain authorization (Kerberos) on the GlassFish application server.
The test was conducted on a PC with Windows 7 Pro SP1 (64-bit), JDK 1.7.0_25 (64-bit) and GlassFish 4 (build 89).
We will use the SPNEGO library. This article is essentially a translation and adaptation of what is described on the library's page in English.
Preflight preparation
1) Make sure your server is in a domain.
2) Make sure that the application server (GlassFish) is started by a domain user.
3) Make sure that you have the login and password of the specially created domain user (I used the same user as in step 2).
4) Make sure HelloKDC.java works correctly. HelloKDC.java is a small application that lets us find out whether everything is ready for takeoff and whether the flight is possible at all.
In this code you need to add a few lines, namely:
// Domain (pre-authentication) account
final String username = "<Username from the third paragraph>";
// Password for the pre-auth acct.
final String password = "<Password of the user from the third paragraph>";
// Name of our krb5 config file
final String krbfile = "krb5.conf";
// Name of our login config file
final String loginfile = "login.conf";
// Name of our login module
final String module = "spnego-client";
Next, add the krb5.conf and login.conf files.
In my case, krb5.conf looks like this:
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
<root domain> = {
kdc = <KDC server domain name>
default_domain = <root domain>
}
[domain_realm]
.<root domain> = <root domain>
In the encryption types I added aes256-cts-hmac-sha1-96 so that it works correctly with Windows 7 clients.
My FQDN is not in the root domain, but I nevertheless decided to specify the root domain and the root KDC.
After running HelloKDC, we should get a short report that ends with "Connection test successful.".
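As an added preflight check (this is not the SPNEGO project's HelloKDC and not code from the article), the class below performs a plain JAAS Kerberos login against the KDC using the same krb5.conf, login.conf and login-module name as HelloKDC, and prints what the issued TGT looks like. It assumes that login.conf contains an entry named spnego-client backed by com.sun.security.auth.module.Krb5LoginModule (the entry shown in the comment is an assumption, since the article does not print its login.conf), and it is written without lambdas so that it compiles on the JDK 1.7 used in the article.

```java
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added preflight check (not the SPNEGO project's HelloKDC): logs in to the KDC
 * with the pre-auth account and reports the TGT that came back. A wrong realm,
 * KDC name or unsupported encryption type in krb5.conf fails at lc.login().
 *
 * Assumed login.conf entry (the article does not show its login.conf):
 *
 *   spnego-client {
 *       com.sun.security.auth.module.Krb5LoginModule required;
 *   };
 */
public class KdcPreflight {

    // Same placeholders as in HelloKDC.java: fill in before running
    static final String USERNAME   = "<Username from the third paragraph>";
    static final String PASSWORD   = "<Password of the user from the third paragraph>";
    static final String KRB_FILE   = "krb5.conf";
    static final String LOGIN_FILE = "login.conf";
    static final String MODULE     = "spnego-client";

    /** Hands the pre-auth account's name and password to Krb5LoginModule when it asks. */
    static CallbackHandler credentials(final String user, final String pass) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(pass.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    /** Logs in and returns the Kerberos TGT, or throws if the KDC refused the login. */
    static KerberosTicket obtainTgt() throws LoginException {
        // Point the JDK at the same config files the servlet filter will use later
        System.setProperty("java.security.krb5.conf", KRB_FILE);
        System.setProperty("java.security.auth.login.config", LOGIN_FILE);

        LoginContext lc = new LoginContext(MODULE, credentials(USERNAME, PASSWORD));
        lc.login(); // AS exchange with the KDC happens here

        Subject subject = lc.getSubject();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            throw new LoginException("Login succeeded but no Kerberos ticket was issued");
        }
        return tickets.iterator().next();
    }

    public static void main(String[] args) {
        try {
            KerberosTicket tgt = obtainTgt();
            System.out.println("Client principal  : " + tgt.getClient().getName());
            System.out.println("Service principal : " + tgt.getServer().getName()); // krbtgt/REALM@REALM
            System.out.println("Ticket valid until: " + tgt.getEndTime());
            // Enctype 18 is aes256-cts-hmac-sha1-96, the type added to krb5.conf above
            System.out.println("Session key type  : " + tgt.getSessionKeyType());
            System.out.println("Connection test successful.");
        } catch (LoginException e) {
            System.err.println("Connection test FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it from the directory that holds krb5.conf and login.conf. It only exercises the first half of what HelloKDC does (obtaining a TGT), which is enough to validate the realm, KDC and encryption-type settings in krb5.conf; the SPN itself is validated later, once the filter is in place and a browser actually negotiates against the server.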
Go!
1) Put the spnego.jar library directly into the directory with the GlassFish libraries, namely GLASSFISH_HOME\lib
2) Modify the default-web.xml file of the corresponding GlassFish domain; it is located in the GLASSFISH_HOME\domains\<domain name>\config folder.
The modification consists in adding a servlet filter:
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>Username from HelloKDC</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>User password from HelloKDC</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
3) Copy the krb5.conf file there as well (into GLASSFISH_HOME\domains\<domain name>\config).
4) Modify the login.conf file in GLASSFISH_HOME\domains\<domain name>\config by adding the data from the previous login.conf (the one I made for HelloKDC).
5) Register the SPNs
In my case the machine name was smirnoff and its fully qualified name is smirnoff.<fully qualified domain name>, so I registered (more precisely, the LAN admins registered) 2 SPNs for the account name (the one we entered into the HelloKDC source and into the servlet filter settings), namely
setspn -A HTTP/smirnoff <account name>
setspn -A HTTP/smirnoff.<fully qualified domain name> <account name>
That is, add one record with the full name and one with the short name.
Work check
You can check that it works using a simple JSP page (JSP because we specified the *.jsp mask in the filter settings to intercept the request), which we put, for example, in the docroot of our GlassFish domain. When accessing the page, we should see the following text: Hello <your account name>!
<html>
<head><title>Hello SPNEGO Example</title></head>
<body>
Hello <%= request.getRemoteUser() %> !
</body>
</html>
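The JSP above only shows the happy path. As an added example (my code, not from the article or the SPNEGO project), the servlet below does the same check but also covers the two cases a defender cares about: a request that reaches the application without an authenticated user (the filter did not run or was bypassed), and a user who authenticated via the Basic fallback over plain HTTP, which is what spnego.allow.unsecure.basic=true permits and which sends the password across the wire in the clear. It assumes the filter mapping in default-web.xml is extended with a second <url-pattern>/whoami</url-pattern> so that SpnegoHttpFilter runs in front of it; the servlet name and path are mine.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the article): reports what the SPNEGO filter
 * established for this request and logs the cases worth noticing.
 * Assumes a filter-mapping for SpnegoHttpFilter that covers /whoami.
 */
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(WhoAmIServlet.class.getName());

    /** Greeting the page shows, or null when no user was authenticated. */
    static String greeting(String remoteUser) {
        return remoteUser == null ? null : "Hello " + remoteUser + "!";
    }

    /** True when the credentials used for this request crossed the wire unprotected. */
    static boolean basicOverCleartext(String authType, boolean secure) {
        return "Basic".equalsIgnoreCase(authType) && !secure;
    }

    /** Minimal HTML escaping so a principal name cannot inject markup into the page. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();     // set by the filter's request wrapper on success
        Principal principal = req.getUserPrincipal();
        String authType = req.getAuthType();   // scheme the filter's wrapper reports, e.g. Negotiate or Basic

        if (user == null) {
            // The filter should have sent the 401/Negotiate challenge itself; reaching
            // this point means no filter ran for this URL, so refuse rather than greet.
            LOG.warning("Unauthenticated request reached " + req.getRequestURI()
                    + " from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (basicOverCleartext(authType, req.isSecure())) {
            // Acceptable only while testing with spnego.allow.unsecure.basic=true
            LOG.warning("User " + user + " authenticated with Basic over plain HTTP from "
                    + req.getRemoteAddr());
        }
        LOG.info("Authenticated " + user + " via " + authType + " from " + req.getRemoteAddr());

        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<html><body>");
            out.println(escape(greeting(user)));
            out.println("<br>principal: " + (principal == null ? "n/a" : escape(principal.getName())));
            out.println("<br>auth type: " + (authType == null ? "n/a" : escape(authType)));
            out.println("</body></html>");
        }
    }
}
```

Deploy it in the same web application as the JSP and open /whoami from a domain-joined workstation: a silent Negotiate login should show the account name and log an INFO line, while a Basic login over http:// shows the same page but leaves a WARNING in the server log, which is the signal to switch spnego.allow.unsecure.basic back to false once testing is done.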
PS
I could not get the source code to display properly.
I will be happy to answer questions in the comments to the article.