Silent Domain Authorization in GlassFish

    In this article, I will look at how you can implement silent domain authorization (Kerberos) on the GlassFish application server.
    The test was conducted on a PC with Windows 7 Pro SP1 (64-bit), JDK 1.7.0_25 (64-bit) and GlassFish 4 (ver 89).
    We will use the SPNEGO library. This article is actually a translation and adaptation of what you can find on the library page in English.


    Preflight preparation

    1) Make sure your server is in a domain.
    2) Make sure that the application server (GlassFish) is started under a domain user.
    3) Make sure that you have the login and password of the dedicated domain user (I used the same user as in step 2).
    4) Make sure HelloKDC.java works correctly.
    HelloKDC.java is a small application that lets us understand whether everything is ready for takeoff and whether a flight is possible at all.
    In this code, you need to fill in a few lines, namely:

    // Domain (pre-authentication) account
    final String username = "<Username from the third paragraph>";

    // Password for the pre-auth acct.
    final String password = "<Password from the user from the third paragraph>";

    // Name of our krb5 config file
    final String krbfile = "krb5.conf";

    // Name of our login config file
    final String loginfile = "login.conf";

    // Name of our login module
    final String module = "spnego-client";


    Next, add the krb5.conf and login.conf files.
    In my case, krb5.conf looks like this:

    [libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

    [realms]
    <root domain> = {
    kdc = <KDC server domain name>
    default_domain = <root domain>
    }

    [domain_realm]
    .<root domain> = <root domain>


    In the algorithms I added aes256-cts-hmac-sha1-96 so that it works correctly with Windows 7 clients.
    My FQDN is different from the root; however, I decided to add the root and the root KDC.

    After starting HelloKDC, we should get a small report, at the end of which should be written "Connection test successful.".
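    The article shows krb5.conf but not login.conf. As an added example (not the author's file), here is a login.conf with the two JAAS entries the filter settings refer to, spnego-client and spnego-server, built on the JDK's Krb5LoginModule; the commented keytab variant and its paths are assumptions:

```conf
// login.conf (added example, not the author's file).
// Entry names must match spnego.login.client.module and
// spnego.login.server.module in the filter settings, and the
// "module" constant in HelloKDC.java.

// Client side: logs in with the pre-auth account
// (spnego.preauth.username / spnego.preauth.password) to obtain a ticket.
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

// Server side: accepts the SPNEGO token sent by the browser.
// storeKey=true keeps the service key so incoming tickets can be decrypted;
// isInitiator=false because the server side never requests a TGT itself.
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        isInitiator=false;
};

// Assumed alternative, not shown on the page: read the service key from a
// keytab instead of keeping the account password in default-web.xml.
// The principal is the account that owns the HTTP/<host> SPNs set with setspn.
// spnego-server {
//     com.sun.security.auth.module.Krb5LoginModule required
//         useKeyTab=true
//         keyTab="<path to keytab>"
//         principal="HTTP/smirnoff.<fully qualified domain name>"
//         storeKey=true
//         isInitiator=false
//         doNotPrompt=true;
// };
```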

    Go!

    1) Add the spnego.jar library directly to the directory with the GlassFish libraries, namely GLASSFISH_HOME\lib
    2) Modify the default-web.xml file of the corresponding GlassFish domain; it is located in the GLASSFISH_HOME\domains\<domain name>\config folder.
    The modification consists of adding a servlet filter (note that with spnego.allow.basic and spnego.allow.unsecure.basic both set to true, the filter also accepts Basic authentication, i.e. a username and password, over plain HTTP, which is acceptable only for a test setup):

    <filter>
        <filter-name>SpnegoHttpFilter</filter-name>
        <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

        <init-param>
            <param-name>spnego.allow.basic</param-name>
            <param-value>true</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.allow.localhost</param-name>
            <param-value>true</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.allow.unsecure.basic</param-name>
            <param-value>true</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.login.client.module</param-name>
            <param-value>spnego-client</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.krb5.conf</param-name>
            <param-value>krb5.conf</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.login.conf</param-name>
            <param-value>login.conf</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.preauth.username</param-name>
            <param-value>Username from HelloKDC</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.preauth.password</param-name>
            <param-value>User password from HelloKDC</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.login.server.module</param-name>
            <param-value>spnego-server</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.prompt.ntlm</param-name>
            <param-value>true</param-value>
        </init-param>

        <init-param>
            <param-name>spnego.logger.level</param-name>
            <param-value>1</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>



    3) Copy the krb5.conf file (also into GLASSFISH_HOME\domains\<domain name>\config).
    4) Modify the login.conf file in GLASSFISH_HOME\domains\<domain name>\config by adding the data from the previous login.conf (the one I made for HelloKDC).
    5) Register the SPNs.
    In my case, the machine name was smirnoff and the fully qualified name of the machine was smirnoff.<fully qualified domain name>, so I registered (more precisely, the LAN admins registered) 2 SPNs for the account name (the one we entered into the HelloKDC source and into the servlet filter settings), namely:
    setspn -A HTTP/smirnoff <account name>
    setspn -A HTTP/smirnoff.<fully qualified domain name> <account name>
    That is, add one record with the full name and one with the short name.

    Work check

    You can check the operation using a simple JSP page (JSP because we specified the *.jsp mask in the filter settings to intercept the request), which we put, for example, in the docroot of our GlassFish domain. When accessing the page, we should get the following text: Hello <your account name>!

    <html>
    <head><title>Hello SPNEGO Example</title></head>
    <body>
    Hello <%= request.getRemoteUser() %> !
    </body>
    </html>

    PS

    Could not cope with the source code display.
    I will be happy to answer questions in the comments to the article.
