SlideShare a Scribd company logo

JBoss Negotiation in AS7

Josef Cacek, profile picture
Josef Cacek

This document provides an overview of configuring Kerberos authentication for JBoss Application Server 7 (AS7). It discusses the necessary technologies, including Kerberos and SPNEGO. It then describes how to configure the JBoss AS for Kerberos authentication through standalone.xml, set up a sample web application with security constraints, and configure clients. Several common pitfalls are also outlined, such as ensuring service principal names follow the correct format and properly configuring IPv6 and IBM Java implementations.

Technology
1 of 23
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
JBoss Negotiation in AS7 Get Kerberos authentication working Josef Cacek Senior QE Engineer, Red Hat DevConf 2013
Agenda  Technologies introduction  Quickstart  Configuration  Troubleshooting
JBoss Negotiation in AS7
Introduction: Kerberos  ticket based network authentication protocol
JBoss Negotiation  Negotiation (SPNEGO) support for JBoss AS ● protocols ● Kerberos ● NTLM ● components ● authenticator – a JBoss Web valve ● JAAS Login modules ● toolkit to check the configuration
Quickstart https://github.com/kwart/spnego-demo https://github.com/kwart/kerberos-using-apacheds
JBoss AS configuration $JBOSS_HOME/standalone/configuration/standalone.xml
standalone.xml – security domains (1) <security-domain name="host" cache-type="default"> <authentication>     <login-module code="Kerberos" flag="required">       <module-option name="debug" value="true"/>       <module-option name="storeKey" value="true"/>       <module-option name="refreshKrb5Config" value="true"/>       <module-option name="useKeyTab" value="true"/>       <module-option name="doNotPrompt" value="true"/>       <module option ‑ name="keyTab"         value="/path/to/http.keytab"/>       <module-option name="principal"         value="HTTP/localhost@JBOSS.ORG"/>     </login-module>   </authentication> </security-domain>
standalone.xml – security domains (2) <security-domain name="SPNEGO" cache-type="default"> <authentication>     <login-module code="SPNEGO" flag="required">       <module-option name="serverSecurityDomain"         value="host"/>     </login-module>   </authentication>   <mapping>     <mapping-module code="SimpleRoles" type="role">       <module-option name="jduke@JBOSS.ORG" value="Admin"/>       <module-option name="hnelson@JBOSS.ORG" value="User"/> </mapping-module>   </mapping> </security-domain>
standalone.xml – Kerberos related system properties <system-properties> <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/> <property name="java.security.krb5.debug" value="true"/> <property name="jboss.security.disable.secdomain.option" value="true"/> </system-properties>
Web application configuration
WAR – Web archive
WEB-INF/web.xml  define your security constraints and roles <security-constraint>   <web-resource-collection>     <web-resource-name>Admin Data</web-resource-name>     <url-pattern>/admin/*</url-pattern>   </web-resource-collection>   <auth-constraint>     <role-name>Admin</role-name>   </auth-constraint> </security-constraint> <security-role>   <role-name>Admin</role-name> </security-role>
 security domain  custom authenticator <jboss-web> <security-domain>SPNEGO</security-domain> <valve>         <class name‑ >org.jboss.security.negoti ation.NegotiationAuthenticator</class-name> </valve> </jboss-web> WEB-INF/jboss-web.xml
META-INF/jboss-deployment-structure.xml  define module dependencies <jboss-deployment-structure> <deployment> <dependencies> <module name="org.jboss.security.negotiation" /> </dependencies> </deployment> </jboss-deployment-structure>
Client configuration
krb5.conf  configure the realm [libdefaults] default_realm = MY-COMPANY.CZ [realms] MY-COMPANY.CZ = { kdc = kerberos.my-company.cz:688 } [domain_realm] .my-company.cz = MY-COMPANY.CZ  Use KRB5_CONFIG environment variable if you don't want to change system wide /etc/krb5.conf $ export KRB5_CONFIG=/path/to/krb5.conf
Browser configuration – allow negotiation for the domain  Firefox – use about:config in the address bar network.negotiate-auth.delegation-uris=.my-company.cz network.negotiate-auth.trusted-uris =.my-company.cz  Chromium $ chromium-browser > --auth-server-whitelist=.my-company.cz > --auth-negotiate-delegate-whitelist=.my-company.cz
And if it still doesn't work …
Pitfalls – principal names  The Service Principal Name (SPN) must follow the rule <service type> / <hostname> @ <realm> For the request http://my-server.my-company.cz/ use SPN: HTTP/my-server.my-company.cz@MYCOMP.CZ  Mixing IPs and hostnames usually doesn't work: HTTP/localhost@MYCOMP.CZ http://127.0.0.1/
Pitfalls - IPv6  HTTP: ● http://[0:0:0:0:0:0:0:1]:8080/my-app/ ● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG  LDAP (can be used for role-mapping): ● ldap://[0:0:0:0:0:0:0:1]:389 ● ldap/0:0:0:0:0:0:0:1@JBOSS.ORG
Pitfalls - IBM Java  host's login module <login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required" > ● module options are not the same!  krb5.conf – check [libdefaults] section ● encryption support ● default_tgs_enctypes ● default_tkt_enctypes ● allow_weak_crypto ● forwardable ticktet when a client uses Krb5LoginModule ● forwardable = true
Thank you.

More Related Content

PDF
JBoss AS 7 따라잡기
jbugkorea
 
PDF
Undertow 맛보기
jbugkorea
 
PPTX
Introduction to Wildfly 8 - Marchioni
Codemotion
 
PPTX
Jboss App Server
acosdt
 
PDF
JBoss at Work: Using JBoss AS 6
Saltmarch Media
 
PDF
JBoss Enterprise Application Platform 6 Troubleshooting
Alexandre Cavalcanti
 
PDF
Devoxx 2013, WildFly BOF
Dimitris Andreadis
 
PDF
WildFly AppServer - State of the Union
Dimitris Andreadis
 
JBoss AS 7 따라잡기
jbugkorea
 
Undertow 맛보기
jbugkorea
 
Introduction to Wildfly 8 - Marchioni
Codemotion
 
Jboss App Server
acosdt
 
JBoss at Work: Using JBoss AS 6
Saltmarch Media
 
JBoss Enterprise Application Platform 6 Troubleshooting
Alexandre Cavalcanti
 
Devoxx 2013, WildFly BOF
Dimitris Andreadis
 
WildFly AppServer - State of the Union
Dimitris Andreadis
 

What's hot (20)

PDF
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
Dimitris Andreadis
 
PDF
WildFly BOF and V9 update @ Devoxx 2014
Dimitris Andreadis
 
PPT
J boss
jrfx448
 
PPTX
JBoss AS 7
C2B2 Consulting
 
PDF
Introduction to Role Based Administration in WildFly 8
Dimitris Andreadis
 
PDF
Turn you Java EE Monoliths into Microservices with WildFly Swarm
Dimitris Andreadis
 
PPTX
Javascript Bundling and modularization
stbaechler
 
PDF
JBoss EAP / WildFly, State of the Union
Dimitris Andreadis
 
PDF
JBoss started guide
franarayah
 
PDF
JBoss Fuse - Fuse workshop EAP container
Christina Lin
 
KEY
JBoss AS7 Overview
JBug Italy
 
PPTX
Jboss Tutorial Basics
Anandraj Kulkarni
 
PPTX
JBOSS Training
mindmajixtrainings
 
PDF
Cli jbug
maeste
 
ODP
GlassFish and JavaEE, Today and Future
Alexis Moussine-Pouchkine
 
PDF
Asadmin Webinar 12 Feb 2009
Eduardo Pelegri-Llopart
 
PDF
Jolokia - JMX on Capsaicin (Devoxx 2011)
roland.huss
 
PDF
Angular2 ecosystem
Kamil Lelonek
 
PDF
Node.js in a heterogeneous system
GeeksLab Odessa
 
PDF
Embedding GlassFish v3 in Ehcache Server
Eduardo Pelegri-Llopart
 
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
Dimitris Andreadis
 
WildFly BOF and V9 update @ Devoxx 2014
Dimitris Andreadis
 
J boss
jrfx448
 
JBoss AS 7
C2B2 Consulting
 
Introduction to Role Based Administration in WildFly 8
Dimitris Andreadis
 
Turn you Java EE Monoliths into Microservices with WildFly Swarm
Dimitris Andreadis
 
Javascript Bundling and modularization
stbaechler
 
JBoss EAP / WildFly, State of the Union
Dimitris Andreadis
 
JBoss started guide
franarayah
 
JBoss Fuse - Fuse workshop EAP container
Christina Lin
 
JBoss AS7 Overview
JBug Italy
 
Jboss Tutorial Basics
Anandraj Kulkarni
 
JBOSS Training
mindmajixtrainings
 
Cli jbug
maeste
 
GlassFish and JavaEE, Today and Future
Alexis Moussine-Pouchkine
 
Asadmin Webinar 12 Feb 2009
Eduardo Pelegri-Llopart
 
Jolokia - JMX on Capsaicin (Devoxx 2011)
roland.huss
 
Angular2 ecosystem
Kamil Lelonek
 
Node.js in a heterogeneous system
GeeksLab Odessa
 
Embedding GlassFish v3 in Ehcache Server
Eduardo Pelegri-Llopart
 
Ad

Viewers also liked (11)

PPTX
Jar signing
LearningTech
 
PPTX
Java Secure Coding Practices
OWASPKerala
 
PDF
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
PPTX
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Martin Toshev
 
PPT
Java security
Ankush Kumar
 
PPTX
Security Architecture of the Java platform
Martin Toshev
 
ODP
OWASP Secure Coding
bilcorry
 
PDF
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
PPTX
Secure coding practices
Scott Hurrey
 
PPTX
Deep dive into Java security architecture
Prabath Siriwardena
 
PDF
Javantura v4 - Security architecture of the Java platform - Martin Toshev
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Jar signing
LearningTech
 
Java Secure Coding Practices
OWASPKerala
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Martin Toshev
 
Java security
Ankush Kumar
 
Security Architecture of the Java platform
Martin Toshev
 
OWASP Secure Coding
bilcorry
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
Secure coding practices
Scott Hurrey
 
Deep dive into Java security architecture
Prabath Siriwardena
 
Javantura v4 - Security architecture of the Java platform - Martin Toshev
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Ad

Similar to JBoss Negotiation in AS7 (20)

PDF
Secure Middleware with JBoss AS 5
Anil Saldanha
 
PDF
Resource Registries: Plone Conference 2014
Rob Gietema
 
KEY
Nodejs web,db,hosting
Kenu, GwangNam Heo
 
PDF
As7 web services - JUG Milan April 2012
alepalin
 
PDF
Seguranca em APP Rails
Daniel Lopes
 
PDF
Resource registries plone conf 2014
Ramon Navarro
 
PDF
Securing Java EE apps using WildFly Elytron
Jan Kalina
 
ODP
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
Timofey Turenko
 
PDF
JBoss AS 7 - YaJUG - nov. 2012
Alexis Hassler
 
PDF
JBoss AS7 web services
alepalin
 
PDF
JBoss AS7 Webservices
JBug Italy
 
PDF
BP-6 Repository Customization Best Practices
Alfresco Software
 
PDF
Год в Github bugbounty, опыт участия
defcon_kz
 
ODP
Signature verification of kernel module and kexec
joeylikernel
 
PDF
Cloud Best Practices
Eric Bottard
 
PDF
vert.x 소개 및 개발 실습
John Kim
 
PDF
Node.js vs Play Framework
Yevgeniy Brikman
 
PPT
Java 6 [Mustang] - Features and Enchantments
Pavel Kaminsky
 
PPTX
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios
 
PDF
April 2010 - JBoss Web Services
JBug Italy
 
Secure Middleware with JBoss AS 5
Anil Saldanha
 
Resource Registries: Plone Conference 2014
Rob Gietema
 
Nodejs web,db,hosting
Kenu, GwangNam Heo
 
As7 web services - JUG Milan April 2012
alepalin
 
Seguranca em APP Rails
Daniel Lopes
 
Resource registries plone conf 2014
Ramon Navarro
 
Securing Java EE apps using WildFly Elytron
Jan Kalina
 
DB proxy server test: run tests on tens of virtual machines with Jenkins, Vag...
Timofey Turenko
 
JBoss AS 7 - YaJUG - nov. 2012
Alexis Hassler
 
JBoss AS7 web services
alepalin
 
JBoss AS7 Webservices
JBug Italy
 
BP-6 Repository Customization Best Practices
Alfresco Software
 
Год в Github bugbounty, опыт участия
defcon_kz
 
Signature verification of kernel module and kexec
joeylikernel
 
Cloud Best Practices
Eric Bottard
 
vert.x 소개 및 개발 실습
John Kim
 
Node.js vs Play Framework
Yevgeniy Brikman
 
Java 6 [Mustang] - Features and Enchantments
Pavel Kaminsky
 
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios
 
April 2010 - JBoss Web Services
JBug Italy
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
A Presentation on Artificial Intelligence
memembruh336
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 

JBoss Negotiation in AS7

  • 1. JBoss Negotiation in AS7 Get Kerberos authentication working Josef Cacek Senior QE Engineer, Red Hat DevConf 2013
  • 2. Agenda  Technologies introduction  Quickstart  Configuration  Troubleshooting
  • 4. Introduction: Kerberos  ticket based network authentication protocol
  • 5. JBoss Negotiation  Negotiation (SPNEGO) support for JBoss AS ● protocols ● Kerberos ● NTLM ● components ● authenticator – a JBoss Web valve ● JAAS Login modules ● toolkit to check the configuration
  • 8. standalone.xml – security domains (1) <security-domain name="host" cache-type="default"> <authentication>     <login-module code="Kerberos" flag="required">       <module-option name="debug" value="true"/>       <module-option name="storeKey" value="true"/>       <module-option name="refreshKrb5Config" value="true"/>       <module-option name="useKeyTab" value="true"/>       <module-option name="doNotPrompt" value="true"/>       <module option ‑ name="keyTab"         value="/path/to/http.keytab"/>       <module-option name="principal"         value="HTTP/[email protected]"/>     </login-module>   </authentication> </security-domain>
  • 9. standalone.xml – security domains (2) <security-domain name="SPNEGO" cache-type="default"> <authentication>     <login-module code="SPNEGO" flag="required">       <module-option name="serverSecurityDomain"         value="host"/>     </login-module>   </authentication>   <mapping>     <mapping-module code="SimpleRoles" type="role">       <module-option name="[email protected]" value="Admin"/>       <module-option name="[email protected]" value="User"/> </mapping-module>   </mapping> </security-domain>
  • 10. standalone.xml – Kerberos related system properties <system-properties> <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/> <property name="java.security.krb5.debug" value="true"/> <property name="jboss.security.disable.secdomain.option" value="true"/> </system-properties>
  • 12. WAR – Web archive
  • 13. WEB-INF/web.xml  define your security constraints and roles <security-constraint>   <web-resource-collection>     <web-resource-name>Admin Data</web-resource-name>     <url-pattern>/admin/*</url-pattern>   </web-resource-collection>   <auth-constraint>     <role-name>Admin</role-name>   </auth-constraint> </security-constraint> <security-role>   <role-name>Admin</role-name> </security-role>
  • 14.  security domain  custom authenticator <jboss-web> <security-domain>SPNEGO</security-domain> <valve>         <class name‑ >org.jboss.security.negoti ation.NegotiationAuthenticator</class-name> </valve> </jboss-web> WEB-INF/jboss-web.xml
  • 15. META-INF/jboss-deployment-structure.xml  define module dependencies <jboss-deployment-structure> <deployment> <dependencies> <module name="org.jboss.security.negotiation" /> </dependencies> </deployment> </jboss-deployment-structure>
  • 17. krb5.conf  configure the realm [libdefaults] default_realm = MY-COMPANY.CZ [realms] MY-COMPANY.CZ = { kdc = kerberos.my-company.cz:688 } [domain_realm] .my-company.cz = MY-COMPANY.CZ  Use KRB5_CONFIG environment variable if you don't want to change system wide /etc/krb5.conf $ export KRB5_CONFIG=/path/to/krb5.conf
  • 18. Browser configuration – allow negotiation for the domain  Firefox – use about:config in the address bar network.negotiate-auth.delegation-uris=.my-company.cz network.negotiate-auth.trusted-uris =.my-company.cz  Chromium $ chromium-browser > --auth-server-whitelist=.my-company.cz > --auth-negotiate-delegate-whitelist=.my-company.cz
  • 19. And if it still doesn't work …
  • 20. Pitfalls – principal names  The Service Principal Name (SPN) must follow the rule <service type> / <hostname> @ <realm> For the request http://my-server.my-company.cz/ use SPN: HTTP/[email protected]  Mixing IPs and hostnames usually doesn't work: HTTP/[email protected] http://127.0.0.1/
  • 21. Pitfalls - IPv6  HTTP: ● http://[0:0:0:0:0:0:0:1]:8080/my-app/ ● HTTP/[0:0:0:0:0:0:0:1]@JBOSS.ORG  LDAP (can be used for role-mapping): ● ldap://[0:0:0:0:0:0:0:1]:389 ● ldap/0:0:0:0:0:0:0:[email protected]
  • 22. Pitfalls - IBM Java  host's login module <login-module code="com.ibm.security.auth.module.Krb5LoginModule" flag="required" > ● module options are not the same!  krb5.conf – check [libdefaults] section ● encryption support ● default_tgs_enctypes ● default_tkt_enctypes ● allow_weak_crypto ● forwardable ticktet when a client uses Krb5LoginModule ● forwardable = true