What is a built-in authenticator?
Although the HTTP Authentication protocol defines some authentication mechanisms, it does not define SPNEGO as one of them.
However, since JBoss uses the tomcat/catalina engine under the hood, and since the engine has support for the HTTP Authentication protocol, JBoss is able to perform
This guide is very similar to the Tomcat SPNEGO Authenticator Valve example except that this guide is specific to JBoss configuration files and locations.
The purpose of this guide is to simply illustrate that it is possible to "slip-in" any authentication (AuthN) mechanism and still retain the authorization (AuthZ) mechanisms that JBoss provides out of the box.
Essentially, the engine allows for an AuthN/AuthZ mechanism that is both loosely-coupled and highly-cohesive.
This guide provides source code as well as step-by-step instructions on how to configure JBoss to silently authenticate users via a built-in authenticator that uses Kerberos/SPNEGO as the authentication mechanism.
By default, JBoss supports such authentication mechanisms as
But fortunately, JBoss does allow you to implement and specify your own authentication mechanism via the tomcat/catalina engine and the
JBoss also provides a framework for mapping users to roles. By default, this mapping definition is specified in JBoss'
This guide does not detail how to use LDAP, JDBC, etc. as the source mapping definition instead of using the JBoss provided properties file (but the implementation is just as simple).
Goals of this guide:
Before Getting Started
If you do not already have a working JBoss server that authenticates requests via Kerberos/SPNEGO, take a look at the installing JBoss example. After installation, ensure that authentication is working by running the hello_spnego.jsp example. It is imperative that you get this working first, since we will reuse the values you provided in the web.xml file, the krb5.conf file you created, and the changes you made to the login-config.xml file.
This guide requires that you are able to get the HTTP Servlet Filter working first.
Once you have confirmed that all is working as expected (via the HTTP Servlet Filter method), be sure to remove/comment-out the HTTP Servlet Filter definition and filter mapping from the web.xml file.
Authentication will now fail, but we are ready to get it working again via the tomcat/catalina engine.
Download the latest spnego.jar file (spnego-r7.jar or greater) and place it under the
Download the ExampleSpnegoAuthenticatorValve.java code and place it under the
Before compiling ExampleSpnegoAuthenticatorValve.java, be sure to change the hard-coded property values in the file. These values should be the same values that were used in your old web.xml file (the old web.xml file had the filter definition and mapping defined; the new web.xml file either omits them or has them commented out).
You will also need to add
After compilation, you need to
Modifying the war-deployers-jboss-beans.xml file
Note that in JBoss 4.2 the file is named
Once you have found the list of authenticators in the file, add the following to the list:
<entry>
    <key>SPNEGO</key>
    <value>ExampleSpnegoAuthenticatorValve</value>
</entry>
Note that for JBoss 4.2, the xml is slightly different:
<java:property>
    <java:key>SPNEGO</java:key>
    <java:value>ExampleSpnegoAuthenticatorValve</java:value>
</java:property>
Modifying the jbossws-users/roles.properties files
By default, JBoss stores the username/role(s) mapping in the
These files are stored under the
This guide will use the properties files for the username/role(s) mapping definition.
# A sample users.properties file for use with the UsersRolesLoginModule
kermit=thefrog
DFelix@ATHENA.LOCAL=

# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend,role1
DFelix@ATHENA.LOCAL=role1
Also, notice that
Modifying the web.xml file
Add the following to the
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP Files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role1</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

<security-role>
    <role-name>role1</role-name>
</security-role>
Notice that we no longer need to define the SPNEGO HTTP Servlet Filter in the web.xml file.
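Authorization only succeeds when the role named in web.xml, the auth-method key, and the principal entries in the two properties files all line up. The check below is an added example, not code from the original guide or the SPNEGO project: the function names and the <web-app> wrapper around the page's fragment are assumptions, the properties parser is simplified, and the users.properties check mirrors the page's samples, where each principal appears in both files.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the page's fragments, wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>role1</role-name></security-role>
</web-app>"""
USERS = "# users.properties\nkermit=thefrog\nDFelix@ATHENA.LOCAL=\n"
ROLES = "# roles.properties\nkermit=friend,role1\nDFelix@ATHENA.LOCAL=role1\n"

def parse_props(text):
    """Minimal key=value parser (assumption: no ':' separators or continuations)."""
    lines = (ln.strip() for ln in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in
            (ln.partition("=") for ln in lines if ln and ln[0] not in "#!" and "=" in ln)}

def names(root, path):
    """Trimmed text of every element matching path."""
    return {(el.text or "").strip() for el in root.findall(path)}

def review(web_xml, users_text, roles_text):
    """Return findings; an empty list means the three files agree."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # a real web.xml is namespaced; compare local names
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    method = (root.findtext("login-config/auth-method") or "").strip()
    if method != "SPNEGO":  # must match the key added to the authenticators list
        findings.append(f"auth-method is {method!r}, not 'SPNEGO'")
    required = names(root, "security-constraint/auth-constraint/role-name")
    declared = names(root, "security-role/role-name")
    users = parse_props(users_text)
    granted = {user: {r.strip() for r in value.split(",")}
               for user, value in parse_props(roles_text).items()}
    for role in sorted(required - declared):
        findings.append(f"role {role!r} has no <security-role> declaration")
    for role in sorted(required):
        if not any(role in roles for roles in granted.values()):
            findings.append(f"no principal is mapped to role {role!r}")
    for user in sorted(set(granted) - set(users)):
        findings.append(f"{user!r} has roles but no users.properties entry")
    return findings

if __name__ == "__main__":
    print(review(WEB_XML, USERS, ROLES) or "consistent")
```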
Creating the jboss-web.xml file
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/JBossWS</security-domain>
</jboss-web>
Note that the
Open a browser and go to http://medusa:8080/hello_spnego.jsp
If all is working correctly you should see the following (without being prompted):
The first step in troubleshooting is to know with absolute certainty that authentication was working when it was configured as an HTTP Servlet Filter.
© 2009 Darwin V. Felix. All rights reserved.