Configuring Glassfish for Windows Integrated Authentication

Before Getting Started

Be sure that you have read and successfully performed ALL of the steps in the pre-flight documentation before proceeding any further.

You will also want to read through the install for Tomcat before starting the install for Glassfish. The install for Glassfish shares many similarities with the install for Tomcat.

  • web.xml configurations are exactly the same
  • krb5.conf configurations are exactly the same

The two main differences are 1) Glassfish already ships with a login.conf file and 2) instead of being named web.xml, the file is named default-web.xml in Glassfish.

Finally, confirm that the server is on the domain by going to Start > Control Panel > System and opening the "System Properties" window.

We want to be sure that the host/server is on the domain. If during install of Windows Server you did not specify to join a Domain, you can click the "Change..." button now to join the Domain.

Downloading and Installing Glassfish

Go to the Glassfish web site and download a stable version of Glassfish. The example in this guide is based on the glassfish-installer-v2.1-b60e-windows.jar download.

Also, this guide is based on Glassfish being started from the command-line versus Glassfish running on the server as a Windows Service.

If you have Tomcat installed as a Windows Service, be sure to stop Tomcat and specify the Tomcat Windows Service "Startup Type" as "Manual". This is necessary even if you change the HTTP port. This is also true if you have JBoss running.

Unzip the download to your \Temp directory:

Be sure to stop Glassfish before modifying the web.xml file, login.conf file, etc.

Downloading spnego.jar

You can download the latest version of spnego.jar from sourceforge.

Place the spnego.jar file under the GLASSFISH_HOME\lib directory.

Modifying the default-web.xml file

Copy the web.xml configuration changes from the Tomcat install and apply them to Glassfish's default-web.xml file under the GLASSFISH_HOME\domains\domain1\config directory.

Be sure that Glassfish is not running when you make these changes.

Creating a krb5.conf file

The pre-flight documentation illustrated how to create the krb5.conf and login.conf files for your environment. It also introduced you to the HelloKDC java program that makes use of these files.

Copy the krb5.conf file that you created earlier to the GLASSFISH_HOME\domains\domain1\config directory (note that the JRE must be able to find this file).

If you are running Glassfish as a Windows Service, the location of the file may be different.

Modifying the login.conf file

Glassfish ships with a login.conf file located under the GLASSFISH_HOME\domains\domain1\config directory.

Append the contents of the login.conf file from the pre-flight documentation to Glassfish's login.conf file located under the GLASSFISH_HOME\domains\domain1\config directory.

Registering an SPN

If you have already registered the SPN(s) when you performed the Tomcat install then you will NOT have to perform them again.

Otherwise, take a look at the Tomcat install for instructions on how to register your SPN(s).

WARNING: A given SPN can only be registered to one and only one Windows NT Domain Account.

If you decide to register a given SPN, be sure that it is not already registered to another Windows NT Domain Account. Otherwise, you will have to de-register/delete the mapping before registering the SPN to the other account.

Creating the hello_spnego.jsp file

Create the following hello_spnego.jsp file under the GLASSFISH_HOME\domains\domain1\docroot directory.

    <html><head><title>Hello SPNEGO Example</title></head>
    <body>Hello <%= request.getRemoteUser() %> !</body>
    </html>

Restart the server and log in to a workstation before performing the test in the next section.

Testing hello_spnego.jsp

The steps for testing hello_spnego.jsp running on Glassfish are exactly the same as for Tomcat.

Take a look at the Tomcat install and follow the steps.

If all is working correctly you should see the following (without being prompted):

Lastly, the javax.servlet.http.HttpServletRequest interface defines not only the method named getRemoteUser but also the method named isUserInRole. The SPNEGO Library implements the isUserInRole method as well.

In this guide, the SPNEGO Library was configured to perform authentication (authN) only. However, the SPNEGO Library also defines additional APIs and provides a reference implementation that allow for a more expressive authorization (authZ) scheme.

If, in addition to authenticating the user, you also need to check the user's authorization, take a look at the enable authZ with LDAP guide.

The javadocs for the SpnegoAccessControl interface, the UserAccessControl interface, and the LdapAccessControl class contain authorization usage examples.
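As an added example (not code from the original guide or from the SPNEGO Library), the servlet below shows how a page deployed behind the SPNEGO filter uses the two standard HttpServletRequest methods just mentioned: getRemoteUser to report who was authenticated, and isUserInRole to decide whether that user may see the protected content. The role name "hello-admins" is a placeholder assumption, as is the servlet class name; substitute the role or group that your own authZ configuration maps. The only APIs used are the standard javax.servlet ones, so it deploys on Glassfish v2.1 like the hello_spnego.jsp page above.

```java
// Added example: authN is already done by the SPNEGO filter before this servlet runs;
// this class only consumes the result and adds an authorization (authZ) check.
// ASSUMPTION: "hello-admins" is a placeholder role name, not something the guide defines.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HelloAuthzServlet extends HttpServlet {

    // Placeholder role name (assumption); replace with the role your deployment maps.
    private static final String REQUIRED_ROLE = "hello-admins";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        final String user = request.getRemoteUser();

        // A null principal means the SPNEGO filter did not authenticate this request.
        // The usual cause is a URL that falls outside the filter-mapping in default-web.xml.
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Not authenticated; check the SPNEGO filter-mapping.");
            return;
        }

        // Authentication answers "who is this"; authorization answers "may they do this".
        // Deny by default: only proceed when the role check passes.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "User " + user + " is not in role " + REQUIRED_ROLE);
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Hello SPNEGO Example</title></head><body>");
        out.println("Hello " + escapeHtml(user) + " ! You are in role "
                + escapeHtml(REQUIRED_ROLE) + ".");
        out.println("</body></html>");
    }

    // Minimal HTML escaping: the principal name comes from the KDC, but the page should
    // still treat it as data, not markup, when writing it into the response.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map this servlet to a URL that is covered by the same filter-mapping you copied into default-web.xml; if getRemoteUser returns null, the filter never ran for that URL, which is the first thing to verify before looking at the role check.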

Troubleshooting hello_spnego.jsp

The best way to troubleshoot hello_spnego.jsp is to run TCPMon.

Take a look at the Troubleshooting hello_spnego.jsp page for more details on using this tool.

© 2009 Darwin V. Felix. All rights reserved.