Configuring Glassfish for Windows Integrated Authentication
Before Getting Started
Be sure that you have read and successfully performed ALL of the steps in the pre-flight documentation before proceeding any further.
You will also want to read through the install for Tomcat before starting the install for Glassfish. The install for Glassfish share many similarities with the install for Tomcat.
The two main differences are 1) Glassfish already ships with a login.conf file and 2) instead of the name web.xml it is named default-web.xml in glassfish.
Finally, confirm that the server is on the domain by going to
We want to be sure that the host/server is on the domain. If during install of Windows Server you did not specify to join a Domain, you can click the "Change..." button now to join the Domain.
Downloading and Installing Glassfish
Go to the Glassfish web site and download a stable version of Glassfish. The example in this guide is based on the glassfish-installer-v2.1-b60e-windows.jar download.
Also, this guide is based on Glassfish being started from the command-line versus Glassfish running on the server as a Windows Service.
If you have Tomcat installed as a Windows Service, be sure to stop Tomcat and specify the Tomcat Windows Service "Startup Type" as "Manual". This is necessary even if you change the HTTP port. This is also true if you have JBoss running.
Unzip the download to your \Temp directory:
Be sure to stop Glassfish before modifying the web.xml file, login.conf file, etc.
You can download the latest version of spnego.jar from sourceforge.
Place the spnego.jar file under the
Modifying the default-web.xml file
Copy the web.xml configuration changes from the
Tomcat install and apply them
to Glassfish's default-web.xml file under the
Be sure that Glassfish is not running when you make these changes.
Creating a krb5.conf file
Copy the krb5.conf file that you created earlier to the
If you are running Glassfish as a Windows Service, the location of the file may be different.
Modifying the login.conf file
Glassfish ships with a login.conf file located under the
Registering an SPN
If you have already registered the SPN(s) when you performed the Tomcat install then you will NOT have to perform them again.
Otherwise, take a look at the Tomcat install for instructions on how to register your SPN(s).
WARNING: A given SPN can only be registered to one and only one Windows NT Domain Account.
If you decide to register a given SPN, be sure that it is not already registered to another Windows NT Domain Account. Otherwise, you will have to de-register/delete the mapping before registering the SPN to the other account.
Creating the hello_spnego.jsp file
Create the following hello_spnego.jsp file under the
<html> <head> <title>Hello SPNEGO Example</title> </head> <body> Hello <%= request.getRemoteUser() %> ! </body> </html>
Restart the server and login into a workstation before performing the test in the next section.
The steps for testing hello_spnego.jsp running on Glassfish are exactly the same as for Tomcat.
Take a look at the Tomcat install and follow the steps.
If all is working correctly you should see the following (without being prompted):
Lastly, just as the javax.servlet.http.HttpServletRequest API is an interface that defines the method named getRemoteUser, in addition the API defines the method named isUserInRole. The SPNEGO Library also implements the isUserInRole method.
In this guide, the SPNEGO Library was configured to perform authentication (authN). However, the SPNEGO Library define additional APIs as well as provide a reference implementation that allow for a more expressive authorization (authZ) scheme.
If in addition to authenticating the user, you also need to check the user's authorization credentials, take a look at the enable authZ with LDAP guide.The javadocs for the SpnegoAccessControl interface, the UserAccessControl interface, and the LdapAccessControl class contain authorization usage examples.
The best way to troubleshoot hello_spnego.jsp is to run TCPMon.
Take a look at the Troubleshooting hello_spnego.jsp page for more details on using this tool.
© 2009 Darwin V. Felix. All rights reserved.