But I should also add that for a web app, if you run Geronimo through
Apache HTTP or IIS then you can use SPNEGO to achieve single sign-on
without configuring a Geronimo security realm. I also lack specifics
for how to configure that. :)
Thanks,
Aaron
On 3/30/06, Williams, Alex <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Has anyone successfully implemented a Kerberos Security Realm? I'm using
> Geronimo 1.0, JDK 1.4.2 on Windows XP and would like to achieve single
> sign on against the Windows KDC.
>
> I have managed to get a standalone java example to work, but I'm a bit
> lost when it comes to configuring a Security Realm in Geronimo. Do I
> have to do any configuration outside of Geronimo - e.g. properties files
> within the JVM installation?
>
> Any tips or samples would be very gratefully received.
>
> See below for what I've tried so far.
>
> Thanks,
> Alex
>
>
>
> I've created a Security Realm in the Geronimo Console with the following
> plan:
>
> <configuration configId="SecurityRealm-my-kerberos-realm"
>     xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
>   <gbean name="my-kerberos-realm"
>       class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     <attribute name="realmName">my-kerberos-realm</attribute>
>     <reference name="ServerInfo">
>       <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>     </reference>
>     <reference name="LoginService">
>       <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>     </reference>
>     <xml-reference name="LoginModuleConfiguration">
>       <log:login-config
>           xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
>         <log:login-module control-flag="REQUIRED"
>             server-side="true" wrap-principals="false">
>           <log:login-domain-name>my-kerberos-realm</log:login-domain-name>
>           <log:login-module-class>com.sun.security.auth.module.Krb5LoginModule</log:login-module-class>
>           <log:option name="debug">true</log:option>
>           <log:option name="doNotPrompt">true</log:option>
>           <log:option name="useTicketCache">true</log:option>
>         </log:login-module>
>       </log:login-config>
>     </xml-reference>
>   </gbean>
> </configuration>
>
>
> I added the following to the web.xml for my app:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected</web-resource-name>
>     <url-pattern>/protected/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>This is not used for FORM login</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/loginerror.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <role-name>admin</role-name>
> </security-role>
>
>
> And I added the following to geronimo-web.xml:
>
> <security-realm-name>my-kerberos-realm</security-realm-name>
> <security>
>   <default-principal>
>     <principal name="anonymous"
>         class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>   </default-principal>
>   <role-mappings>
>     <role role-name="admin">
>       <principal name="administrators"
>           designated-run-as="true"
>           class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>       <principal name="awilliams"
>           class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>     </role>
>   </role-mappings>
> </security>
>
>
> I have created /protected/index.htm, but I have NOT implemented
> /login.jsp or /loginerror.jsp. I am logged into the Windows domain as
> "awilliams", so I expect SSO to work. It appears not to, since I get a
> 404 error saying that /login.jsp does not exist.
>
> I'd obviously like to get the SSO working through the Windows KDC. I
> presume though that I need the login screens to fall back on. Down the
> road, do I need an extra login module to authenticate against
> Active Directory if the SSO fails?
>
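To make concrete what the posted realm plan actually does at the JAAS level, here is an added, stand-alone Java 1.4-style example (not code from the thread or from Geronimo) that builds the same Krb5LoginModule configuration programmatically. It shows the two behaviours the thread runs into: with `doNotPrompt=true`/`useTicketCache=true` the callback handler is never consulted, so the module only reads the ticket cache of the account that launched the JVM (the server's own identity, not the browser user's); with prompting enabled it authenticates a name/password pair against the KDC, which is what a FORM fallback would need. The realm `EXAMPLE.COM`, the KDC host `kdc.example.com` and the user name are placeholders, and the `java.security.krb5.*` system properties are the documented JDK alternative to a krb5.ini/krb5.conf file.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosRealmCheck {

    // Same options as the posted Geronimo plan when doNotPrompt is true; when it is
    // false the module drives the CallbackHandler for a name and password instead
    // of reading the JVM's ticket cache. No external jaas.conf is needed.
    static Configuration realmConfig(final boolean doNotPrompt) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map opts = new HashMap();
                opts.put("debug", "true");
                opts.put("doNotPrompt", String.valueOf(doNotPrompt));
                opts.put("useTicketCache", String.valueOf(doNotPrompt));
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() {}
        };
    }

    // Authenticates one user against the KDC and returns the Kerberos principal name
    // (e.g. "awilliams@EXAMPLE.COM"); throws LoginException on a bad password or if
    // the KDC is unreachable. The password array is wiped after use.
    static String authenticate(final String user, final char[] password) throws LoginException {
        // Placeholder realm/KDC; both properties must be set if no krb5 config file is used.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (int i = 0; i < cbs.length; i++) {
                    if (cbs[i] instanceof NameCallback) ((NameCallback) cbs[i]).setName(user);
                    else if (cbs[i] instanceof PasswordCallback) ((PasswordCallback) cbs[i]).setPassword(password);
                    else throw new UnsupportedCallbackException(cbs[i]);
                }
            }
        };
        try {
            LoginContext lc = new LoginContext("my-kerberos-realm", new Subject(), handler, realmConfig(false));
            lc.login();
            Iterator it = lc.getSubject().getPrincipals(KerberosPrincipal.class).iterator();
            return it.hasNext() ? ((KerberosPrincipal) it.next()).getName() : null;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

Calling `realmConfig(true)` instead reproduces the posted plan: the handler above is never invoked, and `login()` succeeds or fails purely on whether the server process already holds a valid TGT in its ticket cache.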