Hi! We're new to ServiceMix (and everything which it includes and uses, except Java ; ) and we're trying to set up authentication and authorization.
We want to use Kerberos for authentication with ServiceMix (i.e. for sshRealm and webconsole realm) but have hit a small bump. Kerberos is an authentication and thus doesn't provide any group or role information so we have to configure an authorization JAAS module as well in a cascading fashion. I tried to do that in a blueprint xml which I put in the deploy/ folder:

    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
               xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
               xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
      <jaas:config name="karaf" rank="1">
        <jaas:module className="com.sun.security.auth.module.Krb5LoginModule" flags="requisite">
        </jaas:module>
        <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="sufficient">
          users = /local/servicemix/etc/users.properties
        </jaas:module>
      </jaas:config>
    </blueprint>

(Probably out of this scope, but for completeness here's the rest of the config you need to do:

* Configure your JVM to use your Kerberos JAAS config:

    $ EXTRA_JAVA_OPTS=" -Djavax.security.auth.useSubjectCredsOnly=false "
    $ EXTRA_JAVA_OPTS+=" -Djava.security.auth.login.config=/local/servicemix/etc/jaas.config "
    $ export EXTRA_JAVA_OPTS

* Configure your Kerberos JAAS config file:

    $ cat /local/servicemix/etc/jaas.config
    com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule requisite
        doNotPrompt="true"
        keyTab="/etc/krb5.keytab-http-esb-test.it.su.se"
        principal="HTTP/esb-test.it.su...@su.se"
        storeKey="true"
        useKeyTab="true"
        debug=true;
    };
)

It does authenticate successfully via Kerberos but:

* bin/client just hangs.
* hawtio says "Failed to log in, Forbidden"

so I'm guessing that the "cascading" doesn't really work and here I am. Should this work? What do we need to change to make it work?
If this isn't possible, is it possible to create a proxy module which extends AbstractKarafLoginModule and does the Kerberos authentication via JAAS and then uses PropertiesLoginModule (or code from it) to pick up the roles and groups?

BR,
- Simon

____________________________________
Simon Lundström
Section for Infrastructure
IT Services
Stockholm University
SE-106 91 Stockholm, Sweden
www.su.se/it
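Since the question is about stacking a module that only authenticates with one that only supplies roles, here is an added, stand-alone Java example (not code from the post, from Karaf or from ServiceMix) of how JAAS control flags and the modules' shared state combine to populate a Subject. An AuthModule (a stand-in for Krb5LoginModule, marked requisite) publishes the verified name into sharedState, and a hypothetical RoleModule (marked sufficient) turns that name into RolePrincipals without ever asking for a password. The class names, the in-memory role table and the two principal types are assumptions; the programmatic Configuration mirrors the requisite/sufficient layout of the blueprint above.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Added demo of a two-module JAAS stack: authenticate first, then attach roles to the Subject. */
public class StackedJaasDemo {
    // Key under which JAAS modules conventionally pass the authenticated name along the stack.
    static final String SHARED_NAME = "javax.security.auth.login.name";

    // Tiny principal types standing in for Karaf's UserPrincipal / RolePrincipal (assumption).
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    public static class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
    }

    /** Stand-in for the authenticating module (Krb5LoginModule in the real stack). */
    public static class AuthModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Map<String, Object> shared; private String user;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> opts) {
            subject = s; handler = h; shared = (Map<String, Object>) st;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
            user = nc.getName();
            // Constructed check: the real module validates a Kerberos ticket here instead.
            if (user == null || user.isEmpty()) throw new LoginException("authentication failed");
            shared.put(SHARED_NAME, user); // hand the verified name to the next module in the stack
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Hypothetical role-lookup module: never re-checks a password, only maps name -> roles. */
    public static class RoleModule implements LoginModule {
        // Constructed sample data, like a users.properties stripped of its passwords.
        static final Map<String, List<String>> ROLES =
            Map.of("alice", List.of("admin", "manager"), "bob", List.of("viewer"));
        private Subject subject; private Map<String, ?> shared; private List<String> roles = List.of();
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> opts) {
            subject = s; shared = st;
        }
        public boolean login() throws LoginException {
            String name = (String) shared.get(SHARED_NAME);
            if (name == null) throw new LoginException("no authenticated name in shared state");
            roles = ROLES.getOrDefault(name, List.of());
            return true;
        }
        public boolean commit() { for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r)); return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic equivalent of the blueprint's stack: auth module requisite, role module sufficient. */
    static Configuration stackedConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(AuthModule.class.getName(), LoginModuleControlFlag.REQUISITE, Map.of()),
                    new AppConfigurationEntry(RoleModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, Map.of()) };
            }
        };
    }

    /** Logs a user in through the stack and returns the role names attached to the resulting Subject. */
    public static Set<String> rolesFor(String user) throws LoginException {
        CallbackHandler handler = cbs -> {
            for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName(user);
        };
        LoginContext lc = new LoginContext("karaf", new Subject(), handler, stackedConfig());
        lc.login();
        Set<String> names = new TreeSet<>();
        for (RolePrincipal p : lc.getSubject().getPrincipals(RolePrincipal.class)) names.add(p.getName());
        return names;
    }

    public static void main(String[] args) throws LoginException {
        // carol authenticates but gets no roles, which is exactly what a later authorization check rejects.
        for (String u : new String[] { "alice", "bob", "carol" }) System.out.println(u + " -> " + rolesFor(u));
    }
}
```

Compile and run with a Java 11 or later JDK (`javac StackedJaasDemo.java && java StackedJaasDemo`). The point to check in any stacked realm is the state of the Subject after login(): a requisite module that succeeds makes the login succeed as a whole, and a sufficient module that fails (for instance because it expected a password the first module never collected) is simply skipped, so the user ends up authenticated but with no RolePrincipal. Listing the Subject's principals after login, as rolesFor() does, tells you which of the two halves of the stack actually contributed.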