In this article I will explain how to implement transparent domain authentication (Kerberos single sign-on) on the GlassFish application server.
The test was conducted on a PC with Windows 7 Pro SP1 (64-bit), JDK 1.7.0_25 (64-bit) and GlassFish 4 (build 89).
We will use the SPNEGO library. This article is essentially a translation and adaptation of the guide found on the library's page, in English.
Preflight preparation
1) Make sure the server is joined to the domain.
2) Make sure the application server (GlassFish) runs as a domain user.
3) Make sure you have the login and password of a dedicated domain user (I used the same user as in step 2).
4) Make sure HelloKDC.java runs correctly.
HelloKDC.java is a small application that lets us check whether everything is ready for takeoff and whether the flight is possible at all.
In its code you need to fill in a few lines, namely:
// Domain (pre-authentication) account
final String username = "<User name from the third item>";
// Password for the pre-auth acct.
final String password = "<Password from the user from the third item>";
// Name of our krb5 config file
final String krbfile = "krb5.conf";
// Name of our login config file
final String loginfile = "login.conf";
// Name of our login module
final String module = "spnego-client";
Next you need to add the krb5.conf and login.conf files.
In my case krb5.conf looks like this:
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
<root domain> = {
kdc = <KDC server domain name>
default_domain = <root domain>
}
[domain_realm]
.<root domain> = <root domain>
In the encryption types I added aes256-cts-hmac-sha1-96 so that Windows 7 clients work correctly.
My full domain name differs from the root domain, but I decided to specify the root domain and the root KDC.
After running HelloKDC we should get a short report, at the end of which should be written "Connection test successful.".
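For reference, here is a login.conf with the two JAAS entries the article refers to by name (spnego-client, used by HelloKDC, and spnego-server, used by the servlet filter). This is an added example, not taken from the article; its contents follow the SPNEGO library's documentation and are assumed to match your version of the library.

```text
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};
```

The same two entries are what step 4 of the "Go!" section appends to the GlassFish domain's own login.conf.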
Go!
1) Add the spnego.jar library directly to the GlassFish library directory, namely GLASSFISH_HOME\lib.
2) Modify the default-web.xml file of the corresponding GlassFish domain; it is located in the GLASSFISH_HOME\domains\<domain name>\config folder.
The modification consists of adding a servlet filter and its mapping:
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>Username from HelloKDC</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>HelloKDC User Password</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
3) Copy the krb5.conf file there as well (into GLASSFISH_HOME\domains\<domain name>\config).
4) Modify the login.conf file in GLASSFISH_HOME\domains\<domain name>\config by appending the contents of the previous login.conf (the one prepared for HelloKDC) to the end of the file.
5) Register the SPNs.
In my case the machine name was smirnoff and the full machine name was smirnoff.<full domain name>, so I registered (more precisely, the LAN administrators registered) two SPNs for the account name (the one we entered into the HelloKDC source and into the servlet filter settings), namely:
setspn -A HTTP/smirnoff <account name>
setspn -A HTTP/smirnoff.<full domain name> <account name>
That is, we add a record for both the full name and the short name.
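The filter settings above turn on several fallbacks (spnego.allow.basic, spnego.allow.unsecure.basic, spnego.prompt.ntlm, spnego.allow.localhost) and keep the pre-auth password in default-web.xml in cleartext, which is worth reviewing before such a configuration leaves a test box. As an added example (not from the article or the SPNEGO project), here is a small Python check that reads a default-web.xml and lists those settings; the sample XML is constructed to mirror the article's filter block, and the meaning given to each parameter is assumed from the SPNEGO library's parameter names and documentation.

```python
import xml.etree.ElementTree as ET
# Constructed sample mirroring the article's filter block; the password is a placeholder.
SAMPLE_DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.prompt.ntlm</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>spnego.preauth.username</param-name><param-value>svc-glassfish</param-value></init-param>
    <init-param><param-name>spnego.preauth.password</param-name><param-value>PLACEHOLDER</param-value></init-param>
  </filter>
</web-app>"""

# Init-params from the article that weaken a Kerberos-only setup when "true";
# the meanings are assumed from the SPNEGO library's parameter documentation.
RISKY_WHEN_TRUE = {
    "spnego.allow.basic": "Basic fallback: the user's password reaches the server instead of a ticket",
    "spnego.allow.unsecure.basic": "Basic fallback over plain HTTP: password crosses the wire unencrypted",
    "spnego.prompt.ntlm": "NTLM tokens are answered with a Basic prompt instead of being rejected",
    "spnego.allow.localhost": "requests from localhost skip authentication",
}

def _local(tag):  # strip an XML namespace so the checker works with or without xmlns
    return tag.rsplit("}", 1)[-1]

def spnego_params(xml_text):
    """Return {param-name: param-value} for the SpnegoHttpFilter's init-params."""
    params = {}
    for flt in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "filter"):
        tags = {_local(c.tag): (c.text or "").strip() for c in flt}
        if tags.get("filter-class") != "net.sourceforge.spnego.SpnegoHttpFilter":
            continue
        for ip in (c for c in flt if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def audit(xml_text):
    """Return sorted (param, reason) findings; an empty list means nothing to question."""
    params = spnego_params(xml_text)
    findings = [(n, r) for n, r in RISKY_WHEN_TRUE.items() if params.get(n, "false").lower() == "true"]
    if "spnego.preauth.password" in params:
        findings.append(("spnego.preauth.password", "service account password stored in cleartext in default-web.xml"))
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_DEFAULT_WEB_XML):
        print(f"{name}: {reason}")
```

Run it against your own GLASSFISH_HOME\domains\<domain name>\config\default-web.xml by passing the file's contents to audit().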
Operation check
You can verify that it works with a simple JSP page (JSP because we set the *.jsp mask in the filter settings to intercept requests):
<html>
<head><title>Hello SPNEGO Example</title></head>
<body>Hello <%= request.getRemoteUser() %>!</body>
</html>
Place it, for example, in the docroot of your GlassFish domain.
When requesting the page, we should see the following text:
Hello <your account name>!
PS
I could not get the source code to display properly.
I will be happy to answer questions in the comments to the article.