Versions Compared

Version Old Version 1 New Version Current
Changes made by

Uffe Svensson

Uffe Svensson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

View file
nameorg.springframework.security.kerberos.core_1.0.2.20170919.jar
height250
View file
nameorg.springframework.security.kerberos.web_1.0.2.20170919.jar
height250

This guide will help you set up a basic Single sign-on authentication with Keberos and SPNEGO using Spring Security under Weave. In our tests, we have been using Windows Server 2016 as our Domain Controller and Weave Server and Windows 10 as our clients.

...

Setting up Windows Domain controller

In this example we use the DNS domain example.org and Windows Domain EXAMPLE. We have also created a weave domain user which is used to perform the authentication from the Weave server to the Domain Controller.


Add a Service Principal Name(SPN) on the Windows Domain Controller. It need to be setup with HTTP and a server name where the Weave instance is run. This is used with the weave domain user and its the generated keytab  file is then used as a the service credentialcredentials.

To add the SPN, open the command line tool and run the following command:

C:\> setspn -A HTTP/example.org weave

...

Export a keytab file for the weave user. This file will be used with Weave to authenticate against the Windows Domain Controller. Copy the exported keytab file (weave.keytab) to the platform/workspace directory in Weave. The keytab file will be referenced in the security setup for Weave.

C:\> ktpass /out c:\weave.keytab /mapuser weave@EXAMPLE /princ HTTP/example.org@EXAMPLE/pass Password# /ptype KRB5_NT_PRINCIPAL /crypto All

...

Setting up security.xml in Weave

Info
titlePlugins

There are two plugins related to Kerberos that need to be added to Weave in order for the following configuration to work. The plugins are attached to this page.


Example configuration using SPNEGO/Kerberos and user.properties LDAP as User Detail Service.

Code Block
languagexml
firstline1
titleExample
linenumberstrue
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

  <!-- ThisConfiguration configuration uses SPNEGO by default -->
  <sec:http use-expressions="true" entry-point-ref="spnegoEntryPoint" >
    <sec:intercept-url pattern="/login*" access="permitAll" />
    <sec:intercept-url pattern="/secure/login/**" access="permitAll" />
    <sec:intercept-url pattern="/security/**" access="IS_AUTHENTICATED_FULLYpermitAll" />
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLYauthenticated" />
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
      position="BASIC_AUTH_FILTER" />
    <sec:form-login login-page="/login.html" default-target-url="/index.html"/>
  </sec:http>

  <!-- Spnego Kerberos configuration -->
  <bean id="spnegoEntryPoint"     class="org.springframework.security.extensions.kerberos.web.authentication.SpnegoEntryPoint" />

  <bean id="spnegoAuthenticationProcessingFilter"
    class="org.springframework.security.extensions.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

  <sec:authentication-manager alias="authenticationManager">
	<!-- Used with SPNEGO -->
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
  </sec:authentication-manager>
  
  <bean id="kerberosServiceAuthenticationProvider"
    class="org.springframework.security.extensionskerberos.kerberosauthentication.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
      <bean
        class="org.springframework.security.kerberos.extensionsauthentication.kerberossun.SunJaasKerberosTicketValidator">
        <property name="servicePrincipal" value="HTTP/example.org@EXAMPLE" />
        <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
    
   <!-- See the Javadoc for more information on that -->
        <property name="keyTabLocation" value="weave.keytab" />
        <property name="debug" value="true" />
      </bean>
    </property>
    <property name="userDetailsService" ref="userDetailsServiceldapUserDetailsService" />
  </bean>


  
<!-- LDAP -->
This bean definition enables a very detailed Kerberos logging -->
  <bean<bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg>
      <bean class="org.springframework.security.extensionsldap.kerberos.GlobalSunJaasKerberosConfig">search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="dc=example,dc=org"/>
      <property name  <constructor-arg index="debug1" value="true(| (userPrincipalName={0}) (sAMAccountName={0}))"/>
        <constructor-arg index="2" ref="ldapContextSource" />
      </bean>
    </constructor-arg>
    <constructor-arg>
      <bean id="userDetailsServiceldapAuthoritiesPopulator" class="org.springframework.security.coreldap.userdetails.memory.InMemoryDaoImplDefaultLdapAuthoritiesPopulator">
        <property<constructor-arg nameref="userPropertiesldapContextSource"/>
        <constructor-arg value="CN=Users,DC=example,DC=org"/>
    <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">    <property name="groupRoleAttribute" value="cn"/>
        <property name="searchSubtree" value="true" />
        <property name="locationgroupSearchFilter" value="users.properties"(member={0})" />
       </bean>
    </bean>constructor-arg>
  </bean>

  <sec:ldap-server  </property>
  </bean>
</beans>id="ldapContextSource" url="ldap://example.org:389/" manager-dn="CN=Administrator,CN=Users,DC=example,DC=org" manager-password="yourPassword" />

</beans>

Upon a user request, the spnegoEntryPoint will be first visited. The Entry point will check the authentication header from the request and validate it. If it is not valid, it will respond with a HTTP 401 and ask the requesting browser to send a negotiation header. On success validation the request will move on to the authenticationManager. In this case, we only have one authentication provider (Kerberos) and the request will be sent to the kerberosServiceAuthenticationProviderkerberosServiceAuthenticationProvider will authenticate the user with the Domain Controller and if successful it will fetch authorities/roles using the ldapUserDetailsService. The ldapUserDetailsService will connect to the Active Directory/LDAP server and fetch the roles for the current user. We provide the LDAP connection credentials with ldapContextSource

Confguration

kerberosServiceAuthenticationProvider

Two properties need to be configured in the kerberosServiceAuthenticationProvider bean. The first one is the servicePrinciple. This value should be the same as the one we used when creating the SPN and keytab file. The keyTabLocation property is the path to the keytab file created earlier. The path is relative to the /workspace directory, but could also be absolute.

ldapUserDetailsService and ldapContextSource

Replace credentials

Additional notes

  • Client and server must not be run on the same machine. The client will send NTML authentication to the server which will invalidate the request.
  • The server must be accessed using it Fully Qualified Name (FQN) in order for authentication to be applied. IP address can for example not be used.
  • For Single Sign-on to be enabled, Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication
    • Click Go to Tools > Intenet Options > Security tab
    • In Local intranet section make sure your server is listed as a trusted website by i.e. adding it into a list.