Versions Compared

Version Old Version 3 New Version Current
Changes made by

Uffe Svensson

Uffe Svensson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

View file
nameorg.springframework.security.kerberos.core_1.0.2.20170919.jar
height250
View file
nameorg.springframework.security.kerberos.web_1.0.2.20170919.jar
height250

...

Setting up Windows Domain controller

In this example we use the DNS domain example.org and Windows Domain EXAMPLE. We have also created a weave domain user which is used to perform the authentication from the Weave server to the Domain Controller.


Add a Service Principal Name(SPN) on the Windows Domain Controller. It need to be setup with HTTP and a server name where the Weave instance is run. This is used with the weave domain user and the generated keytab file is then used as the service credentials.

To add the SPN, open the command line tool and run the following command:

C:\> setspn -A HTTP/example.org weave

...

Example configuration using SPNEGO/Kerberos and user.properties LDAP as User Detail Service.

Code Block
languagexml
firstline1
titleExample
linenumberstrue
collapsetrue
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

  <!-- Configuration uses SPNEGO by default -->
  <sec:http use-expressions="true" entry-point-ref="spnegoEntryPoint" >
    <sec:intercept-url pattern="/login*" access="permitAll" />
    <sec:intercept-url pattern="/login/**" access="permitAll" />
    <sec:intercept-url pattern="/security/**" access="permitAll" />
    <sec:intercept-url pattern="/**" access="authenticated" />
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
      position="BASIC_AUTH_FILTER" />
    <sec:form-login login-page="/login.html" default-target-url="/index.html"/>
  </sec:http>

  <!-- Spnego Kerberos configuration -->
  <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

  <bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

  <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
  </sec:authentication-manager>
  
  <bean id="kerberosServiceAuthenticationProvider"
    class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
      <bean
        class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
        <property name="servicePrincipal" value="HTTP/example.org@EXAMPLE" />
        <property name="keyTabLocation" value="weave.keytab" />
        <property name="debug" value="true" />
      </bean>
    </property>
    <property name="userDetailsService" ref="ldapUserDetailsService" />
  </bean>

  
<!-- LDAP -->
  <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg>
      <bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="dc=example,dc=org"/>
        <constructor-arg index="1" value="(| (userPrincipalName={0}) (sAMAccountName={0}))"/>
        <constructor-arg index="2" ref="ldapContextSource" />
      </bean>
    </constructor-arg>
    <constructor-arg>
      <bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <constructor-arg ref="ldapContextSource"/>
        <constructor-arg value="CN=Users,DC=example,DC=org"/>
        <property name="groupRoleAttribute" value="cn"/>
        <property name="searchSubtree" value="true" />
        <property name="groupSearchFilter" value="(member={0})" />
      </bean>
    </constructor-arg>
  </bean>

  <sec:ldap-server id="ldapContextSource" url="ldap://example.org:389/" manager-dn="CN=Administrator,CN=Users,DC=example,DC=org" manager-password="yourPassword" />

</beans>

...

  • Client and server must not be run on the same machine. The client will send NTML authentication to the server which will invalidate the request.
  • The server must be accessed using it Fully Qualified Name (FQN) in order for authentication to be applied. IP address can not be used.
  • For Single Sign-on to be enabled, Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication
    • Go to Tools > Intenet Options > Security tab
    • In Local intranet section make sure your server is listed as a trusted website by adding it into a list.