Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 2 Next »

This guide will help you set up a basic Single sign-on authentication with Keberos and SPNEGO using Spring Security under Weave. In our tests, we have been using Windows Server 2016 as our Domain Controller and Weave Server and Windows 10 as our clients.


Prerequisite
  • Windows Server with domain controller and AD setup. Kerberos enabled.
  • Windows client joined to the Windows domain

Setting up Windows Domain controller

In this example we use the DNS domain example.org and Windows Domain EXAMPLE. We have also created a weave domain user which is used to perform the authentication from the Weave server to the Domain Controller.


Add a Service Principal Name(SPN) on the Windows Domain Controller. It need to be setup with HTTP and a server name where the Weave instance is run. This is used with the weave domain user and its keytab is then used as a service credential.

To add the SPN, open the command line tool and run the following command:

C:\> setspn -A HTTP/example.org weave


Export a keytab file for the weave user. This file will be used with Weave to authenticate against the Windows Domain Controller.

C:\> ktpass /out c:\weave.keytab /mapuser weave@EXAMPLE /princ HTTP/example.org@EXAMPLE/pass Password# /ptype KRB5_NT_PRINCIPAL /crypto All

Targeting domain controller: EXAMPLE.example.org
Using legacy password setting method
Successfully mapped HTTP/example.org to weave.

Setting up security.xml in Weave

Plugins

There are two plugins related to Kerberos that need to be added to Weave in order for the following configuration to work. The plugins are attached to this page.


Example configuration using SPNEGO and user.properties as User Detail Service.

Example 
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

  <!-- This configuration uses SPNEGO by default -->
  <sec:http entry-point-ref="spnegoEntryPoint" >
    <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
      position="BASIC_AUTH_FILTER" />
  </sec:http>

  <bean id="spnegoEntryPoint"
    class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

  <bean id="spnegoAuthenticationProcessingFilter"
    class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

  <sec:authentication-manager alias="authenticationManager">
	<!-- Used with SPNEGO -->
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
  </sec:authentication-manager>

  <bean id="kerberosServiceAuthenticationProvider"
    class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
      <bean
        class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
        <property name="servicePrincipal" value="HTTP/example.org@EXAMPLE" />
        <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
        <!-- See the Javadoc for more information on that -->
        <property name="keyTabLocation" value="weave.keytab" />
        <property name="debug" value="true" />
      </bean>
    </property>
    <property name="userDetailsService" ref="userDetailsService" />
  </bean>
  
  <!-- This bean definition enables a very detailed Kerberos logging -->
  <bean
    class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
    <property name="debug" value="true" />
  </bean>

  <bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
            <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
                <property name="location" value="users.properties"/>
            </bean>
        </property>
  </bean>
</beans>

Two properties need to be configured in the kerberosServiceAuthenticationProvider bean. The first one is the servicePrinciple. This value should be the same as the one we used when creating the SPN and keytab file. The keyTabLocation property is the path to the keytab file created earlier. The path is relative to the /workspace directory, but could also be absolute.

Additional notes

  • Client and server must not be run on the same machine. The client will send NTML authentication to the server which will invalidate the request.
  • The server must be accessed using it Fully Qualified Name (FQN) in order for authentication to be applied. IP address can for example not be used.
  • For Single Sign-on to be enabled, Complete following steps to ensure that your Internet Explorer browser is enabled to perform Spnego authentication
    • Click Tools > Intenet Options > Security tab
    • In Local intranet section make sure your server is trusted by i.e. adding it into a list.




  • No labels