  • Active directory, kerberos and all that jaas

    Anybody have a working example of the "authorityGranter" implementation for JaasAuthenticationProvider?
    Specifically, populating grantedAuthorities via ActiveDirectory?

    I can authenticate fine via Jaas/Kerberos but when I attempt to search Active Directory to retrieve the user roles, my attempts fail with kerberos credential errors.

    Googled till I'm schmoogled

  • #2
    The Jaas stuff is there to connect Acegi to Jaas. What are you using to connect Jaas to Active Directory?

    You might also consider using the acegi ldap support to authenticate with Active Directory.



    • #3
      What are you using to connect Jaas to Active Directory?
      My JAAS settings:
      Code:
      Lites {
        com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=false
          useTicketCache=false
          storeKey=true
          debug=true;
      };

      com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required;
      };
      Tomcat is launched with -Djavax.security.auth.useSubjectCredsOnly=false

      Ray,
      From the above, you can see I'm not connecting anything in JAAS to the Active Directory. I've read the tutorial on JAAS authorization but I'm not getting it... I don't understand how the KerberosPrincipal delivered to the authorityGranter will carry along the grantedAuthorities from the Active Directory lookup.

      My approach to deliver this requirement was to implement the TestAuthorityGranter section of the JaasAuthenticationProvider javadoc to use a FilterBasedLdapUserSearch bean. http://www.acegisecurity.org/acegi-s...tyGranter.html

      But what would be ideal would be for the auth/authz requirement to be delivered with a JaasAuthenticationProvider solution with all Kerberos/AD settings defined on the server.

      Anything you can do to outline the solution would be greatly appreciated.

      - Steve



      • #4
        Well you're on the right course. The AuthorityGranter interface is there for that purpose. You provide an implementation of AuthorityGranter that uses the Principal to generate a Set of ROLEs to grant.

        I really have no idea what type of Principal the Krb5LoginModule provides. You may be able to downcast it and get some more information from it. Or you'll have to do something like you're talking about where you go dig in LDAP for the information.

        Other than that, use the FilterBasedLdapUserSearch or the Spring LDAP support... http://www.springframework.org/ldap



        • #5
          I really have no idea what type of Principal the Krb5LoginModule provides.
          KerberosPrincipal is what is returned.

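
Putting #4 and #5 together: an AuthorityGranter that downcasts the KerberosPrincipal, takes the account name from its "user@REALM" form and looks up the account's Active Directory groups over LDAP with JNDI, mapping each group CN to a ROLE_ name. This is an added example, not code from the thread or from Spring Security; the LDAP URL, base DN, service bind account, the `ldap.bind.password` system property and the group-to-role mapping are assumptions, and it implements the 2.x `org.springframework.security.providers.jaas.AuthorityGranter` package used in the config later in this thread.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.springframework.security.providers.jaas.AuthorityGranter;

public class ActiveDirectoryAuthorityGranter implements AuthorityGranter {
    // Assumed directory settings; in a real deployment inject them as bean properties.
    private static final String LDAP_URL = "ldap://dc.example.com:389";
    private static final String BASE_DN = "DC=example,DC=com";
    private static final String BIND_DN = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=com";
    private static final String BIND_PASSWORD = System.getProperty("ldap.bind.password");

    public Set<String> grant(Principal principal) {
        // The provider calls each granter for every Subject principal; skip the rest.
        if (!(principal instanceof KerberosPrincipal)) return Collections.emptySet();
        // Krb5LoginModule names the principal "user@REALM"; the AD sAMAccountName is the user part.
        String account = principal.getName().replaceFirst("@.*$", "");
        // Bind with a dedicated low-privilege service account: the user's own Kerberos
        // ticket is not delegated to this tier, so searching "as the user" fails.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        Set<String> roles = new HashSet<String>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });
            // JNDI escapes the {0} argument, so the account name cannot alter the filter.
            NamingEnumeration<SearchResult> hits = ctx.search(BASE_DN,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { account }, sc);
            Attribute memberOf = hits.hasMore() ? hits.next().getAttributes().get("memberOf") : null;
            for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
                // "CN=App Admins,OU=Groups,DC=example,DC=com" -> ROLE_APP_ADMINS
                LdapName dn = new LdapName((String) memberOf.get(i));
                String cn = dn.getRdn(dn.size() - 1).getValue().toString();
                roles.add("ROLE_" + cn.toUpperCase().replaceAll("[^A-Z0-9]", "_"));
            }
        } catch (NamingException e) {
            throw new IllegalStateException("AD group lookup failed for " + account, e);
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return roles;
    }
}
```

Use ldaps:// (or StartTLS) in practice, since the service account's password travels in the simple bind; note also that memberOf lists only direct group membership, not the primary group or nested groups.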


          • #6
            Originally posted by steve_sicherheit:
            I can authenticate fine via Jaas/Kerberos but when I attempt to search Active Directory to retrieve the user roles, my attempts fail with kerberos credential errors.
            Steve, can you paste your applicationContext.xml ? I cannot make spring-security authenticate using kerberos. All the time I'm getting a
            Code:
            org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
            and my AuthorityGranter never gets called.

            Here is mine:
            Code:
            	<security:global-method-security secured-annotations="enabled" />
            	
            	<security:authentication-manager alias="_authenticationManager"/>
            	
            	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
            		<property name="providers">
            			<list>
            				<ref local="jaasAuthenticationProvider" />
            			</list>
            		</property>
            	</bean>
            	
            	<security:authentication-provider user-service-ref="userDetailsService" />
            	
            	<security:user-service id="userDetailsService">
            		<security:user password="secret" name="fooBar" authorities="ROLE_KRBRS_AUTHENTICATED"/>
            	</security:user-service>
            	<bean id="jaasAuthenticationProvider" class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
            		<security:custom-authentication-provider />
            		<property name="loginConfig" value="file:c://jaas.conf" />
            		<property name="loginContextName" value="JaasSample" />
            		<property name="callbackHandlers">
            			<list>
            				<bean class="org.springframework.security.providers.jaas.JaasNameCallbackHandler" />
            				<bean class="org.springframework.security.providers.jaas.JaasPasswordCallbackHandler" />
            			</list>
            		</property>
            		<property name="authorityGranters">
            			<list>
            				<bean class="com.mypackage.KerberosAuthorityGranter" />
            			</list>
            		</property>
            	</bean>
            Any idea?
