These instructions use an example Kerberos configuration with:
A client installation of Kerberos is required with the following components:
A working krb5.conf is required. This is the Kerberos client configuration.
If this is working you should be able to execute a
Add the following to domain.xml:
Replace net.java.spnego.SpnegoServerAuthModule with the class you have written which extends this class.

    <message-security-config auth-layer="HttpServlet">
        <provider-config class-name="net.java.spnego.SpnegoServerAuthModule" provider-id="spnego" provider-type="server">
            <request-policy auth-recipient="before-content" auth-source="sender"/>
        </provider-config>
    </message-security-config>

All of the configuration above consists of constants except for the provider-id. This should match the httpservlet-security-provider attribute of the sun-web-app element in sun-web.xml:

    <sun-web-app httpservlet-security-provider="spnego">
    <!-- This is the default, but the login.conf referenced must contain additional entries. -->
    <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
    <!-- We need the underlying mechanism to obtain credentials. -->
    <jvm-options>-Djavax.security.auth.useSubjectCredsOnly=false</jvm-options>
    <!-- This tells the Kerberos LoginModule where the Kerberos client config is. -->
    <jvm-options>-Djava.security.krb5.conf=/etc/krb5.conf</jvm-options>

The above can be achieved using the Admin GUI that comes with Glassfish.
asadmin can be used for all configuration in domain.xml, which allows the SPNEGO configuration to be automated.
See the Spnego project's pom.xml, which takes this approach using Ant exec tasks.
Add the following to login.conf. This is the login.conf in the domain's config directory.

    /* Used by SpnegoServerAuthModule */
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="HTTP/developer249.office.lan@WOTIF.COM"
            useKeyTab=true
            keyTab="/etc/krb5.keytab"
            isInitiator=false
            storeKey=true;
    };

The meaning and purpose of each of the above lines is:
com.sun.security.auth.module.Krb5LoginModule required
    The built-in Kerberos LoginModule will be used to authenticate with Kerberos. As with other JAAS modules, "required" means that for authentication to succeed this module must succeed.

principal="HTTP/developer249.office.lan@WOTIF.COM"
    This is the service principal, which should be set up on the KDC and in the keytab.

useKeyTab=true
    The service principal's key is taken from the keytab. This should be set to true.

keyTab="/etc/krb5.keytab"
    This tells the module where to find the keytab. The default location on Unix systems is /etc/krb5.keytab, which is the system keytab. You might wish to have a separate one for your Glassfish service.
    The keytab should contain an entry for the service principal, which in our example is HTTP/developer249.office.lan@WOTIF.COM. Within kadmin, you create it with the following command:

        ktadd HTTP/developer249.office.lan

    You can use ktutil to check the contents of the keytab.

isInitiator=false
    A GSS-API security context has an initiator and a target, which is the acceptor. Glassfish is the acceptor, indicated with this configuration option.

storeKey=true
    Stores the service key in the Subject's private credentials. This should be true.
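As an added check, not part of the original page or the Spnego project: the following standalone Java program performs the same JAAS login that the com.sun.security.jgss.accept entry above describes and then asks JGSS for an acceptor-only SPNEGO credential. Running it outside Glassfish confirms that the principal, the keytab and krb5.conf agree before the container and the auth module are involved; a wrong principal name, a missing keytab entry or a key version mismatch fails at lc.login() with a clear message. The paths, principal and entry name are the example values from this page; the class name KeytabCheck and the LOGIN_CONF path are assumptions, and the program needs a real keytab and KDC to reach the credential step.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class KeytabCheck {

    // Assumed path to a login.conf containing the com.sun.security.jgss.accept entry shown above.
    private static final String LOGIN_CONF = "/path/to/login.conf";
    // Same JAAS entry name the Spnego module looks up inside Glassfish.
    private static final String ENTRY = "com.sun.security.jgss.accept";
    // SPNEGO mechanism OID (RFC 4178).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    public static void main(String[] args) throws Exception {
        // Mirror the three jvm-options from domain.xml so the check runs under the same settings.
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Step 1: the Krb5LoginModule reads the key for the configured principal from the keytab.
        // No CallbackHandler is needed because useKeyTab=true and principal= are set in login.conf.
        LoginContext lc = new LoginContext(ENTRY);
        try {
            lc.login();
        } catch (LoginException e) {
            System.err.println("Keytab login failed: " + e.getMessage());
            System.exit(1);
        }
        Subject subject = lc.getSubject();
        System.out.println("Logged in principals: " + subject.getPrincipals());
        // storeKey=true puts the KerberosKey objects here; an empty set means the key was not stored.
        System.out.println("Private credentials stored: " + subject.getPrivateCredentials().size());

        // Step 2: acting as that Subject, obtain an ACCEPT_ONLY credential, which is what an
        // isInitiator=false server does when it validates a client's SPNEGO token.
        GSSCredential cred = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            return manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        });
        System.out.println("Acceptor credential obtained for " + cred.getName());

        cred.dispose();
        lc.logout();
    }
}
```

Run it as the same OS user that Glassfish runs as: the keytab must be readable by that user, and a permission problem on /etc/krb5.keytab is the usual reason this check passes for root but the deployed service still fails.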
The provider-id is set as an attribute of sun-web-app to bind the web app to the provider.
To hook a web app to the example above:

    <sun-web-app httpservlet-security-provider="spnego">
        ...
    </sun-web-app>
See Page 200 of Glassfish Administration Guide.