Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Virgo » How do I configure SPNEGO authentication?(How to configure Virgo Tomcat Server 3.6.4 to use SPNEGO authentication with Windows AD)
How do I configure SPNEGO authentication? [message #1731351] Wed, 04 May 2016 13:48 Go to next message
Bill Mair is currently offline Bill MairFriend
Messages: 72
Registered: July 2009
Member
I need the server to authenticate using SPNEGO as all the users in the enterprise LAN are managed in Windows AD.

How can I change the configuration to have all connections SPNEGO authenticated?

It also seems like the authentication "Valve" (org.apache.catalina.authenticator.SpnegoAuthenticator) can only be added to a "Context" element and there is no such element in the standard configuration.

What would I have to do to have the "/admin" pages protected by a "memberOf" query against LDAP (Windows AD)?

I've seen examples for tomcat where the Realm is a "org.apache.catalina.realm.JNDIRealm" for LDAP authorization queries.
Re: How do I configure SPNEGO authentication? [message #1731355 is a reply to message #1731351] Wed, 04 May 2016 14:25 Go to previous messageGo to next message
GianMaria Romanato is currently offline GianMaria RomanatoFriend
Messages: 49
Registered: November 2015
Member
Hi Bill,

If I am not mistaken you can add valves inside the <host> element of the global tomcat-server.xml files, for example:

<Host appBase="" autoDeploy="false" createDirs="false" deployOnStartup="false" name="localhost" unpackWARs="false">
 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="serviceability/logs/access" pattern="%h %l %u %t '%r' %s %b - %I" prefix="localhost_access_log." resolveHosts="false" suffix=".txt"/>



Hope this helps.
GianMaria.
Re: How do I configure SPNEGO authentication? [message #1731360 is a reply to message #1731355] Wed, 04 May 2016 15:50 Go to previous messageGo to next message
Bill Mair is currently offline Bill MairFriend
Messages: 72
Registered: July 2009
Member
Hi GianMaria,

If I try that I get: "Configuration error: Must be attached to a Context".

The LDAP Realm on the other hand appears to initialise and connect to Windows AD.

I think I'll have to grab the source for the splash or the admin bundles and change their "web.xml" files to test them with SPNEGO authentication (instead of BASIC) and then see if I can get the LDAP based authorization to work.

If there was a way to replace the web.xml for a bundle at runtime that would be awesome but I fear that that isn't possible.
Re: How do I configure SPNEGO authentication? [message #1731376 is a reply to message #1731360] Wed, 04 May 2016 17:01 Go to previous messageGo to next message
Violeta Georgieva is currently offline Violeta GeorgievaFriend
Messages: 276
Registered: October 2010
Senior Member
Hi,

What do you think about providing a context.xml for that application?
You can specify the Valve in the context.xml.
You can check the documentation [1].

Regards,
Violeta

[1] https://www.eclipse.org/virgo/documentation/virgo-documentation-3.6.4.RELEASE/docs/virgo-user-guide/htmlsingle/virgo-user-guide.html#configuring-tomcat
-> Context Configuration
Re: How do I configure SPNEGO authentication? [message #1731467 is a reply to message #1731376] Thu, 05 May 2016 16:21 Go to previous message
Bill Mair is currently offline Bill MairFriend
Messages: 72
Registered: July 2009
Member
I've managed to get it all working.

The "Context" and "Valve" definition in tomcat-server.xml are not required.

Somehow tomcat finds the right class when SPNEGO is defined as the <auth-method> in the bundle's "web.xml".

I then used tomcat's org.apache.catalina.realm.JNDIRealm class to do the authorization with LDAP against Windows AD.

In my case, the <role-name> has to match the name of the group that the user must be a member of. I used the default "cn" for this.

The next hurdle in my Virgo migration is now been complete. Very Happy

I have some of my bundles now migrated to being Virgo bundles in eclipse, the server connections are secured with TLS (that part was easy), the users are authenticated using SPNEGO (Kerberos) and authorized via LDAP (Windows AD).

So now that the ground work is done, it is time to migrate a complete application and see how everything pans out.

[Updated on: Thu, 05 May 2016 16:22]

Report message to a moderator

Previous Topic:Undelopying a Spring MVC bundle also leads to undeploying the other bundles
Next Topic:HttpService and ServiceTracker
Goto Forum:
  


Current Time: Sat Sep 22 06:50:07 GMT 2018

Powered by FUDForum. Page generated in 0.01749 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top