Eclipse Community Forums: Virgo » How do I configure SPNEGO authentication?

Home » Eclipse Projects » Virgo » How do I configure SPNEGO authentication?(How to configure Virgo Tomcat Server 3.6.4 to use SPNEGO authentication with Windows AD)

How do I configure SPNEGO authentication? [message #1731351]

Wed, 04 May 2016 09:48

Eclipse User

I need the server to authenticate using SPNEGO as all the users in the enterprise LAN are managed in Windows AD.

How can I change the configuration to have all connections SPNEGO authenticated?

It also seems like the authentication "Valve" (org.apache.catalina.authenticator.SpnegoAuthenticator) can only be added to a "Context" element and there is no such element in the standard configuration.

What would I have to do to have the "/admin" pages protected by a "memberOf" query against LDAP (Windows AD)?

I've seen examples for tomcat where the Realm is a "org.apache.catalina.realm.JNDIRealm" for LDAP authorization queries.

Re: How do I configure SPNEGO authentication? [message #1731355 is a reply to message #1731351]

Wed, 04 May 2016 10:25

Eclipse User

Hi Bill,

If I am not mistaken you can add valves inside the <host> element of the global tomcat-server.xml files, for example:

<Host appBase="" autoDeploy="false" createDirs="false" deployOnStartup="false" name="localhost" unpackWARs="false">
 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="serviceability/logs/access" pattern="%h %l %u %t '%r' %s %b - %I" prefix="localhost_access_log." resolveHosts="false" suffix=".txt"/>

Hope this helps.
GianMaria.

Re: How do I configure SPNEGO authentication? [message #1731360 is a reply to message #1731355]

Wed, 04 May 2016 11:50

Eclipse User

Hi GianMaria,

If I try that I get: "Configuration error: Must be attached to a Context".

The LDAP Realm on the other hand appears to initialise and connect to Windows AD.

I think I'll have to grab the source for the splash or the admin bundles and change their "web.xml" files to test them with SPNEGO authentication (instead of BASIC) and then see if I can get the LDAP based authorization to work.

If there was a way to replace the web.xml for a bundle at runtime that would be awesome but I fear that that isn't possible.

Re: How do I configure SPNEGO authentication? [message #1731376 is a reply to message #1731360]

Wed, 04 May 2016 13:01

Eclipse User

Hi,

What do you think about providing a context.xml for that application?
You can specify the Valve in the context.xml.
You can check the documentation [1].

Regards,
Violeta

[1] https://www.eclipse.org/virgo/documentation/virgo-documentation-3.6.4.RELEASE/docs/virgo-user-guide/htmlsingle/virgo-user-guide.html#configuring-tomcat
-> Context Configuration

Re: How do I configure SPNEGO authentication? [message #1731467 is a reply to message #1731376]

Thu, 05 May 2016 12:21

Eclipse User

I've managed to get it all working.

The "Context" and "Valve" definition in tomcat-server.xml are not required.

Somehow tomcat finds the right class when SPNEGO is defined as the <auth-method> in the bundle's "web.xml".

I then used tomcat's org.apache.catalina.realm.JNDIRealm class to do the authorization with LDAP against Windows AD.

In my case, the <role-name> has to match the name of the group that the user must be a member of. I used the default "cn" for this.

The next hurdle in my Virgo migration is now been complete. Very Happy

I have some of my bundles now migrated to being Virgo bundles in eclipse, the server connections are secured with TLS (that part was easy), the users are authenticated using SPNEGO (Kerberos) and authorized via LDAP (Windows AD).

So now that the ground work is done, it is time to migrate a complete application and see how everything pans out.

[Updated on: Thu, 05 May 2016 12:22] by Moderator

Previous Topic:	Undelopying a Spring MVC bundle also leads to undeploying the other bundles
Next Topic:	HttpService and ServiceTracker

Goto Forum:

-=] Back to Top [=-

Current Time: Mon Apr 28 07:57:13 EDT 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter