PicketBox / SECURITY-640

JBoss Negotiation falls back to the login page if an NTLM token is received or the user is not present in Active Directory.


Details


      Edit web.xml as:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <url-pattern>*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>SPNEGO</auth-method>
          <realm-name>SPNEGO</realm-name>
        </login-config>

      Edit jboss-web.xml:

        <security-domain>java:/jaas/SPNEGO</security-domain>

      Edit login-config.xml:

        <application-policy name="host">
          <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
              <module-option name="storeKey">true</module-option>
              <module-option name="useKeyTab">true</module-option>
              <module-option name="principal">%principal%</module-option>
              <module-option name="keyTab">%keytab path%</module-option>
              <module-option name="doNotPrompt">true</module-option>
              <module-option name="debug">true</module-option>
            </login-module>
          </authentication>
        </application-policy>

        <application-policy name="SPNEGO">
          <authentication>
            <!-- "flag" is a required attribute of login-module in the login-config.xml DTD -->
            <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
              <module-option name="password-stacking">useFirstPass</module-option>
              <module-option name="serverSecurityDomain">host</module-option>
            </login-module>
          </authentication>
        </application-policy>

      Hit the login page with a user authenticated using Active Directory: you will be able to log in.

      Now hit the login page with a user that is not present in Active Directory:

      A 401 error is thrown.
      Instead of 401, the user should be able to view the login form.

    • Compatibility/Configuration

    Description

      We are trying to configure single sign-on using JBoss Negotiation.
      We are able to log in successfully if the user is present in Active Directory.
      But if the user is not present in Active Directory, it throws a 401 error page.
      Instead of 401 we want the user to access the login form and be authenticated using a different login module.

      In our case we have a login page and we authenticate the user on that page.
      If we receive the user's credentials we log the user in without asking for a password.
      If the user credentials are not received, we want the user to be shown the login form
      on the login page, but before that it throws a 401 error.

      We have configured login-config.xml, web.xml and jboss-web.xml as per the documentation.
      We have also defined the following in web.xml:

        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <url-pattern>/Request</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>

      Our application is accessed through the Request servlet.
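      The behaviour asked for here turns on what the browser actually put in the Authorization header: a SPNEGO or raw Kerberos token that the server-side Krb5 domain can validate, a raw NTLM message (which JBoss Negotiation cannot authenticate against Active Directory), or no Negotiate token at all. The snippet below is an added, stand-alone illustration in Python, not PicketBox or JBoss Negotiation code: it classifies the token by its leading bytes (the NTLMSSP signature, or the GSS-API InitialContextToken tag followed by the SPNEGO or Kerberos mechanism OID) and applies the fallback rule the reporter describes. The sample headers are constructed, and `should_fall_back_to_form` is a hypothetical decision helper, not a JBoss API.

```python
import base64
import binascii
from enum import Enum
from typing import Optional

# Byte patterns at the start of the decoded "Authorization: Negotiate <base64>" blob.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # raw NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2 (Kerberos V5)
GSS_APPLICATION_0 = 0x60                             # tag opening a GSS-API InitialContextToken


class TokenKind(Enum):
    NONE = "no Negotiate token"
    NTLM = "raw NTLMSSP message"
    SPNEGO = "SPNEGO InitialContextToken"
    KERBEROS = "raw Kerberos InitialContextToken"
    UNKNOWN = "unrecognised token"


def _skip_der_length(data: bytes, index: int) -> Optional[int]:
    """Return the offset just past the DER length field at `index`, or None if malformed."""
    if index >= len(data):
        return None
    first = data[index]
    if first < 0x80:                                  # short form: a single length byte
        return index + 1
    count = first & 0x7F
    if count == 0 or index + 1 + count > len(data):   # indefinite form or truncated: reject
        return None
    return index + 1 + count


def classify_negotiate_header(authorization: Optional[str]) -> TokenKind:
    """Classify the token carried by an HTTP Authorization header by its leading bytes only.

    This is a routing decision, not authentication: a token classified as SPNEGO or
    KERBEROS still has to be validated by the GSS-API/Krb5 login module.
    """
    if not authorization:
        return TokenKind.NONE
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return TokenKind.NONE
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return TokenKind.UNKNOWN
    if raw.startswith(NTLMSSP_SIGNATURE):
        return TokenKind.NTLM
    if raw[:1] == bytes([GSS_APPLICATION_0]):
        oid_offset = _skip_der_length(raw, 1)
        if oid_offset is not None:
            if raw.startswith(SPNEGO_OID, oid_offset):
                return TokenKind.SPNEGO
            if raw.startswith(KRB5_OID, oid_offset):
                return TokenKind.KERBEROS
    return TokenKind.UNKNOWN


def should_fall_back_to_form(kind: TokenKind, principal_found: bool) -> bool:
    """Hypothetical fallback rule (not a JBoss API): show the form login instead of
    answering 401 when there is nothing Kerberos can validate (no token, NTLM, junk),
    or when the token was valid but the principal is unknown to the application."""
    if kind in (TokenKind.NONE, TokenKind.NTLM, TokenKind.UNKNOWN):
        return True
    return not principal_found


def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers (not captured traffic); payloads are truncated stand-ins,
# since only the leading bytes matter for classification.
SAMPLE_HEADERS = {
    "ntlm_type1": _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),
    "spnego": _header(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"),
    "kerberos": _header(b"\x60\x0d" + KRB5_OID + b"\x01\x00"),
    "spnego_long_length": _header(b"\x60\x82\x00\x0a" + SPNEGO_OID + b"\xa0\x00"),
    "garbage": "Negotiate !!not-base64!!",
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        kind = classify_negotiate_header(header)
        fallback = should_fall_back_to_form(kind, principal_found=False)
        print(f"{name:20s} {kind.name:9s} fall back to form: {fallback}")
```

      The check deliberately stops at the mechanism OID: deciding between "let Kerberos try" and "show the form" only needs to know which mechanism the client chose, while the actual validation of a SPNEGO or Kerberos token stays with the GSS-API layer behind the `host` security domain.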

    People

      rhn-support-dehort Derek Horton
      hrishi_jira Hrishi Salvi (Inactive)