Thread: Active directory, kerberos and all that jaas

  1. #1

    Active directory, kerberos and all that jaas

    Anybody have a working example of the "authorityGranter" implementation for JaasAuthenticationProvider?
    Specifically, populating grantedAuthorities via ActiveDirectory?

    I can authenticate fine via Jaas/Kerberos but when I attempt to search Active Directory to retrieve the user roles, my attempts fail with kerberos credential errors.

    Googled till I'm schmoogled

  2. #2
    Join Date
    Oct 2004
    Posts
    207

    The Jaas stuff is there to connect Acegi to Jaas. What are you using to connect Jaas to Active Directory?

    You might also consider using the acegi ldap support to authenticate with Active Directory.

  3. #3

    What are you using to connect Jaas to Active Directory?
    My JAAS settings:
    Code:
    Lites {
      com.sun.security.auth.module.Krb5LoginModule
      required
      doNotPrompt=false
      useTicketCache=false
      storeKey=true
      debug=true;
    };

    com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule
      required;
    };
    Tomcat is launched with -Djavax.security.auth.useSubjectCredsOnly=false

    Ray,
    From the above, you can see I'm not connecting anything in JAAS to the Active Directory. I've read the tutorial on JAAS authorization but I'm not getting it... I don't understand how the KerberosPrincipal delivered to the authorityGranter will carry along the grantedAuthorities from the Active Directory lookup.

    My approach to deliver this requirement was to implement the TestAuthorityGranter section of the JaasAuthenticationProvider javadoc to use a FilterBasedLdapUserSearch bean. http://www.acegisecurity.org/acegi-s...tyGranter.html

    But what would be ideal would be for the auth/authz requirement to be delivered with a JaasAuthenticationProvider solution with all Kerberos/AD settings defined on the server.

    Anything you can do to outline the solution would be greatly appreciated.

    - Steve

  4. #4
    Join Date
    Oct 2004
    Posts
    207

    Well you're on the right course. The AuthorityGranter interface is there for that purpose. You provide an implementation of AuthorityGranter that uses the Principal to generate a Set of ROLEs to grant.

    I really have no idea what type of Principal the Krb5LoginModule provides. You may be able to downcast it and get some more information from it. Or you'll have to do something like you're talking about where you go dig in LDAP for the information.

    Other than that, use the FilterBasedLdapUserSearch or the Spring LDAP support... http://www.springframework.org/ldap

  5. #5
    Join Date
    Sep 2006
    Posts
    2

    I really have no idea what type of Principal the Krb5LoginModule provides.
    KerberosPrincipal is what is returned.
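
An added example, not code from this thread or from the Spring Security project: one way to write the AuthorityGranter discussed above, turning the KerberosPrincipal into roles through an LDAP lookup of memberOf. Assumptions: the directory URL, base DN, bind DN, group names and the `ad.lookup.password` property are constructed, and the lookup binds as its own read-only service account over LDAPS instead of reusing the user's Kerberos credentials.

```java
package com.mypackage; // package and class name as in the bean definition quoted in this thread
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.springframework.security.providers.jaas.AuthorityGranter;

public class KerberosAuthorityGranter implements AuthorityGranter {
    // Assumed deployment values (constructed for this example).
    private static final String URL = "ldaps://dc.example.com:636";
    private static final String BASE = "CN=Users,DC=example,DC=com";
    private static final String BIND_DN = "CN=svc-lookup,OU=Service,DC=example,DC=com";
    // Allowlist: only these AD groups become roles; every other group is ignored.
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static { GROUP_TO_ROLE.put("App-Admins", "ROLE_ADMIN"); GROUP_TO_ROLE.put("App-Users", "ROLE_USER"); }

    public Set<String> grant(Principal principal) {
        Set<String> roles = new HashSet<String>();
        if (!(principal instanceof KerberosPrincipal)) return roles;  // other principal types get nothing
        String account = principal.getName().replaceFirst("@[^@]*$", ""); // user@REALM -> user
        // Hypothetical property name. An empty password would turn the simple bind into an unauthenticated one.
        String password = System.getProperty("ad.lookup.password");
        if (password == null || password.length() == 0) throw new IllegalStateException("lookup password not set");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // Subtree search, at most 1 entry, 5 s time limit, return only memberOf.
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 1, 5000, new String[] { "memberOf" }, false, false);
            // Parameterized filter: JNDI escapes the {0} argument, so the account name cannot alter the filter.
            NamingEnumeration<SearchResult> hits = ctx.search(BASE, "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { account }, sc);
            Attribute groups = hits.hasMore() ? hits.next().getAttributes().get("memberOf") : null;
            for (int i = 0; groups != null && i < groups.size(); i++) {
                LdapName dn = new LdapName((String) groups.get(i)); // e.g. CN=App-Admins,OU=Groups,...
                String role = GROUP_TO_ROLE.get(String.valueOf(dn.getRdn(dn.size() - 1).getValue()));
                if (role != null) roles.add(role);
            }
        } catch (NamingException e) {
            roles.clear(); // fail closed: any directory error leaves the user with no roles
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return roles;
    }
}
```

memberOf lists direct memberships only, so nested groups and the user's primary group do not produce roles here.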

  6. #6
    Join Date
    Mar 2009
    Posts
    5

    Originally posted by steve_sicherheit:
    I can authenticate fine via Jaas/Kerberos but when I attempt to search Active Directory to retrieve the user roles, my attempts fail with kerberos credential errors.
    Steve, can you paste your applicationContext.xml? I cannot make spring-security authenticate using kerberos. All the time I'm getting a
    Code:
    org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    and my AuthorityGranter never gets called.

    Here is mine:
    Code:
    	<security:global-method-security secured-annotations="enabled" />
    	
    	<security:authentication-manager alias="_authenticationManager"/>
    	
    	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="jaasAuthenticationProvider" />
    			</list>
    		</property>
    	</bean>
    	
    	<security:authentication-provider user-service-ref="userDetailsService" />
    	
    	<security:user-service id="userDetailsService">
    		<security:user password="secret" name="fooBar" authorities="ROLE_KRBRS_AUTHENTICATED"/>
    	</security:user-service>
    	             	              
    	<bean id="jaasAuthenticationProvider" class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
    		<security:custom-authentication-provider />
    		<property name="loginConfig" value="file:c://jaas.conf" />
    		<property name="loginContextName" value="JaasSample" />
    		<property name="callbackHandlers">
    			<list>
    				<bean class="org.springframework.security.providers.jaas.JaasNameCallbackHandler" />
    				<bean class="org.springframework.security.providers.jaas.JaasPasswordCallbackHandler" />
    			</list>
    		</property>
    		<property name="authorityGranters">
    			<list>
    				<bean class="com.mypackage.KerberosAuthorityGranter" />
    			</list>
    		</property>
    	</bean>
    Any idea?
