| <html><head> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
| <title>Spnego Support</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-security.html" title="Chapter 7. Configuring Security"><link rel="prev" href="jaas-support.html" title="JAAS Support"><link rel="next" href="configuring-jsp.html" title="Chapter 8. Configuring JSP Support"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script> |
| hljs.initHighlightingOnLoad(); |
| </script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small"> |
| Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Spnego Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><th width="60%" align="center">Chapter 7. Configuring Security<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at |
| <span class="website">www.webtide.com</span></a></h5><p> |
| private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... |
| scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development |
| </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="spnego-support"></a>Spnego Support</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="spnego-support.html#_configuring_jetty_and_spnego">Configuring Jetty and Spnego</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_firefox">Configuring Firefox</a></span></dt><dt><span class="section"><a href="spnego-support.html#_configuring_internet_explorer">Configuring Internet Explorer</a></span></dt></dl></div><p>Simple and Protected GSSAPI Negotiation Mechanism (Spnego) is a way for users to be seamlessly authenticated when running on a Windows or Active Directory based network. |
Jetty supports this type of authentication and authorization through the Kerberos and GSS-API support built into the JDK (available in later updates of Java 6 and in Java 7 onwards), so the ticket validation is done by the JVM rather than by Jetty itself.
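</p><p>To make the rest of this chapter concrete, here is what actually crosses the wire. Jetty answers an unauthenticated request for a protected URL with <code class="literal">401</code> and <code class="literal">WWW-Authenticate: Negotiate</code>; the browser retries with an <code class="literal">Authorization: Negotiate</code> header carrying a base64 token, and <code class="literal">SpnegoLoginService</code> hands that token to the JDK's GSS-API layer. The JDK's SPNEGO implementation negotiates Kerberos only, so a token in which the browser has silently fallen back to NTLM (which is what happens when it could not get a service ticket, for example because the server was addressed by IP address) can never log the user in. The following Python script is an added example, not part of Jetty or of this page's original text: it decodes such a header and reports whether the client offered Kerberos or only NTLM. The OIDs are the standard ones; the sample headers are constructed inside the script with placeholder payloads rather than real tickets.</p>

```python
"""Tell Kerberos from NTLM in an "Authorization: Negotiate <base64>" header.

Added example for this page, not Jetty code. After Jetty's 401 challenge the
browser sends a SPNEGO NegTokenInit listing the mechanisms it can do (Kerberos,
or only NTLM when it got no service ticket) or a bare NTLMSSP message. The
sample headers at the end are constructed; their payloads are placeholders.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"  # Microsoft's legacy Kerberos OID
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def encode_oid(dotted):
    """DER content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """Inverse of encode_oid."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der(tag, value):
    """One DER TLV with a short-form length (the constructed samples are small)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Parse the TLV at buf[pos] -> (tag, value_start, value_end); long lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spnego_mech_types(token):
    """OIDs offered by a SPNEGO NegTokenInit, in order, or [] if the token is not one."""
    tag, pos, _ = read_tlv(token, 0)  # GSS [APPLICATION 0] wrapper
    if tag != 0x60:
        return []
    tag, start, pos = read_tlv(token, pos)  # the mechanism OID must be SPNEGO
    if tag != 0x06 or decode_oid(token[start:pos]) != SPNEGO_OID:
        return []
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] negTokenInit, SEQ, [0] mechTypes, SEQ OF
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            return []
    oids = []
    while pos < end:
        tag, start, pos = read_tlv(token, pos)
        if tag != 0x06:
            return []
        oids.append(decode_oid(token[start:pos]))
    return oids

def classify_negotiate_token(header_value):
    """'kerberos', 'ntlm' or 'unknown' for the value of an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP_SIGNATURE):
            return "ntlm"  # bare NTLMSSP message, no SPNEGO wrapper at all
        mechs = spnego_mech_types(token)
        if KRB5_OID in mechs or MS_KRB5_OID in mechs:
            return "kerberos"  # the client obtained a service ticket
        if NTLM_OID in mechs:
            return "ntlm"  # the client offers only NTLM: no ticket for this host
    except (IndexError, ValueError):  # bad base64 or malformed DER
        pass
    return "unknown"

def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit; mech_token is an opaque placeholder here."""
    mech_types = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, init))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Constructed samples: a browser with a service ticket, one without, and bare NTLM.
SAMPLE_KERBEROS = negotiate_header(build_neg_token_init([KRB5_OID, MS_KRB5_OID, NTLM_OID], b"<placeholder AP-REQ>"))
SAMPLE_SPNEGO_NTLM = negotiate_header(build_neg_token_init([NTLM_OID], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"))
SAMPLE_RAW_NTLM = negotiate_header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2")
```

<p>Run <code class="literal">classify_negotiate_token</code> against a real header copied from a failing request (for example from the browser's developer tools) to separate a client-side problem (no ticket, server addressed by IP, site not in the intranet zone) from a server-side one (wrong keytab or principal): a <code class="literal">kerberos</code> result means the browser did its part, and what remains is the server configuration described below.</p><p>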
Also important to note is that this is an <span class="emphasis"><em>incredibly</em></span> fragile setup: everything (principal names, realm case, hostnames, keytab, clocks) needs to be configured just right for things to work, and otherwise it fails in obscure ways, typically with nothing more than a 401 in the browser and a GSSException in the server log.</p><p>There is a substantial amount of configuration and testing required to enable this feature, as well as knowledge of, and access to, central systems on a Windows network such as the Active Directory domain controller, and the ability to create and maintain service users.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_jetty_and_spnego"></a>Configuring Jetty and Spnego</h3></div></div></div><p>To run with Spnego enabled the following command line options are required. The first two point the JDK at the Kerberos and JAAS configuration files described below; the third lets the JDK's GSS-API layer obtain the server's Kerberos credentials from the JAAS <code class="literal">com.sun.security.jgss.accept</code> entry instead of requiring them in the current <code class="literal">Subject</code>:</p><div class="screenexample"><pre class="screen">-Djava.security.krb5.conf=/path/to/jetty/etc/krb5.ini \
| -Djava.security.auth.login.config=/path/to/jetty/etc/spnego.conf \ |
-Djavax.security.auth.useSubjectCredsOnly=false</pre></div><p>For debugging the Spnego authentication the following options are very helpful (<code class="literal">-Dsun.security.krb5.debug=true</code> additionally traces the underlying Kerberos exchange with the KDC). Do not leave them on in production: they are verbose and the traces include principal names and ticket details.</p><div class="screenexample"><pre class="screen">-Dorg.eclipse.jetty.LEVEL=debug \
-Dsun.security.spnego.debug=all</pre></div><p>Spnego authentication must be enabled in the webapp in the following way.
The role name is the Kerberos realm (the Windows domain) of the authenticated user: <code class="literal">SpnegoLoginService</code> grants the part of the client principal after the <code class="literal">@</code> as the user's only role, so it will be different for your network and must match the realm's spelling and case exactly.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <security-constraint>
| <web-resource-collection> |
| <web-resource-name>Secure Area</web-resource-name> |
| <url-pattern>/secure/me/*</url-pattern> |
| </web-resource-collection> |
| <auth-constraint> |
| <!-- this is the domain that the user is a member of --> |
| <role-name>MORTBAY.ORG</role-name> |
| </auth-constraint> |
| </security-constraint> |
| <login-config> |
| <auth-method>SPNEGO</auth-method> |
| <realm-name>Test Realm</realm-name> |
| <!-- optionally to add custom error page --> |
| <spnego-login-config> |
            <spnego-error-page>/loginError.html?param=foo</spnego-error-page>
| </spnego-login-config> |
  </login-config></code></pre><p>A corresponding <code class="literal">LoginService</code>, here a <code class="literal">SpnegoLoginService</code> (Jetty 9 has no <code class="literal">UserRealm</code>; that was the Jetty 6 name for the same thing), needs to be created either programmatically if embedded, via <code class="literal">jetty.xml</code>, or in a context file for the webapp. Its <code class="literal">name</code> should match the <code class="literal">realm-name</code> in <code class="literal">web.xml</code>, and its <code class="literal">config</code> points at the <code class="literal">spnego.properties</code> file.</p><p>This is what the configuration looks like in a Jetty XML file such as <code class="literal">jetty.xml</code>. The service is added as a server bean, and a webapp's <code class="literal">SecurityHandler</code> finds it by matching the bean's name against its own realm name:</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <Call name="addBean">
| <Arg> |
| <New class="org.eclipse.jetty.security.SpnegoLoginService"> |
| <Set name="name">Test Realm</Set> |
| <Set name="config"><Property name="jetty.home" default="."/>/etc/spnego.properties</Set> |
| </New> |
| </Arg> |
| </Call></code></pre><p>This is what the configuration within a context xml file would look like.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code> <Get name="securityHandler"> |
| <Set name="loginService"> |
| <New class="org.eclipse.jetty.security.SpnegoLoginService"> |
| <Set name="name">Test Realm</Set> |
| <Set name="config"> |
| <SystemProperty name="jetty.home" default="."/>/etc/spnego.properties |
| </Set> |
| </New> |
| </Set> |
| <Set name="checkWelcomeFiles">true</Set> |
</Get></code></pre><p>There are a number of important configuration files with Spnego that are required. Template versions of these files, with the values used in this test example, are found in the <code class="literal">etc</code> folder of the Jetty distribution.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">spnego.properties</span></dt><dd>runtime properties for the <code class="literal">SpnegoLoginService</code>, in particular <code class="literal">targetName</code>, the service principal name (<code class="literal">HTTP/hostname</code>) under which the Jetty server accepts tickets</dd><dt><span class="term">krb5.ini</span></dt><dd>the Kerberos client configuration used by the JDK: the default realm, the KDC for each realm and the mapping from DNS domain to realm</dd><dt><span class="term">spnego.conf</span></dt><dd>the JAAS login configuration that glues GSS-API to Kerberos: its <code class="literal">com.sun.security.jgss.accept</code> entry names the server principal and the keytab the JDK loads its key from</dd></dl></div><p>It is important to note that the keytab file referenced in the <code class="literal">krb5.ini</code> and <code class="literal">spnego.conf</code> files needs to contain the key for the service principal named by <code class="literal">targetName</code>, that is <code class="literal">HTTP/hostname@REALM</code>.
Kerberos principal names are case-sensitive, and the browser asks the KDC for a ticket for <code class="literal">HTTP/</code> followed by the host name in the URL, so the host part must be the fully qualified name users will type, registered in Active Directory as a Service Principal Name (SPN) on a service account.
To do this, use a process similar to the following.</p><p>On a Windows Active Directory domain controller (or any domain-joined host with the AD administration tools, as an account allowed to modify the service account) register the SPN on the service account that will stand in for the Jetty server:</p><div class="screenexample"><pre class="screen">$ setspn -A HTTP/linux.mortbay.org ADUser</pre></div><p><code class="literal">setspn -S</code> does the same but refuses to register an SPN that already exists on another account; a duplicate SPN in the forest breaks Kerberos for that service, so prefer it where available. Then export the account's key into a keytab:</p><div class="screenexample"><pre class="screen">$ ktpass -out c:\dir\krb5.keytab -princ HTTP/linux.mortbay.org@MORTBAY.ORG -mapUser ADUser -mapOp set -pass ADUserPWD -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL</pre></div><p>Be aware of what this command does: <code class="literal">-pass</code> resets the service account's password to the given value (so that the keytab and the account agree), <code class="literal">-mapOp set</code> makes the principal the account's user principal name, and <code class="literal">-crypto RC4-HMAC-NT</code> selects a weak, deprecated encryption type that is shown here only because it was the lowest common denominator at the time; prefer <code class="literal">-crypto AES256-SHA1</code> where the domain and the JDK support it, and make sure the chosen type is also permitted in <code class="literal">krb5.ini</code>. The resulting keytab is the server's long-term credential, equivalent to the account's password: copy it to the machine running the http server over an encrypted channel, make it readable only by the user Jetty runs as, and reference it from the configuration files. On the server, <code class="literal">klist -k -t /path/to/krb5.keytab</code> lists the principals and encryption types the file contains, which is the quickest way to confirm that name and realm match <code class="literal">targetName</code> and <code class="literal">spnego.conf</code>.
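</p><p>Because the same three values (the service principal, its realm and the keytab path) have to agree across <code class="literal">spnego.properties</code>, <code class="literal">spnego.conf</code>, <code class="literal">krb5.ini</code> and the <code class="literal">role-name</code> in <code class="literal">web.xml</code>, and a single mismatch only shows up as a failed login, it pays to check them mechanically. The following Python script is an added example, not Jetty code and not a tool the project ships: it embeds constructed versions of the three files, modelled on the templates in Jetty's <code class="literal">etc</code> directory (the hostname <code class="literal">linux.mortbay.org</code>, the realm and the <code class="literal">/opt/jetty</code> keytab path are assumptions), parses them and reports the inconsistencies that most often break the setup.</p>

```python
"""Cross-check the files a Jetty SPNEGO setup depends on.

Added example for this page, not Jetty code. The sample files are constructed,
modelled on the templates in Jetty's etc/ directory; host name, realm and keytab
path are assumptions. Flagged: a JAAS principal that is not
targetName@default_realm, disagreeing keytab paths, a realm without a KDC, a
targetName that is an IP or short name, a web.xml role-name that is no realm.
"""
import re

SPNEGO_PROPERTIES = "targetName=HTTP/linux.mortbay.org\n"

SPNEGO_CONF = """\
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/linux.mortbay.org@MORTBAY.ORG" keyTab="/opt/jetty/etc/krb5.keytab"
    useKeyTab=true storeKey=true isInitiator=false;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/linux.mortbay.org@MORTBAY.ORG" keyTab="/opt/jetty/etc/krb5.keytab"
    useKeyTab=true storeKey=true isInitiator=false;
};
"""

KRB5_INI = """\
[libdefaults]
    default_realm = MORTBAY.ORG
    default_keytab_name = /opt/jetty/etc/krb5.keytab
[realms]
    MORTBAY.ORG = {
        kdc = dc.mortbay.org
    }
[domain_realm]
    .mortbay.org = MORTBAY.ORG
    mortbay.org = MORTBAY.ORG
"""

def parse_properties(text):
    """Java .properties subset: key=value lines, '#' comments."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_jaas(text):
    """JAAS login configuration -> {entry name: {option: value}}."""
    return {name: dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
            for name, body in re.findall(r"(\S+)\s*\{(.*?)\};", text, re.S)}

def parse_krb5(text):
    """Minimal krb5.ini reader -> {section: {key: value}}; [realms] entries are dicts."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = conf.setdefault(line.strip("[]").lower(), {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                realm = section.setdefault(key, {})
            else:
                (section if realm is None else realm)[key] = value
    return conf

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def check_spnego_config(props_text, jaas_text, krb5_text, role_names):
    """Return a list of problems; an empty list means the four pieces agree."""
    props, jaas, krb5 = parse_properties(props_text), parse_jaas(jaas_text), parse_krb5(krb5_text)
    libdefaults, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    realm, target = libdefaults.get("default_realm"), props.get("targetName", "")
    service, _, host = target.partition("/")
    problems = []
    if service != "HTTP" or not host:
        problems.append("targetName must be HTTP/<fqdn>, got %r" % target)
    elif IP_RE.match(host) or "." not in host:
        problems.append("targetName host %r must be the FQDN browsers use, not an IP or short name" % host)
    if not realm:
        problems.append("krb5.ini has no default_realm")
    elif not realms.get(realm, {}).get("kdc"):
        problems.append("no kdc configured for realm %s" % realm)
    accept = jaas.get("com.sun.security.jgss.accept")
    if accept is None:
        problems.append("spnego.conf has no com.sun.security.jgss.accept entry")
    else:
        expected = "%s@%s" % (target, realm)  # principals and realms are case-sensitive
        if accept.get("principal") != expected:
            problems.append("accept principal %r != %r (targetName@default_realm)" % (accept.get("principal"), expected))
        for opt, want in (("useKeyTab", "true"), ("storeKey", "true"), ("isInitiator", "false")):
            if accept.get(opt) != want:
                problems.append("accept entry needs %s=%s" % (opt, want))
    keytabs = {e.get("keyTab") for e in jaas.values()} | {libdefaults.get("default_keytab_name")}
    keytabs.discard(None)
    if len(keytabs) != 1:
        problems.append("expected one keytab path across spnego.conf and krb5.ini, found %s" % sorted(keytabs))
    for role in role_names:
        if role not in realms:
            problems.append("role-name %r is not a realm; the user's realm is the only role granted" % role)
    return problems

if __name__ == "__main__":
    print(check_spnego_config(SPNEGO_PROPERTIES, SPNEGO_CONF, KRB5_INI, ["MORTBAY.ORG"]))  # []
    print(check_spnego_config(SPNEGO_PROPERTIES, SPNEGO_CONF.replace("@MORTBAY.ORG", "@mortbay.org"), KRB5_INI, ["MORTBAY.ORG"]))
```

<p>Point the three parser functions at the real files on the Jetty host and the check will catch a principal whose realm differs in case from <code class="literal">default_realm</code>, a keytab path that was updated in one file but not the other, or a <code class="literal">role-name</code> that is not a realm. It cannot verify that the keytab actually holds a key for the principal; that is what <code class="literal">klist -k -t</code> on the server is for.</p><p>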
For our testing we put the keytab into the <code class="literal">etc</code> directory of Jetty and referenced it from there.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_firefox"></a>Configuring Firefox</h3></div></div></div><p>The following steps are required to inform Firefox that it should answer a Negotiate challenge with the user's Kerberos ticket instead of showing a login dialog.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Browse to about:config and agree to the warnings</li><li class="listitem">Search through to find the <span class="emphasis"><em>network</em></span> settings</li><li class="listitem">Set <code class="literal">network.negotiate-auth.delegation-uris</code> to <code class="literal">http://,https://</code></li><li class="listitem">Set <code class="literal">network.negotiate-auth.trusted-uris</code> to <code class="literal">http://,https://</code></li></ol></div><p>These values make the test work against any server, but they are far too broad for real use: <code class="literal">trusted-uris</code> lists the sites Firefox will send a Negotiate token to, and <code class="literal">delegation-uris</code> lists the sites it will additionally forward the user's Kerberos credentials to, so that the server can act as the user. With <code class="literal">http://,https://</code> every site that returns a Negotiate challenge qualifies. Restrict <code class="literal">trusted-uris</code> to your own servers (for example <code class="literal">https://linux.mortbay.org</code>) and leave <code class="literal">delegation-uris</code> empty unless the application really needs delegated credentials.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_configuring_internet_explorer"></a>Configuring Internet Explorer</h3></div></div></div><p>The following steps are required to inform Internet Explorer that it should use Integrated Windows Authentication for the site instead of prompting.</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Tools → Internet Options → Security → Local Intranet → Sites (everything should be checked here)</li><li class="listitem">Tools → Internet Options → Security → Local Intranet → Sites → Advanced (add the URL of the server, http:// and/or https://, using the hostname, not the IP address)</li><li class="listitem">Tools → Internet Options → Security → Local Intranet → Sites → Advanced → Close</li><li class="listitem">Tools → Internet Options → Security → Local Intranet → Sites → Ok</li><li class="listitem">Tools → Internet Options → Advanced → Security (in the checkbox list)</li><li class="listitem">Locate and check <span class="emphasis"><em>Enable Integrated Windows Authentication</em></span></li><li class="listitem">Tools → Internet Options → Advanced → Security → Ok</li><li class="listitem">Close IE, then reopen it and browse to your Spnego protected resource</li></ol></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>You must go to the hostname and not the IP.
If you go to the IP, the browser has no host name from which to build the <code class="literal">HTTP/hostname</code> service principal name, so it falls back to NTLM authentication, which the JDK's SPNEGO implementation does not accept. The following conditions must be true for Spnego authentication to work:</p><ul class="itemizedlist"><li class="listitem">You must be within the Intranet Zone of the network</li><li class="listitem">You are accessing the server using a hostname rather than an IP</li><li class="listitem">Integrated Windows Authentication in IE is enabled, and the host is trusted in Firefox</li><li class="listitem">The server is not local to the browser; it can't be running on localhost</li><li class="listitem">The client's Kerberos system is authenticated to a domain controller</li><li class="listitem">The clocks of client, server and domain controller agree to within the Kerberos clock skew (five minutes by default); otherwise tickets are rejected as expired or not yet valid</li></ul></div></blockquote></div></div></div><script type="text/javascript">
| SyntaxHighlighter.all() |
| </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="jaas-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">JAAS Support </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Configuring JSP Support</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout"> |
| See an error or something missing? |
| <span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at |
| <span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html> |