Jaspic ServerAuthModule delegating to JAAS Krb5LoginModule


Question

I have to write a custom Jaspic ServerAuthModule (which needs to add a proprietary authentication cookie to the HTTP response AND HTTP request, to be propagated to the applications running on the app server). The authentication must be done using Kerberos SPNEGO.

The application server to be used is JBoss EAP 6.4.x.

I managed to get the authentication using the JAAS Krb5LoginModule working.

The JBoss EAP standalone.xml I use:

  <security-domain name="host" cache-type="default">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="debug" value="true"/>
          <module-option name="principal" value="HTTP/macbookAirRCH@EXAMPLE.COM"/>
          <module-option name="storeKey" value="true"/>
          <module-option name="useKeyTab" value="true"/>
          <module-option name="doNotPrompt" value="true"/>
          <module-option name="keyTab" value="/Users/jet/Downloads/kerberos/macbookAirRCH.keytab"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="SPNEGO" cache-type="default">
    <authentication>
      <login-module code="SPNEGO" flag="required">
          <module-option name="serverSecurityDomain" value="host"/>
      </login-module>
    </authentication>
    <mapping>
      <mapping-module code="SimpleRoles" type="role">
          <module-option name="user@EXAMPLE.COM" value="User,Admin"/>
      </mapping-module>
    </mapping>
  </security-domain>

jboss-web.xml :

 <jboss-web>
   <security-domain>SPNEGO</security-domain>
   <valve>
       <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
   </valve>
   <context-root>kerberosREST</context-root>
 </jboss-web>

I also managed to get a customized JASPI module working (extends org.jboss.as.web.security.jaspi.modules.WebServerAuthModule) using the following configuration:

<security-domain name="testDomain" cache-type="default">
   <authentication-jaspi>
      <login-module-stack name="lm-stack">
         <login-module code="SPNEGO" flag="required">
            <module-option name="serverSecurityDomain" value="host"/>
         </login-module>
      </login-module-stack>
      <auth-module code="ch.test.jaspic.CustomServerAuthModule" flag="required" login-module-stack-ref="lm-stack"/>
    </authentication-jaspi>
       <mapping>
          <mapping-module code="SimpleRoles" type="role">
             <module-option name="user@EXAMPLE.COM" value="User,Admin"/>
             </mapping-module>
          </mapping>
 </security-domain>

jboss-web.xml :

<jboss-web>
   <security-domain>testDomain</security-domain>
   <valve>
       <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
   </valve>
   <context-root>kerberosREST</context-root>
</jboss-web>

How can I use the default JAAS Krb5LoginModule?

Should I include the two valves in the jboss-web.xml? (The order is important.)

jboss-web.xml :

<jboss-web>
   <security-domain>testDomain</security-domain>
   <valve>
       <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
   </valve>
   <valve>
       <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
   </valve>
   <context-root>kerberosREST</context-root>
</jboss-web>

Many thanks.

Answer

To my (little) understanding, Valves are, roughly speaking, a lower-level, container-specific and container-wide Servlet Filter counterpart. Therefore what you are trying to do should indeed work with the pipeline (Valve sequence) presented in your question. When NegotiationAuthenticator has completed the actual authentication, WebJASPIAuthenticator--the ServerAuthModule (SAM) ultimately delegated to by it--would check whether an authenticated caller Krb5Principal (or whatever Principal JBoss wraps it with) has been associated with the request by the former, and set the cookies accordingly.

I wonder why you are even willing to use JASPIC merely for setting cookies though, when you could just use a simple Filter instead (and get rid of some of that JBoss-specific configuration as a bonus). Or you could alternatively, if you were willing to give up any trace of authentication mechanism portability, try to extend NegotiationAuthenticator, overriding its authenticate(...) method and setting the cookies from there, depending on the outcome of a delegation to the overridden implementation.

And finally there's the proper (albeit harder) vendor-neutral approach, where you would drop NegotiationAuthenticator and re-implement its functionality as a SAM. Who knows--an open-source SPNEGO SAM might even exist somewhere out there. For Kerberos authentication you could reuse the existing Krb5LoginModule[1], by delegating to it--as dexter meyers wrote--in accordance with JASPIC's LoginModule Bridge Profile (chapter 6 of the specification). LoginModules (LMs) are of course not supposed to be used directly, but via LoginContexts, which in turn need some Configuration to find the right LM through and initialize it with. Whether you are going to reuse JBoss's Configuration (and therefore retain the respective proprietary XML), provide your own persistent representation, or just hard-code it in a custom LoginContext / Configuration is your choice.

[1] Ideally you would re-implement the LM too, perhaps in a second SAM, orchestrating calls to the two from a separate ServerAuthContext. Doing so would reduce the proprietary authentication-related configuration to zero, at the cost of added complexity and code to maintain.
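The following is an added example, not code from the question, the answer, JBoss or the JASPIC specification. It shows the answer's vendor-neutral route in working Java: a SAM that drives Krb5LoginModule through a LoginContext with a hard-coded programmatic Configuration (the "host" security-domain options from the question, copied verbatim), accepts the SPNEGO token under the resulting server Subject with JGSS, reports the caller and groups to the container through the standard callbacks, and then sets the cookie on the response and on a wrapped request so the application sees it too. The class name, the cookie name PROPRIETARY_AUTH, the static role map (mirroring the SimpleRoles option) and the cookie value are all assumptions; it targets Java 8 and the Servlet 3.0 / JASPIC 1.0 APIs that JBoss EAP 6.4 ships.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
import org.ietf.jgss.*;

public class Krb5BridgeServerAuthModule implements ServerAuthModule {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2", KRB5_OID = "1.2.840.113554.1.2.2";
    private static final String COOKIE_NAME = "PROPRIETARY_AUTH"; // assumed name; the page never states it
    // Assumed static role map, mirroring the SimpleRoles module-option in the question's XML.
    private static final Map<String, String[]> ROLES =
            Collections.singletonMap("user@EXAMPLE.COM", new String[] {"User", "Admin"});
    private CallbackHandler handler;
    private Subject serverSubject;

    @Override
    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy, CallbackHandler handler, Map options)
            throws AuthException {
        this.handler = handler;
        // Programmatic JAAS Configuration: the "host" security-domain options from the question, hard-coded
        // (the answer's third choice) so the acceptor needs no JBoss-specific XML.
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", "HTTP/macbookAirRCH@EXAMPLE.COM");
        opts.put("useKeyTab", "true");
        opts.put("keyTab", "/Users/jet/Downloads/kerberos/macbookAirRCH.keytab");
        opts.put("storeKey", "true");     // keep the service key in the Subject for acceptSecContext
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "false"); // acceptor only: do not fetch a TGT for the service principal
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)};
            }
        };
        try {
            // Bridge step: the LoginModule is driven through a LoginContext, never instantiated directly.
            LoginContext lc = new LoginContext("krb5-acceptor", new Subject(), null, config);
            lc.login();
            serverSubject = lc.getSubject(); // now carries the keytab key as a private credential
        } catch (LoginException e) {
            throw (AuthException) new AuthException("Krb5LoginModule login failed").initCause(e);
        }
    }

    @Override
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        String authz = req.getHeader("Authorization");
        if (authz == null || !authz.startsWith("Negotiate ")) {
            return challenge(resp, null); // first leg: ask the client for a SPNEGO token
        }
        try {
            byte[] inToken = Base64.getDecoder().decode(authz.substring("Negotiate ".length()).trim());
            GSSContext[] holder = new GSSContext[1]; // filled inside doAs, read after it
            // Accept the token under the server Subject so JGSS finds the keytab key there.
            byte[] outToken = Subject.doAs(serverSubject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager gm = GSSManager.getInstance();
                GSSCredential cred = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid[] {new Oid(SPNEGO_OID), new Oid(KRB5_OID)}, GSSCredential.ACCEPT_ONLY);
                holder[0] = gm.createContext(cred);
                return holder[0].acceptSecContext(inToken, 0, inToken.length);
            });
            if (!holder[0].isEstablished()) {
                return challenge(resp, outToken); // negotiation needs another round trip
            }
            String caller = holder[0].getSrcName().toString(); // e.g. user@EXAMPLE.COM
            handler.handle(new Callback[] {new CallerPrincipalCallback(client, caller),
                    new GroupPrincipalCallback(client, ROLES.getOrDefault(caller, new String[0]))});
            // Proprietary cookie on the response AND on the request the application will see. The value here
            // is only the base64url principal name; a real format must be MAC'd or encrypted to be unforgeable.
            Cookie cookie = new Cookie(COOKIE_NAME,
                    Base64.getUrlEncoder().withoutPadding().encodeToString(caller.getBytes("UTF-8")));
            cookie.setHttpOnly(true); cookie.setSecure(true); cookie.setPath("/");
            resp.addCookie(cookie);
            mi.setRequestMessage(new HttpServletRequestWrapper(req) {
                @Override public Cookie[] getCookies() {
                    Cookie[] orig = super.getCookies();
                    Cookie[] all = orig == null ? new Cookie[1] : Arrays.copyOf(orig, orig.length + 1);
                    all[all.length - 1] = cookie;
                    return all;
                }
            });
            return AuthStatus.SUCCESS;
        } catch (PrivilegedActionException | GSSException | IOException
                 | UnsupportedCallbackException | IllegalArgumentException e) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // bad, expired or replayed token
            return AuthStatus.SEND_FAILURE;
        }
    }

    private static AuthStatus challenge(HttpServletResponse resp, byte[] token) {
        resp.setHeader("WWW-Authenticate", token == null ? "Negotiate"
                : "Negotiate " + Base64.getEncoder().encodeToString(token));
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }

    @Override public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject subject) { }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }
}
```

With this SAM, the testDomain from the question needs only the auth-module entry (no login-module-stack-ref and no NegotiationAuthenticator valve), while the WebJASPIAuthenticator valve stays because it is how JBoss EAP 6.4 invokes JASPIC at all. Two things to check before relying on it: the JVM must run with the default javax.security.auth.useSubjectCredsOnly=true, otherwise JGSS will ignore the Subject populated by the bridge and look for a native credential cache instead; and because every application downstream will trust the cookie, its value must carry an integrity tag (HMAC or authenticated encryption with a server-side key) and an expiry, since the plain principal name used above can be forged by anyone who can set a cookie.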
