diff --git a/build.gradle b/build.gradle index f622ee5..d28ab20 100644 --- a/build.gradle +++ b/build.gradle @@ -207,6 +207,7 @@ configure(rootProject) { doctype: 'book', numbered: '', 'spring-version' : springVersion, + 'spring-security-version' : springSecurityVersion, revnumber : project.version } diff --git a/docs/src/reference/asciidoc/appendix.adoc b/docs/src/reference/asciidoc/appendix.adoc index 017ab27..e807c49 100644 --- a/docs/src/reference/asciidoc/appendix.adoc +++ b/docs/src/reference/asciidoc/appendix.adoc @@ -3,6 +3,16 @@ :numbered!: +[appendix] +== Material Used in this Document +Dummy UserDetailsService used in samples because we don't have a real +user source. + +[source,java,indent=0] +---- +include::samples/DummyUserDetailsService.java[tags=snippetA] +---- + [appendix] == Crash Course to Kerberos In any authentication process there are usually a three parties @@ -21,7 +31,7 @@ one which really brings everything together and thus is the most critical component in your environment. Because of this it is also considered as a single point of failure. -Initially when `Kerberos` environment is setup and domain users +Initially when `Kerberos` environment is setup and domain user principals created into to a database, encryption keys are also created. These encryption keys are based on shared secrets(i.e. user password) and actual passwords are never kept in a clear text. @@ -32,7 +42,7 @@ Interestingly there is no communication between a `resource` and a image:images/drawio-kerb-cc2.png[] -When client wants to authenticate itself with a resource it first +When client wants to authenticate itself with a `resource` it first needs to communicate with a `KDC`. `Client` will craft a special package which contains encrypted and unencrypted parts. Unencrypted part contains i.e. information about a user and encrypted part other @@ -40,7 +50,7 @@ information which is part of a protocol. `Client` will encrypt package data with its own key. When `KDC` receives this authentication package from a client it -checks who this client claims to be from an unencrypted part and based +checks who this `client` claims to be from an unencrypted part and based on that information it uses `client` decryption key it already have in its database. If this decryption is succesfull `KDC` knows that this `client` is the one it claims to be. @@ -66,8 +76,8 @@ received service ticket to a service which then thinks that I don't know anything about this guy but he have me an authentication ticket. What `service` can do next is try to decrypt that ticket and if that operation is succesfull it knows that only other party who knows my -credentials is the `KDC` and because I trust him I can also trust this -client claiming to be who he is. +credentials is the `KDC` and because I trust him I can also trust that +this client is a one he claims to be. [appendix] == Setup Kerberos Environments @@ -75,6 +85,7 @@ Doing a production setup of Kerberos environment is out of scope of this document but this appendix provides some help to get you started for setting up needed components for development. +[[setupmitkerberos]] === Setup MIT Kerberos First action is to setup a new realm and a database. @@ -144,7 +155,17 @@ policy Enter password for principal "user1@EXAMPLE.ORG": Re-enter password for principal "user1@EXAMPLE.ORG": Principal "user1@EXAMPLE.ORG" created. +---- +If you like you can create a keytab file for this user. + +[source,text,indent=0] +---- +kadmin: ktadd -k /tmp/user1.keytab user1@EXAMPLE.ORG +Entry for principal user1@EXAMPLE.ORG with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/user1.keytab. +Entry for principal user1@EXAMPLE.ORG with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/user1.keytab. +Entry for principal user1@EXAMPLE.ORG with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/user1.keytab. +Entry for principal user1@EXAMPLE.ORG with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/user1.keytab. ---- Lets create a service ticket for tomcat and export credentials to a @@ -164,7 +185,7 @@ Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption typ Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/tomcat2.keytab. ---- - +[[setupwinkerberos]] === Setup Windows Domain Controller This was tested using `Windows Server 2012 R2` @@ -214,5 +235,88 @@ PS C:\> ktpass /out c:\tomcat.keytab /mapuser tomcat@EXAMPLE.ORG /princ HTTP/neo This appendix provides generic information about troubleshooting errors and problems. +[IMPORTANT] +==== +If you think environment and configuration is correctly setup, do +double check and ask other person to check possible obvious mistakes +or typos. Kerberos setup is generally very brittle and it is not +always very easy to debug where the problem lies. +==== +[source,text] +---- +GSSException: Failure unspecified at GSS-API level (Mechanism level: +Invalid argument (400) - Cannot find key of appropriate type to +decrypt AP REP - RC4 with HMAC) +---- + +If you see abore error indicating missing key type, this will happen +with two different use cases. Firstly your JVM may not support +appropriate encryption type or it is disabled in your `krb5.conf` +file. + +[source,text] +---- +default_tkt_enctypes = rc4-hmac +default_tgs_enctypes = rc4-hmac +---- + +Second case is less obvious and hard to track because it will lead +into same error. This specific `GSSException` is throws also if you +simply don't have a required encryption key which then may be caused +by a misconfiguration in your kerberos server or a simply typo in your +principal. + +[appendix] +[[browserspnegoconfig]] +== Configure Browsers for Spnego Negotiation + +=== Firefox +Complete following steps to ensure that your Firefox browser is +enabled to perform Spnego authentication. + +- Open Firefox. +- At address field, type *about:config*. +- In filter/search, type *negotiate*. +- Parameter *network.negotiate-auth.trusted-uris* may be set to + default *https://* which doesn't work for you. Replace this with + your server address. + +=== Chrome + +With Google Chrome you generally need to set command-line parameters +order to white list servers with Chrome will negotiate. + +[source,text] +---- +--auth-server-whitelist="*.example.com" +--auth-negotiate-delegate-whitelist="*.example.com" +---- + +You can see which policies are enable by typing *chrome://policy/* +into Chrome's address bar. + +With Linux Chrome will also read policy files from +`/etc/opt/chrome/policies/managed` directory. + +.mypolicy.json +[source,json] +---- +{ + "AuthServerWhitelist" : "*.example.org", + "AuthNegotiateDelegateWhitelist" : "*.example.org", + "DisableAuthNegotiateCnameLookup" : true, + "EnableAuthNegotiatePort" : true +} +---- + +=== Internet Explorer +Complete following steps to ensure that your Internet Explorer browser +is enabled to perform Spnego authentication. + +- Open Internet Explorer. +- Click *Tools > Intenet Options > Security* tab. +- In *Local intranet* section make sure your server is trusted by i.e. + adding it into a list. + diff --git a/docs/src/reference/asciidoc/images/ff1.png b/docs/src/reference/asciidoc/images/ff1.png new file mode 100644 index 0000000..97ba5e7 Binary files /dev/null and b/docs/src/reference/asciidoc/images/ff1.png differ diff --git a/docs/src/reference/asciidoc/images/ff2.png b/docs/src/reference/asciidoc/images/ff2.png new file mode 100644 index 0000000..bf3f250 Binary files /dev/null and b/docs/src/reference/asciidoc/images/ff2.png differ diff --git a/docs/src/reference/asciidoc/images/ff3.png b/docs/src/reference/asciidoc/images/ff3.png new file mode 100644 index 0000000..696cd9f Binary files /dev/null and b/docs/src/reference/asciidoc/images/ff3.png differ diff --git a/docs/src/reference/asciidoc/images/ie1.png b/docs/src/reference/asciidoc/images/ie1.png new file mode 100644 index 0000000..1fddc2e Binary files /dev/null and b/docs/src/reference/asciidoc/images/ie1.png differ diff --git a/docs/src/reference/asciidoc/images/ie2.png b/docs/src/reference/asciidoc/images/ie2.png new file mode 100644 index 0000000..e47df1e Binary files /dev/null and b/docs/src/reference/asciidoc/images/ie2.png differ diff --git a/docs/src/reference/asciidoc/index.adoc b/docs/src/reference/asciidoc/index.adoc index 624f8ff..6b62e80 100644 --- a/docs/src/reference/asciidoc/index.adoc +++ b/docs/src/reference/asciidoc/index.adoc @@ -17,5 +17,5 @@ include::introduction.adoc[] [[springandssk]] include::ssk.adoc[] - +include::samples.adoc[] include::appendix.adoc[] diff --git a/docs/src/reference/asciidoc/introduction.adoc b/docs/src/reference/asciidoc/introduction.adoc index 58aa2bd..facadd7 100644 --- a/docs/src/reference/asciidoc/introduction.adoc +++ b/docs/src/reference/asciidoc/introduction.adoc @@ -6,5 +6,6 @@ application developers to Kerberos concepts with Spring. == Requirements -Spring Security Kerberos {revnumber} is built and tested with JDK 7, Spring -Framework {spring-version}. +Spring Security Kerberos {revnumber} is built and tested with JDK 7, +Spring Security {spring-security-version} and Spring Framework {spring-version}. + diff --git a/docs/src/reference/asciidoc/preface.adoc b/docs/src/reference/asciidoc/preface.adoc index 129cdba..e3e756d 100644 --- a/docs/src/reference/asciidoc/preface.adoc +++ b/docs/src/reference/asciidoc/preface.adoc @@ -8,3 +8,8 @@ This reference documentations contains following parts. <> describes the usage of Spring Security Kerberos +<> describes the usage of Spring +Security Kerberos Samples + +<> generic support material + diff --git a/docs/src/reference/asciidoc/samples.adoc b/docs/src/reference/asciidoc/samples.adoc new file mode 100644 index 0000000..551f68f --- /dev/null +++ b/docs/src/reference/asciidoc/samples.adoc @@ -0,0 +1,169 @@ +[[springsecuritykerberossamples]] += Spring Security Kerberos Samples + +This part of the reference documentation is introducing samples +projects. Generally samples can be either compiled manually by +building main distribution from +https://github.com/spring-projects/spring-security-kerberos or using +nightly snapshots or actual release builds. + +- http://repo.spring.io/libs-snapshot/org/springframework/security/kerberos/ +- http://repo.spring.io/libs-release/org/springframework/security/kerberos/ + +[IMPORTANT] +==== +If you download and run sample from a maven repo it will not work +until a correct configuration is applied. See notes below for specific +samples. +==== + +<> sample for Windows environment + +<> sample using server side authenticator + +<> sample using ticket validation +with spnego and form + +<> sample using ticket +validation with spnego and form (xml config) + +[[samples-sec-server-win-auth]] +== Security Server Windows Auth Sample +Goals of this sample: + +- In windows environment, User will be able to logon to application + with Windows Active directory Credential which has been entered + during log on to windows. There should not be any ask for + userid/password credentials. +- In non-windows environment, User will be presented with a screen + to provide Active directory credentials. + +[source,yaml,indent=0] +---- +server: + port: 8080 + app: + ad-domain: EXAMPLE.ORG + ad-server: ldap://WIN-EKBO0EQ7TS7.example.org/ + service-principal: HTTP/neo.example.org@EXAMPLE.ORG + keytab-location: /tmp/tomcat.keytab +---- +In above you can see the default configuration for this sample. You +can override these settings using a normal Spring Boot tricks like +using command-line options or custom `application.yml` file. + +Run a server. +[source,text,subs="attributes"] +---- +$ java -jar sec-server-win-auth-{revnumber}.jar +---- + +[NOTE] +==== +See <> for more instructions how to work with +windows kerberos environment. +==== + +Login to `Windows 8.1` using domain credentials and access sample + +image:images/ie1.png[] +image:images/ie2.png[] + +Access sample application from a non windows vm and use domain +credentials manually. + +image:images/ff1.png[] +image:images/ff2.png[] +image:images/ff3.png[] + + +[[samples-sec-server-client-auth]] +== Security Server Side Auth Sample +This sample demonstrates how server is able to authenticate user +against kerberos environment using his credentials passed in via a +form login. + +Run a server. +[source,text,subs="attributes"] +---- +$ java -jar sec-server-client-auth-{revnumber}.jar +---- + +[source,yaml,indent=0] +---- +server: + port: 8080 +---- + +[[samples-sec-server-spnego-form-auth]] +== Security Server Spnego and Form Auth Sample +This sample demonstrates how a server can be configured to accept a +Spnego based negotiation from a browser while still being able to fall +back to a form based authentication. + +Using a `user1` principal <>, do a kerberos login +either using credentials. +[source,text] +---- +$ kinit user1 +Password for user1@EXAMPLE.ORG: + +$ klist +Ticket cache: FILE:/tmp/krb5cc_1000 +Default principal: user1@EXAMPLE.ORG + +Valid starting Expires Service principal +10/03/15 17:18:45 11/03/15 03:18:45 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG + renew until 11/03/15 17:18:40 +---- + +or using a keytab file. + +[source,text] +---- +$ kinit -kt user1.keytab user1 + +$ klist +Ticket cache: FILE:/tmp/krb5cc_1000 +Default principal: user1@EXAMPLE.ORG + +Valid starting Expires Service principal +10/03/15 17:25:03 11/03/15 03:25:03 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG + renew until 11/03/15 17:25:03 +---- + +Run a server. +[source,text,subs="attributes"] +---- +$ java -jar sec-server-spnego-form-auth-{revnumber}.jar +---- + +Now you should be able to open your browser and let it do Spnego +authentication with existing ticket. + +[NOTE] +==== +See <> for more instructions for configuring +browsers to use Spnego. +==== + +[source,yaml,indent=0] +---- +server: + port: 8080 +app: + service-principal: HTTP/neo.example.org@EXAMPLE.ORG + keytab-location: /tmp/tomcat.keytab +---- + +[[samples-sec-server-spnego-form-auth-xml]] +== Security Server Spnego and Form Auth Xml Sample +This is a same sample than <> but +using xml based configuration instead of JavaConfig. + +Run a server. +[source,text,subs="attributes"] +---- +$ java -jar sec-server-spnego-form-auth-xml-{revnumber}.jar +---- + diff --git a/docs/src/reference/asciidoc/samples/AuthProviderConfig.xml b/docs/src/reference/asciidoc/samples/AuthProviderConfig.xml index c69f6f0..82d79f2 100644 --- a/docs/src/reference/asciidoc/samples/AuthProviderConfig.xml +++ b/docs/src/reference/asciidoc/samples/AuthProviderConfig.xml @@ -9,9 +9,10 @@ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> - - - + + + + diff --git a/docs/src/reference/asciidoc/samples/SpnegoConfig.xml b/docs/src/reference/asciidoc/samples/SpnegoConfig.xml index 603caf1..b5a7546 100644 --- a/docs/src/reference/asciidoc/samples/SpnegoConfig.xml +++ b/docs/src/reference/asciidoc/samples/SpnegoConfig.xml @@ -4,60 +4,60 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" - xsi:schemaLocation="http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd"> + xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd"> - - - - + + + + + + + + - + + + + - - - + + + + + + + + - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + class="org.springframework.security.extensions.kerberos.docs.DummyUserDetailsService" /> diff --git a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.java b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.java index f3950f2..9e9767d 100644 --- a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.java +++ b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.java @@ -1,3 +1,18 @@ +/* + * Copyright 2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.springframework.security.extensions.kerberos.docs; import org.springframework.context.annotation.Bean; @@ -6,11 +21,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; -import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.core.userdetails.User; -import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider; import org.springframework.security.extensions.kerberos.SunJaasKerberosClient; @@ -19,49 +29,41 @@ import org.springframework.security.extensions.kerberos.SunJaasKerberosClient; @EnableWebMvcSecurity public class AuthProviderConfig extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .antMatchers("/", "/home").permitAll() - .anyRequest().authenticated() - .and() - .formLogin() - .loginPage("/login").permitAll() - .and() - .logout() - .permitAll(); - } + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .antMatchers("/", "/home").permitAll() + .anyRequest().authenticated() + .and() + .formLogin() + .loginPage("/login").permitAll() + .and() + .logout() + .permitAll(); + } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .authenticationProvider(kerberosAuthenticationProvider()); - } + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth + .authenticationProvider(kerberosAuthenticationProvider()); + } - @Bean - public KerberosAuthenticationProvider kerberosAuthenticationProvider() { - KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider(); - SunJaasKerberosClient client = new SunJaasKerberosClient(); - client.setDebug(true); - provider.setKerberosClient(client); - provider.setUserDetailsService(dummyUserDetailsService()); - return provider; - } + @Bean + public KerberosAuthenticationProvider kerberosAuthenticationProvider() { + KerberosAuthenticationProvider provider = + new KerberosAuthenticationProvider(); + SunJaasKerberosClient client = new SunJaasKerberosClient(); + client.setDebug(true); + provider.setKerberosClient(client); + provider.setUserDetailsService(dummyUserDetailsService()); + return provider; + } - @Bean - public DummyUserDetailsService dummyUserDetailsService() { - return new DummyUserDetailsService(); - } - - static class DummyUserDetailsService implements UserDetailsService { - - public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { - return new User(username, "notUsed", true, true, true, true, - AuthorityUtils.createAuthorityList("ROLE_USER")); - } - - } + @Bean + public DummyUserDetailsService dummyUserDetailsService() { + return new DummyUserDetailsService(); + } } //end::snippetA[] diff --git a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.xml b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.xml index c69f6f0..82d79f2 100644 --- a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.xml +++ b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/AuthProviderConfig.xml @@ -9,9 +9,10 @@ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> - - - + + + + diff --git a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/DummyUserDetailsService.java b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/DummyUserDetailsService.java new file mode 100644 index 0000000..66bbae0 --- /dev/null +++ b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/DummyUserDetailsService.java @@ -0,0 +1,35 @@ +/* + * Copyright 2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.extensions.kerberos.docs; + +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; +import org.springframework.security.core.userdetails.UsernameNotFoundException; + +//tag::snippetA[] +public class DummyUserDetailsService implements UserDetailsService { + + @Override + public UserDetails loadUserByUsername(String username) + throws UsernameNotFoundException { + return new User(username, "notUsed", true, true, true, true, + AuthorityUtils.createAuthorityList("ROLE_USER")); + } + +} +//end::snippetA[] diff --git a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.java b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.java index 93fd4b8..816546a 100644 --- a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.java +++ b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.java @@ -1,6 +1,20 @@ +/* + * Copyright 2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.springframework.security.extensions.kerberos.docs; -import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.io.FileSystemResource; @@ -9,11 +23,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; -import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.core.userdetails.User; -import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.security.core.userdetails.UserDetailsService; -import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider; import org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider; import org.springframework.security.extensions.kerberos.SunJaasKerberosClient; @@ -27,93 +36,83 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi @EnableWebMvcSecurity public class SpnegoConfig extends WebSecurityConfigurerAdapter { - @Value("${app.service-principal}") - private String servicePrincipal; + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .exceptionHandling() + .authenticationEntryPoint(spnegoEntryPoint()) + .and() + .authorizeRequests() + .antMatchers("/", "/home").permitAll() + .anyRequest().authenticated() + .and() + .formLogin() + .loginPage("/login").permitAll() + .and() + .logout() + .permitAll() + .and() + .addFilterBefore( + spnegoAuthenticationProcessingFilter(authenticationManagerBean()), + BasicAuthenticationFilter.class); + } - @Value("${app.keytab-location}") - private String keytabLocation; + @Override + protected void configure(AuthenticationManagerBuilder auth) + throws Exception { + auth + .authenticationProvider(kerberosAuthenticationProvider()) + .authenticationProvider(kerberosServiceAuthenticationProvider()); + } - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .exceptionHandling() - .authenticationEntryPoint(spnegoEntryPoint()) - .and() - .authorizeRequests() - .antMatchers("/", "/home").permitAll() - .anyRequest().authenticated() - .and() - .formLogin() - .loginPage("/login").permitAll() - .and() - .logout() - .permitAll() - .and() - .addFilterBefore( - spnegoAuthenticationProcessingFilter(authenticationManagerBean()), - BasicAuthenticationFilter.class); - } + @Bean + public KerberosAuthenticationProvider kerberosAuthenticationProvider() { + KerberosAuthenticationProvider provider = + new KerberosAuthenticationProvider(); + SunJaasKerberosClient client = new SunJaasKerberosClient(); + client.setDebug(true); + provider.setKerberosClient(client); + provider.setUserDetailsService(dummyUserDetailsService()); + return provider; + } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth - .authenticationProvider(kerberosAuthenticationProvider()) - .authenticationProvider(kerberosServiceAuthenticationProvider()); - } + @Bean + public SpnegoEntryPoint spnegoEntryPoint() { + return new SpnegoEntryPoint("/login"); + } - @Bean - public KerberosAuthenticationProvider kerberosAuthenticationProvider() { - KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider(); - SunJaasKerberosClient client = new SunJaasKerberosClient(); - client.setDebug(true); - provider.setKerberosClient(client); - provider.setUserDetailsService(dummyUserDetailsService()); - return provider; - } + @Bean + public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter( + AuthenticationManager authenticationManager) { + SpnegoAuthenticationProcessingFilter filter = + new SpnegoAuthenticationProcessingFilter(); + filter.setAuthenticationManager(authenticationManager); + return filter; + } - @Bean - public SpnegoEntryPoint spnegoEntryPoint() { - return new SpnegoEntryPoint("/login"); - } + @Bean + public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() { + KerberosServiceAuthenticationProvider provider = + new KerberosServiceAuthenticationProvider(); + provider.setTicketValidator(sunJaasKerberosTicketValidator()); + provider.setUserDetailsService(dummyUserDetailsService()); + return provider; + } - @Bean - public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter( - AuthenticationManager authenticationManager) { - SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter(); - filter.setAuthenticationManager(authenticationManager); - return filter; - } + @Bean + public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() { + SunJaasKerberosTicketValidator ticketValidator = + new SunJaasKerberosTicketValidator(); + ticketValidator.setServicePrincipal("HTTP/servicehost.example.org@EXAMPLE.ORG"); + ticketValidator.setKeyTabLocation(new FileSystemResource("/tmp/service.keytab")); + ticketValidator.setDebug(true); + return ticketValidator; + } - @Bean - public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() { - KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider(); - provider.setTicketValidator(sunJaasKerberosTicketValidator()); - provider.setUserDetailsService(dummyUserDetailsService()); - return provider; - } - - @Bean - public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() { - SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator(); - ticketValidator.setServicePrincipal(servicePrincipal); - ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation)); - ticketValidator.setDebug(true); - return ticketValidator; - } - - @Bean - public DummyUserDetailsService dummyUserDetailsService() { - return new DummyUserDetailsService(); - } - - static class DummyUserDetailsService implements UserDetailsService { - - public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { - return new User(username, "notUsed", true, true, true, true, - AuthorityUtils.createAuthorityList("ROLE_USER")); - } - - } + @Bean + public DummyUserDetailsService dummyUserDetailsService() { + return new DummyUserDetailsService(); + } } //end::snippetA[] diff --git a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.xml b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.xml index 603caf1..b5a7546 100644 --- a/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.xml +++ b/spring-security-kerberos-core/src/test/java/org/springframework/security/extensions/kerberos/docs/SpnegoConfig.xml @@ -4,60 +4,60 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" - xsi:schemaLocation="http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd"> + xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd"> - - - - + + + + + + + + - + + + + - - - + + + + + + + + - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + class="org.springframework.security.extensions.kerberos.docs.DummyUserDetailsService" /> diff --git a/spring-security-kerberos-samples/build.gradle b/spring-security-kerberos-samples/build.gradle index b3c301e..1a1151a 100644 --- a/spring-security-kerberos-samples/build.gradle +++ b/spring-security-kerberos-samples/build.gradle @@ -12,7 +12,7 @@ project('sec-server-spnego-form-auth') { description = 'Security Server Spnego and Form Auth Sample' } -project('sec-server-spnego-form-auth') { +project('sec-server-spnego-form-auth-xml') { description = 'Security Server Spnego and Form Auth Xml Sample' }