JAAS AuthN Tokens in uPortal

Uploaded by joeneetscompetitive (category: Security)

3 Nov 2013

JAAS AuthN Tokens in uPortal and Beyond
or "The JAAS Singer"

Our Environment
  3 Campuses / 2 Environments
  Tomcat 6.0.20
  uPortal 3.1.1
  Active Directory Kerberos authentication via JAAS

Why Active Directory?
  AD offers authentication and group management
  Many campus services use it for authentication
  Kerberos implementation is widely used

Why JAAS?
  Already part of Java
  Kerberos implementation is solid
  Works with our AD/Kerberos
  uPortal has some JAAS support

EWS / uPortal
  Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange.
  We were tasked with building a portlet to retrieve a summary of Email and Calendar items.
  Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.
  Parameters
    Utilize existing infrastructure.
    Secure and easily managed Authentication.

#1 Utilize Existing Infrastructure
  Both EWS and our uPortal instance authenticate against the AD.
  EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
  Some work was already started via imap2exchange.
    Helped w/ JAX-WS bindings
    Utilizes BASIC authentication

#2 Secure, Easily Managed AuthN
  BASIC authN
    Admin user on Exchange server
    Secret keys between the portal and EWS server
  Kerberos tickets?

Kerberos Tickets and SPNego!
  Krb tickets are generated by Active Directory
    Opaque and unique
  SPNego (Simple and Protected GSSAPI NEGOtiation mechanism)
    Krb over HTTP
    Built in to EWS' DNA
    Supported by all major browsers

uPortal and SPNego via JAAS/GSSAPI
  OOB JAASSecurityContext
    allows authN via JAAS
    does not hold on to the Kerberos ticket
  Thanks to uPortal being open source
    saw why it wasn't
    more importantly, showed what had to happen to make it hold on to it
  Implemented our own JAASSecurityContext

uPortal and SPNego via JAAS/GSSAPI
  Portlets need to be able to access this attribute
    use the portlet API (PortletRequest.getAttribute)
  developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal!
  Now, IPerson attributes are available to portlets without needing any additional API.

Using the Kerberos Ticket
  Still faced a couple of challenges
    Generate a SPNego token
    put it on the HTTP header of the SOAP request the right way
  Enter JAASmine

JAASmine
  JAASmine was built out of frustration
    there are FEW good resources on GSSAPI/SPNego usage in Java
    API is under-documented and tutorials are too basic
  JAASmine takes what we learned and makes it easy

JAASmine
  Lightweight "wrapper" for JAAS/GSSAPI
  Client code for web services that want to authenticate using SPNego tokens
  Server code for handling verification and validation of SPNego tokens
  Success!

JAASmine and EWS authN
  From our portlet, we could get the Kerberos ticket
  Pass it to the JAASmine client to generate SPNego
  Next, put it on the header of the HTTP SOAP request (WWW-Authenticate)
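
The three steps on this slide, as an added example (not code from the deck or from JAASmine): log in through JAAS, mint the SPNEGO token with GSS-API while running as the Subject, and attach it to the EWS request. Per RFC 4559 the client-side header is "Authorization: Negotiate <token>"; "WWW-Authenticate: Negotiate" is the challenge the server sends back, so seeing it on a 401 after this request means the token was rejected. It assumes a login.conf entry named EwsClient backed by Krb5LoginModule and uses mail.example.edu as a placeholder Exchange host.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoEwsClient {
    // Log in through JAAS ("EwsClient" is an assumed login.conf entry using Krb5LoginModule).
    // Inside the portal the Subject would instead come from the custom JAASSecurityContext described above.
    public static Subject login(String jaasEntry) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        return lc.getSubject();
    }

    // Produce the initial SPNEGO token for HTTP/<host>, running as the Subject so that
    // GSS-API finds the Kerberos TGT among the Subject's private credentials.
    public static byte[] initialToken(Subject subject, String host) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");  // SPNEGO mechanism OID (RFC 4178)
            GSSName ews = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE, spnego);
            GSSContext ctx = mgr.createContext(ews, spnego, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestCredDeleg(false);   // do not forward the user's TGT to EWS unless delegation is intended
            ctx.requestMutualAuth(false);  // single round trip; with true, the server's reply token must be fed back in
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    // RFC 4559: the client sends "Authorization: Negotiate <base64>"; "WWW-Authenticate: Negotiate" is the
    // server's challenge, so a 401 carrying it after this request means the token was rejected.
    public static void addNegotiateHeader(HttpURLConnection conn, byte[] token) {
        conn.setRequestProperty("Authorization", "Negotiate " + Base64.getEncoder().encodeToString(token));
    }

    public static void main(String[] args) throws Exception {
        String host = "mail.example.edu";  // placeholder; the real host needs an HTTP/<host> SPN registered in AD
        HttpURLConnection conn = (HttpURLConnection) new URL("https://" + host + "/EWS/Exchange.asmx").openConnection();
        conn.setRequestMethod("POST");
        addNegotiateHeader(conn, initialToken(login("EwsClient"), host));
        // write the SOAP envelope to conn.getOutputStream() here, then read the response
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run with -Djava.security.auth.login.config and -Djava.security.krb5.conf pointing at the JAAS and Kerberos configuration files; the portal's own copy of this flow skips login() because the ticket is already on the user's Subject.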

Beyond uPortal
  JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services)
  setup is low impact
    configure JAAS
    configure Kerberos
    configure a servlet filter

Beyond uPortal
  More web services
  Kerberos/Browser to server? It's possible (and ideal)...

References
  SPNego - http://goo.gl/ECVHs
  GSSAPI - http://goo.gl/XPLJF
  JAASmine - http://goo.gl/DM2GD
  imap2exchange - http://goo.gl/IkAZL

Thank You!
  Tim Carroll
  Andy Gherna