...

  • Set up the following parameters before starting the server.
    set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
    Make sure you set "org.apache.tomcat.config.NEGOTIATE=true"; otherwise you will not be able to use SPNEGO.
  • Start the server with "geronimo.bat run" command.
  • Create a realm for SPNEGO. You can also configure a fallback realm for the case where SPNEGO authentication fails. For reference, here is a
    sample SPNEGO realm. It combines a SPNEGO login module with a properties-file login module: if SPNEGO authentication fails, authentication
    falls back to the properties realm.
    Code block: spnego_properties_realm.xml
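    <!--
      Sample Geronimo security realm deployment plan (spnego_properties_realm.xml).
      Two login modules are chained; both carry control-flag="SUFFICIENT", so a
      failure in the SPNEGO module falls through to the properties-file module.
      Values under "ldapLoginName", "ldapLoginPassword", "ldapUrl" and
      "targetName" are sample values and must be replaced for a real deployment.
    -->
    <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
        <environment>
            <moduleId>
                <groupId>console.realm</groupId>
                <artifactId>SpnegoTest</artifactId>
                <version>1.0</version>
                <type>car</type>
            </moduleId>
            <dependencies>
                <!-- Pulls in the framework security module that provides GenericSecurityRealm. -->
                <dependency>
                    <groupId>org.apache.geronimo.framework</groupId>
                    <artifactId>j2ee-security</artifactId>
                    <type>car</type>
                </dependency>
            </dependencies>
        </environment>
        <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <attribute name="realmName">SpnegoTest</attribute>
            <reference name="ServerInfo">
                <name>ServerInfo</name>
            </reference>
            <xml-reference name="LoginModuleConfiguration">
                <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                    <!-- First module: SPNEGO (Kerberos via GSS-API); SUFFICIENT, so success here ends authentication. -->
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>SpnegoTest</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class>
                        <!-- Sample service name; replace with the name registered for your host. -->
                        <log:option name="targetName">http/test.xyz.com</log:option>
                        <!--
                          NOTE(review): the LDAP bind credential below is stored in plaintext in this file,
                          and the URL uses plain ldap://, so the bind password would also cross the network
                          unencrypted. Restrict read permissions on this plan, never commit real credentials,
                          and check whether the module accepts an ldaps:// URL for the directory connection.
                        -->
                        <log:option name="ldapUrl">ldap://ram1.xyz.com:389</log:option>
                        <log:option name="ldapLoginName">ashish</log:option>
                        <log:option name="ldapLoginPassword">ashish123</log:option>
                        <log:option name="searchBase">DC=xyz,DC=COM</log:option>
                    </log:login-module>
                    <!-- Second module: properties-file fallback, consulted when the SPNEGO module fails. -->
                    <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
                        <log:login-domain-name>demo-properties-realm</log:login-domain-name>
                        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                        <!-- Paths are relative to the server installation; the demo users/groups files should not be used in production. -->
                        <log:option name="usersURI">var/security/demo_users.properties</log:option>
                        <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                    </log:login-module>
                </log:login-config>
            </xml-reference>
        </gbean>
    </module>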
    

...