...
- Set up the following parameters before starting the server.
set JAVA_OPTS=-Djava.security.krb5.conf=C:\winnt\krb5.ini -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all -Djavax.security.auth.useSubjectCredsOnly=false -Dorg.apache.tomcat.config.NEGOTIATE=true
Make sure you set the "org.apache.tomcat.config.NEGOTIATE=true" otherwise you will not be able to use spnego. - Start the server with "geronimo.bat run" command.
- Create a realm for spnego. You can create a realm for fallback once spnego fails. For reference here is a sample spnego realm. This
realm is a combination of spnego and properties realm. In case your spnego authentication fails the authentication will fallback on
properties realm.Code Block title spnego_properties_realm.xml borderStyle solid <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2"> <environment> <moduleId> <groupId>console.realm</groupId> <artifactId>SpnegoTest</artifactId> <version>1.0</version> <type>car</type> </moduleId> <dependencies> <dependency> <groupId>org.apache.geronimo.framework</groupId> <artifactId>j2ee-security</artifactId> <type>car</type> </dependency> </dependencies> </environment> <gbean name="SpnegoTest" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <attribute name="realmName">SpnegoTest</attribute> <reference name="ServerInfo"> <name>ServerInfo</name> </reference> <xml-reference name="LoginModuleConfiguration"> <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"> <log:login-module control-flag="SUFFICIENT" wrap-principals="false"> <log:login-domain-name>SpnegoTest</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.SpnegoLoginModule</log:login-module-class> <log:option name="targetName">http/test.xyz.com</log:option> <log:option name="ldapUrl">ldap://ram1.xyz.com:389</log:option> <log:option name="ldapLoginName">ashish</log:option> <log:option name="ldapLoginPassword">ashish123</log:option> <log:option name="searchBase">DC=xyz,DC=COM</log:option> </log:login-module> <log:login-module control-flag="SUFFICIENT" wrap-principals="false"> <log:login-domain-name>demo-properties-realm</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class> <log:option name="usersURI">var/security/demo_users.properties</log:option> <log:option name="groupsURI">var/security/demo_groups.properties</log:option> </log:login-module> </log:login-config> </xml-reference> </gbean> </module>
...