SES-36: More Kerberos sample configurations

spring-projects · Mar 4, 2010 · fa6dbfa · fa6dbfa
1 parent 20544c2
commit fa6dbfa
Show file tree

Hide file tree

Showing 8 changed files with 216 additions and 17 deletions.
diff --git a/spring-security-kerberos-sample/src/main/webapp/WEB-INF/sample-krb.conf b/spring-security-kerberos-sample/src/main/webapp/WEB-INF/sample-krb.conf
@@ -0,0 +1,6 @@
+[libdefaults]
+        default_realm = SPRINGSOURCE.COM
+[realms]
+ 		SPRINGSOURCE.COM = {
+                kdc = kdc.springsource.com
+        }
diff --git a/spring-security-kerberos-sample/src/main/webapp/WEB-INF/server-side-kerberos.xml b/spring-security-kerberos-sample/src/main/webapp/WEB-INF/server-side-kerberos.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+
+	<!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
+	<sec:http>
+		<sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
+		<sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
+	</sec:http>
+
+	<sec:authentication-manager alias="authenticationManager">
+		<sec:authentication-provider ref="kerberosAuthenticationProvider"/>
+	</sec:authentication-manager>
+
+	<bean id="kerberosAuthenticationProvider"  
+		class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
+		<property name="kerberosClient">
+			<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
+				<property name="debug" value="true"/>
+			</bean>
+		</property>
+		<property name="userDetailsService" ref="dummyUserDetailsService"/>
+	</bean>
+
+	<bean
+		class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
+		<property name="debug" value="true" />
+		<!-- You can point to a different kerberos config location here, if you don't want the default one -->
+		<!-- <property name="krbConfLocation" value="/etc/krb5.conf"/> -->
+	</bean>
+
+	<!--
+		Just returns the User authenticated by Kerberos and gives him the
+		ROLE_USER
+	-->
+	<bean id="dummyUserDetailsService"
+		class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
+</beans>
diff --git a/spring-security-kerberos-sample/src/main/webapp/WEB-INF/spnego-with-form-login.xml b/spring-security-kerberos-sample/src/main/webapp/WEB-INF/spnego-with-form-login.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+
+	<!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
+	<sec:http entry-point-ref="spnegoEntryPoint">
+		<sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
+		<sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
+			position="BASIC_AUTH_FILTER" />
+		<sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
+	</sec:http>
+
+	<bean id="spnegoEntryPoint"
+		class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
+
+	<bean id="spnegoAuthenticationProcessingFilter"
+		class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+	</bean>
+
+	<sec:authentication-manager alias="authenticationManager">
+		<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
+		<sec:authentication-provider user-service-ref="dummyUserDetailsService"/> <!-- Used with form login -->
+	</sec:authentication-manager>
+
+
+
+	<bean id="kerberosServiceAuthenticationProvider"
+		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
+		<property name="ticketValidator">
+			<bean
+				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
+				<property name="servicePrincipal" value="HTTP/web.springsource.com" />
+				<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
+				<!-- See the Javadoc for more information on that -->
+				<property name="keyTabLocation" value="/etc/web-springsource-com.keytab" />
+				<property name="debug" value="true" />
+			</bean>
+		</property>
+		<property name="userDetailsService" ref="dummyUserDetailsService" />
+	</bean>
+
+	<!-- This bean definition enables a very detailed Kerberos logging -->
+	<bean
+		class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
+		<property name="debug" value="true" />
+	</bean>
+
+	<!--
+		Just returns the User authenticated by Kerberos and gives him the
+		ROLE_USER
+	-->
+	<bean id="dummyUserDetailsService"
+		class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
+
+</beans>
diff --git a/...urity-kerberos-sample/src/main/webapp/WEB-INF/spnego-with-server-side-kerberos-option.xml b/...urity-kerberos-sample/src/main/webapp/WEB-INF/spnego-with-server-side-kerberos-option.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+
+	<!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
+	<sec:http entry-point-ref="spnegoEntryPoint">
+		<sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
+		<sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+		<sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
+	</sec:http>
+
+	<bean id="spnegoEntryPoint"
+		class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
+
+	<bean id="spnegoAuthenticationProcessingFilter"
+		class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+	</bean>
+
+	<sec:authentication-manager alias="authenticationManager">
+		<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
+		<sec:authentication-provider ref="kerberosAuthenticationProvider"/> <!-- Used with form login -->
+	</sec:authentication-manager>
+
+	<bean id="kerberosAuthenticationProvider"  
+		class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
+		<property name="kerberosClient">
+			<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
+				<property name="debug" value="true"/>
+			</bean>
+		</property>
+		<property name="userDetailsService" ref="dummyUserDetailsService"/>
+	</bean>
+
+	<bean id="kerberosServiceAuthenticationProvider"
+		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
+		<property name="ticketValidator">
+			<bean
+				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
+				<property name="servicePrincipal" value="HTTP/web.springsource.com" />
+				<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
+				<!-- See the Javadoc for more information on that -->
+				<property name="keyTabLocation" value="/etc/web-springsource-com.keytab" />
+				<property name="debug" value="true" />
+			</bean>
+		</property>
+		<property name="userDetailsService" ref="dummyUserDetailsService" />
+	</bean>
+
+	<bean
+		class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
+		<property name="debug" value="true" />
+		<!-- You can point to a different kerberos config location here, if you don't want the default one -->
+		<!-- <property name="krbConfLocation" value="/etc/krb5.conf"/> -->
+	</bean>
+
+	<!--
+		Just returns the User authenticated by Kerberos and gives him the
+		ROLE_USER
+	-->
+	<bean id="dummyUserDetailsService"
+		class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
+
+</beans>
diff --git a/...mple/src/main/webapp/WEB-INF/security.xml → ...sample/src/main/webapp/WEB-INF/spnego.xml b/...mple/src/main/webapp/WEB-INF/security.xml → ...sample/src/main/webapp/WEB-INF/spnego.xml
@@ -22,30 +22,34 @@
 		<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
 	</sec:authentication-manager>
 
+
+
 	<bean id="kerberosServiceAuthenticationProvider"
 		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
 		<property name="ticketValidator">
 			<bean
 				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
-				<property name="servicePrincipal" value="HTTP/WEB.FENETRES.MONKEYMACHINE.EU" />
-                <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
-                <!-- See the Javadoc for more information on that -->
-				<property name="keyTabLocation" value="classpath:http-web.keytab" />
-				<property name="debug" value="true"/>
+				<property name="servicePrincipal" value="HTTP/web.springsource.com" />
+				<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
+				<!-- See the Javadoc for more information on that -->
+				<property name="keyTabLocation" value="/etc/web-springsource-com.keytab" />
+				<property name="debug" value="true" />
 			</bean>
 		</property>
 		<property name="userDetailsService" ref="dummyUserDetailsService" />
 	</bean>
-
-	<!-- Just returns the User authenticated by Kerberos and gives him the ROLE_USER -->
-	<bean id="dummyUserDetailsService" class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService"/>
 
-	<bean id="inMemoryUserDetailsService"
-		class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
-		<property name="userProperties">
-			<value>
-				mike@SECPOD.DE=notUsed,ROLE_ADMIN
-					</value>
-		</property>
+	<!-- This bean definition enables a very detailed Kerberos logging -->
+	<bean
+		class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
+		<property name="debug" value="true" />
 	</bean>
+
+	<!--
+		Just returns the User authenticated by Kerberos and gives him the
+		ROLE_USER
+	-->
+	<bean id="dummyUserDetailsService"
+		class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
+
 </beans>
diff --git a/spring-security-kerberos-sample/src/main/webapp/WEB-INF/web.xml b/spring-security-kerberos-sample/src/main/webapp/WEB-INF/web.xml
@@ -12,11 +12,15 @@
     </filter-mapping>
     <context-param>
 		<param-name>contextConfigLocation</param-name>
-		<param-value>/WEB-INF/security.xml</param-value>
+		<param-value>/WEB-INF/spnego.xml</param-value>
+<!--		<param-value>/WEB-INF/spnego-with-form-login.xml</param-value>-->
+<!--		<param-value>/WEB-INF/spnego-with-server-side-kerberos-option.xml</param-value>-->
+<!--		<param-value>/WEB-INF/server-side-kerberos.xml</param-value>	-->
 	</context-param>
 
 
-	<!-- Bootstraps the root web application context before servlet initialization -->
+	<!-- Bootstraps the root web application context before servlet initialization
+-->
 	<listener>
 		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 	</listener>

diff --git a/spring-security-kerberos-sample/src/main/webapp/index.jsp b/spring-security-kerberos-sample/src/main/webapp/index.jsp
@@ -8,5 +8,8 @@
 </head>
 <body>
 <h1>Click <a href="secure/index.jsp">here</a> to attempt SPNEGO authentication.</h1>
+
+<h1>Click <a href="login.html">here</a> to got to the form based login.</h1>
+
 </body>
 </html>
diff --git a/spring-security-kerberos-sample/src/main/webapp/login.html b/spring-security-kerberos-sample/src/main/webapp/login.html
@@ -0,0 +1,18 @@
+<html><head><title>Login Page</title></head><body onload='document.f.j_username.focus();'>
+<h3>Login with Username and Password</h3><form name='f' action='/spring-security-kerberos-sample/j_spring_security_check' method='POST'>
+<ul>
+	<li>With "spnego-with-form-login.xml" active, you can enter any username and password is always "notUsed".</li>
+	<li>With "spnego-with-server-side-kerberos-option.xml" or  "server-side-kerberos.xml" active, you can enter any Kerberos user with the corresponding password.</li>
+	<li>The login doesn't work with "spnego.xml" active</li> 
+</ul>
+You can activate the different configurations in web.xml.
+
+
+ <table>
+    <tr><td>User:</td><td><input type='text' name='j_username' value=''></td></tr>
+    <tr><td>Password:</td><td><input type='password' name='j_password'/></td></tr>
+    <tr><td colspan='2'><input name="submit" type="submit"/></td></tr>
+    <tr><td colspan='2'><input name="reset" type="reset"/></td></tr>
+  </table>
+</form>
+</body></html>