I can’t manage to configure my Ubuntu VM to single sign-on on my Spring Security web application under Spnego. Did I do anything wrong or am I missing something?
I already got to SSO on a Windows 7 VM, so I believe it’s Linux specific.
My configuration is detailed below.
Infra
I have four machines that run on two different hardware hosts:
WIN-SRV2008.company.local: the VM KDC running Windows Server 2008 (hardware A)
TOMCAT.company.local: running the Tomcat 7 web application (hardware A)
W7-CLIENT.company.local: VM Windows 7 client on which SSO works (hardware B)
U-CLIENT.company.local: VM Ubuntu 17.10.1 client on which SSO doesn’t work (hardware B)
SPN
My SPN, krb5.ini and login.conf were based on this thread’s description.
Spnego
I basically followed Spring Security Kerberos – Reference Documentation, except removing form login, resulting in:
import java.util.Arrays;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// LoginKerberosAuthentication, UsuarioDetailsService and sessionRegistry()
// are defined elsewhere in the project and are not shown here.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${kerberos.service-principal}")
    private String servicePrincipal;

    @Value("${kerberos.keytab-location}")
    private String keytabLocation;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AffirmativeBased affirmativeBased =
                new AffirmativeBased(Arrays.asList(new RoleVoter(), new WebExpressionVoter()));
        http
            .authorizeRequests().accessDecisionManager(affirmativeBased)
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .authenticationEntryPoint(entryPoint())
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .and()
            // The SPNEGO filter must run before basic auth so the Negotiate token is consumed first.
            .addFilterBefore(
                spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                BasicAuthenticationFilter.class)
            .sessionManagement()
                .invalidSessionUrl("/login")
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint entryPoint() {
        // No-arg constructor: respond 401 with "WWW-Authenticate: Negotiate" instead of redirecting.
        return new SpnegoEntryPoint();
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        LoginKerberosAuthentication provider = new LoginKerberosAuthentication();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        // Validates the client's service ticket against the keytab for the HTTP/... SPN.
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public UsuarioDetailsService usuarioDetailsService() {
        return new UsuarioDetailsService();
    }
}
Ubuntu client
To join the domain I followed these steps:
sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit
sudo realm join COMPANY.local -U 'administrator@COMPANY.LOCAL' -v
until I was able to generate a Kerberos ticket with:
kinit my_ubuntu_user@COMPANY.local
I actually checked the cache with klist, which output:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_ubuntu_user@COMPANY.local

Valid starting       Expires              Service principal
30/10/2018 17:25:47  31/10/2018 03:25:47  krbtgt/COMPANY.local@COMPANY.local
	renew until 31/10/2018 17:25:43
And lastly, I authenticated successfully using:
sudo su my_ubuntu_user@COMPANY.local
SSO – the problem
When I try to access my application homepage using Firefox (with trusted sites config) just as I do with the Windows 7 client, I only get the 401 Negotiate header and no response token is sent.
Meaning that, when I pass an actual URL to the SpnegoEntryPoint constructor, I get redirected to this fallback.
Thank you in advance
Answer
Thanks to Samson’s comment I was able to make it work.
I was indeed switching to an empty cache by doing sudo su my_ubuntu_user@COMPANY.local, which made my application login respond 401.