JAAS AuthN Tokens in uPortal and Beyond



  1. JAAS AuthN Tokens in uPortal and Beyond or “The JAAS Singer”

  2. Our Environment • 3 Campuses / 2 Environments • Tomcat 6.0.20 • uPortal 3.1.1 • Active Directory Kerberos authentication via JAAS

  3. Why Active Directory? • AD offers authentication and group management • Many campus services use it for authentication • Kerberos implementation is widely used

  4. Why JAAS? • Already part of Java • Kerberos implementation is solid • Works with our AD/Kerberos • uPortal has some JAAS support

  5. EWS / uPortal • Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange. • We were tasked with building a portlet that retrieves a summary of the user's Email and Calendar items. • Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

  6. Parameters • Utilize existing infrastructure. • Secure and easily managed Authentication.

  7. #1 Utilize Existing Infrastructure • Both EWS and our uPortal instance authenticate against AD. • EWS has a SOAP interface; Java supports SOAP web services via JAX-WS. • Some work was already started via imap2exchange • Helped with the JAX-WS bindings • Utilizes BASIC authentication

  8. #2 Secure, Easily Managed AuthN • Options considered for calling EWS on the user's behalf: • BASIC authN (the user's password on every request) • An admin/service user on the Exchange server • Secret keys shared between the portal and the EWS server • Kerberos tickets?

  9. Kerberos Tickets and SPNego! • Kerberos tickets are issued by Active Directory (its domain controllers act as the KDC) • Opaque and unique per client/service pair • SPNego (Simple and Protected GSSAPI NEGOtiation mechanism) • Carries Kerberos/GSSAPI tokens over HTTP (the "Negotiate" scheme, RFC 4559) • Built into EWS • Supported by all major browsers

  10. uPortal and SPNego via JAAS/GSSAPI • The out-of-the-box (OOB) JAASSecurityContext • allows authN via JAAS • does not hold on to the Kerberos ticket after login • Thanks to uPortal being open source, we • saw why it wasn't kept • more importantly, saw what had to happen to make it hold on to the ticket • Implemented our own JAASSecurityContext that keeps the ticket in the security context

  11. uPortal and SPNego via JAAS/GSSAPI • Portlets need to be able to access this attribute • use the portlet API (PortletRequest.getAttribute) • developed our own RequestAttributeService and used the portlet container's Spring context file to inject it into uPortal • Now IPerson attributes are available to portlets without any additional API.

  12. Using the Kerberos Ticket • Still faced a couple of challenges • Generate a SPNego token • put it on the HTTP header of the SOAP request the right way

  13. Enter JAASmine • JAASmine was built out of frustration • there are FEW good resources on GSSAPI/SPNego usage in Java • the API is under-documented and the tutorials are too basic • JAASmine takes what we learned and makes it easy

  14. JAASmine • Lightweight “wrapper” for JAAS/GSSAPI • Client code for web services that want to authenticate using SPNego tokens • Server code for handling verification and validation of SPNego tokens

  15. Success!

  16. JAASmine and EWS authN • From our portlet, we could get the Kerberos ticket • Pass it to the JAASmine client to generate a SPNego token • Next, put it on the HTTP header of the SOAP request: Authorization: Negotiate <base64 token> (WWW-Authenticate: Negotiate is the server's challenge header, not the one the client sends)
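The client half of slides 12 through 16, written out as an added example. This is not JAASmine's or uPortal's code: it logs in through a JAAS Krb5LoginModule entry, builds the SPNEGO token with plain JGSS, sends it in the Authorization header of a SOAP POST to EWS, and feeds the server's reply token back to finish mutual authentication. The JAAS entry name `SpnegoClient`, the host `exchange.example.edu`, the EWS path and the placeholder SOAP body are all assumptions.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not JAASmine/uPortal code). Assumed JAAS entry, selected with
 * -Djava.security.auth.login.config=jaas.conf:
 *
 *   SpnegoClient {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true doNotPrompt=true;
 *   };
 *
 * Inside the portal the Subject would come from the security context that kept
 * the ticket (slide 10); the GSS calls below are the same either way.
 */
public class SpnegoEwsClient {

    /** SPNEGO pseudo-mechanism OID (RFC 4178). */
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** RFC 4559 header value: the scheme name plus the base64 GSS token. */
    public static String negotiateHeader(byte[] token) {
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /** Initiator context for HTTP/host; must run under Subject.doAs to see the TGT. */
    static GSSContext newClientContext(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Host-based service name; Kerberos resolves it to HTTP/host@REALM.
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, new Oid(SPNEGO_OID), null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // also verify the server via its reply token
        ctx.requestCredDeleg(false);  // never hand our TGT to Exchange
        return ctx;
    }

    /** POSTs a SOAP body with a SPNEGO token and returns the HTTP status. */
    public static int postWithSpnego(Subject subject, String host, String path, String soapBody)
            throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            GSSContext ctx = newClientContext(host);
            try {
                // An empty input token on the first call yields the NegTokenInit.
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);

                HttpURLConnection conn = (HttpURLConnection)
                        new URL("https://" + host + path).openConnection();
                conn.setRequestMethod("POST");
                conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
                // Client side of RFC 4559: the token rides in Authorization.
                // WWW-Authenticate is the server's challenge/reply header.
                conn.setRequestProperty("Authorization", negotiateHeader(token));
                conn.setDoOutput(true);
                try (OutputStream out = conn.getOutputStream()) {
                    out.write(soapBody.getBytes(StandardCharsets.UTF_8));
                }
                int status = conn.getResponseCode();

                // With mutual auth the server returns a NegTokenResp in its own
                // WWW-Authenticate header; feeding it back completes the context.
                String reply = conn.getHeaderField("WWW-Authenticate");
                if (status == 200 && reply != null && reply.startsWith("Negotiate ")) {
                    byte[] replyTok = Base64.getDecoder().decode(reply.substring(10).trim());
                    ctx.initSecContext(replyTok, 0, replyTok.length);
                }
                if (status == 200 && !ctx.isEstablished()) {
                    // The server answered but never proved its identity: fail closed.
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                return status;
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("SpnegoClient");
        lc.login();  // reads the user's TGT from the Kerberos ticket cache
        String host = "exchange.example.edu";  // assumed EWS host
        String soap = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body/></soap:Envelope>";  // placeholder body, not a real EWS call
        System.out.println("HTTP " + postWithSpnego(lc.getSubject(), host, "/EWS/Exchange.asmx", soap));
    }
}
```

Run with `-Djava.security.krb5.conf` (or the system krb5.conf) pointing at the AD realm and the `SpnegoClient` entry above in the JAAS config. Two points worth checking in a real deployment: the SPN `HTTP/host` must exist in AD for the Exchange host, and `requestCredDeleg(false)` keeps the portal from forwarding the user's TGT unless delegation is a deliberate design decision.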

  17. Beyond uPortal • JAASmine server components are used for authenticating to our Kuali Rice instances (the web app now, the SOAP services soon) • set up is low impact • configure JAAS • configure Kerberos • configure a servlet filter
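The server half (slide 14's "verification and validation of SPNego tokens" and the three setup steps on this slide), as an added example rather than JAASmine's own filter. It logs the service principal in from a keytab via JAAS, challenges with `WWW-Authenticate: Negotiate` when no token is present, accepts the token under the service Subject, and hands the authenticated Kerberos principal to the application as a request attribute. The JAAS entry `SpnegoServer`, the keytab path, the principal `HTTP/portal.example.edu@EXAMPLE.EDU` and the attribute name are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example (not JAASmine code). Assumed acceptor-side JAAS entry; it needs
 * only the keytab, no ticket cache:
 *
 *   SpnegoServer {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true doNotPrompt=true isInitiator=false
 *       keyTab="/etc/krb5/http.keytab"
 *       principal="HTTP/portal.example.edu@EXAMPLE.EDU";
 *   };
 *
 * Map the filter in web.xml to the paths that need login; servlets read the
 * Kerberos principal with request.getAttribute(PRINCIPAL_ATTR).
 */
public class SpnegoFilter implements Filter {

    public static final String PRINCIPAL_ATTR = "spnego.principal";  // assumed name
    private static final String NEGOTIATE = "Negotiate";

    /** Result of accepting one token: who the client is, and the mutual-auth reply. */
    static final class Accepted {
        final String principal; final byte[] replyToken;
        Accepted(String principal, byte[] replyToken) { this.principal = principal; this.replyToken = replyToken; }
    }

    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("SpnegoServer");
            lc.login();  // loads the HTTP/... key from the keytab into the Subject
            serviceSubject = lc.getSubject();
        } catch (Exception e) {
            throw new ServletException("Kerberos service login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        byte[] inToken = decodeToken(request.getHeader("Authorization"));
        if (inToken == null) {
            // No usable token: send the RFC 4559 challenge and stop here.
            response.setHeader("WWW-Authenticate", NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Accepted a;
        try {
            a = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Accepted>) () -> accept(inToken));
        } catch (Exception e) {
            // Wrong SPN, expired or replayed ticket, clock skew, or an NTLM token
            // (which Java GSS cannot accept) all land here: re-challenge.
            response.setHeader("WWW-Authenticate", NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (a.replyToken != null) {  // lets a mutual-auth client verify this server
            response.setHeader("WWW-Authenticate",
                    NEGOTIATE + " " + Base64.getEncoder().encodeToString(a.replyToken));
        }
        request.setAttribute(PRINCIPAL_ATTR, a.principal);
        chain.doFilter(request, response);
    }

    /** Returns the raw GSS token from "Authorization: Negotiate <b64>", or null. */
    static byte[] decodeToken(String auth) {
        if (auth == null || !auth.regionMatches(true, 0, NEGOTIATE + " ", 0, NEGOTIATE.length() + 1)) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(auth.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException malformed) {
            return null;
        }
    }

    /** Accepts one token; Kerberos inside SPNEGO completes in a single leg. */
    static Accepted accept(byte[] inToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            byte[] reply = ctx.acceptSecContext(inToken, 0, inToken.length);
            if (!ctx.isEstablished()) {
                // A multi-leg negotiation would need the context kept in session;
                // this filter does not support that, so it fails closed.
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            // Any credentials the client delegated are deliberately left unused.
            return new Accepted(ctx.getSrcName().toString(), reply);
        } finally {
            ctx.dispose();
            serverCred.dispose();
        }
    }
}
```

The principal the filter exposes is the Kerberos name (for example `user@EXAMPLE.EDU`), which the application can map to its own user record; the filter itself does no authorization. Keep the keytab readable only by the Tomcat user, since anyone holding it can impersonate the service.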

  18. Beyond uPortal • More web services • Kerberos/Browser to server? It’s possible (and ideal)…

  19. References • SPNego - http://goo.gl/ECVHs • GSSAPI - http://goo.gl/XPLJF • JAASmine- http://goo.gl/DM2GD • imap2exchange - http://goo.gl/IkAZL

  20. Thank You! • Tim Carroll • Andy Gherna
