JAAS AuthN Tokens in uPortal and Beyond or “The JAAS Singer”
Our Environment • 3 Campuses / 2 Environments • Tomcat 6.0.20 • uPortal 3.1.1 • Active Directory Kerberos authentication via JAAS
Why Active Directory? • AD offers authentication and group management • Many campus services use it for authentication • Kerberos implementation is widely used
Why JAAS? • Already part of Java • Kerberos implementation is solid • Works with our AD/Kerberos • uPortal has some JAAS support
EWS / uPortal • Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange. • We were tasked with building a portlet that retrieves a summary of a user's Email and Calendar items. • Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.
Parameters • Utilize existing infrastructure. • Secure and easily managed Authentication.
#1 Utilize Existing Infrastructure • Both EWS and our uPortal instance authenticate against AD. • EWS has a SOAP interface; Java supports SOAP web services via JAX-WS. • Some work was already started via imap2exchange • Helped with the JAX-WS bindings • Uses BASIC authentication (username and password sent on every request)
#2 Secure, Easily Managed AuthN • Options considered: • BASIC authN with an admin user on the Exchange server (the portal would hold a privileged password) • Secret keys shared between the portal and the EWS server • Kerberos tickets?
Kerberos Tickets and SPNego! • Kerberos tickets are issued by Active Directory (the domain controllers act as the KDC) • Opaque to the application and unique per user and service • SPNego (Simple and Protected GSSAPI NEGOtiation mechanism) • Carries the Kerberos ticket over HTTP in the Negotiate authentication scheme • Built into EWS (Exchange accepts it natively) • Supported by all major browsers
uPortal and SPNego via JAAS/GSSAPI • The out-of-the-box (OOB) JAASSecurityContext • allows authN via JAAS • but does not hold on to the Kerberos ticket (the Subject returned by the JAAS login, which carries the ticket, is not kept) • Thanks to uPortal being open source we • saw why the ticket was not kept • more importantly, saw what had to happen to make it hold on to the ticket • Implemented our own JAASSecurityContext
uPortal and SPNego via JAAS/GSSAPI • Portlets need to be able to access this attribute • through the portlet API (PortletRequest.getAttribute) • We developed our own RequestAttributeService and used the portlet container's Spring context file to inject it into uPortal! • Now IPerson attributes are available to portlets without any additional API.
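What the custom JAASSecurityContext has to do differently from the OOB one, shown as an added example written for this page (not uPortal or JAASmine code): log in through JAAS against AD and keep the Subject, because the TGT lives in that Subject's private credentials. The JAAS entry name uPortalKrb, the configuration fragment in the comment, and the class and method names are assumptions; the portal would store the ticket (or the Subject) as an IPerson attribute for the RequestAttributeService to hand to portlets.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Editor's illustration, not uPortal or JAASmine code. Assumes the JAAS login
 * configuration (the file named by -Djava.security.auth.login.config) contains a
 * hypothetical entry such as:
 *
 *   uPortalKrb {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=false storeKey=false doNotPrompt=false;
 *   };
 *
 * and that krb5.conf (or -Djava.security.krb5.realm/kdc) points at the AD domain.
 */
public class KerberosLogin {

    /** Hands the portal login form's username and password to Krb5LoginModule. */
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FormCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password are supported");
                }
            }
        }
    }

    /**
     * Authenticates against AD and returns the Subject. The TGT that Krb5LoginModule
     * obtained is in this Subject's private credentials; code that calls login() and
     * then discards the Subject loses the ticket, which is the OOB behaviour described.
     */
    public static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("uPortalKrb", new FormCallbackHandler(user, password));
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0'); // the cleartext password is not needed once the TGT exists
        }
        return lc.getSubject();
    }

    /** Picks the current TGT (service name krbtgt/REALM@REALM) out of the Subject. */
    public static KerberosTicket ticketGrantingTicket(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/") && t.isCurrent()) {
                return t;
            }
        }
        return null;
    }
}
```

The ticket has an end time; a security context that caches it should check isCurrent() before handing it to a portlet, and a portlet that finds it missing should treat that as "re-authenticate", not as an error in the portal.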
Using the Kerberos Ticket • Still faced a couple of challenges • generating a SPNego token from the ticket • putting it on the HTTP header of the SOAP request the right way
Enter JAASmine • JAASmine was built out of frustration • there are FEW good resources on GSSAPI/SPNego usage in Java • the API is under-documented and the tutorials are too basic • JAASmine takes what we learned and makes it easy
JAASmine • Lightweight “wrapper” for JAAS/GSSAPI • Client code for web services that want to authenticate using SPNego tokens • Server code for handling verification and validation of SPNego tokens
JAASmine and EWS authN • From our portlet we could get the Kerberos ticket • Pass it to the JAASmine client to generate a SPNego token • Put the token on the Authorization header of the HTTP SOAP request (Authorization: Negotiate <base64 token>; WWW-Authenticate is the server's challenge header, not the client's)
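The two remaining steps (build the SPNEGO token from the user's ticket, put it on the SOAP request) as one added example written for this page; it is not JAASmine's client code and does not use its API. It assumes Java 8+, the javax.xml.ws JAX-WS API, and a hypothetical EWS host mail.example.edu whose HTTP service principal is registered in AD.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* Editor's illustration, not JAASmine code. Assumes Java 8+ and the javax.xml.ws API. */
public class SpnegoClient {

    /** SPNEGO mechanism OID (RFC 4178); GSS-API wraps the Kerberos AP-REQ for EWS inside it. */
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** A started negotiation: the context (kept to verify the server's reply) and the token to send. */
    public static final class Negotiation {
        public final GSSContext context;
        public final byte[] token;
        Negotiation(GSSContext context, byte[] token) { this.context = context; this.token = token; }
    }

    /** Rebuilds a Subject around the TGT a portlet fetched via PortletRequest.getAttribute. */
    public static Subject subjectFor(KerberosTicket tgt) {
        Subject s = new Subject();
        s.getPrincipals().add(tgt.getClient());
        s.getPrivateCredentials().add(tgt);
        return s;
    }

    /**
     * Produces the first SPNEGO token. Running inside Subject.doAs lets GSS-API find the TGT
     * and fetch a service ticket from AD without any password. hostBasedService is e.g.
     * "HTTP@mail.example.edu" (hypothetical) and must match the SPN of the Exchange server.
     */
    public static Negotiation start(Subject user, final String hostBasedService) throws GSSException {
        try {
            return Subject.doAs(user, (PrivilegedExceptionAction<Negotiation>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSName server = mgr.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(server, new Oid(SPNEGO_OID), null,
                        GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);  // ask EWS to prove it holds the service key
                ctx.requestCredDeleg(false);  // never hand the user's TGT to the mail server
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                return new Negotiation(ctx, token);
            });
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof GSSException) throw (GSSException) e.getCause();
            throw new IllegalStateException(e.getCause());
        }
    }

    /** The request header: the client sends Authorization, not WWW-Authenticate. */
    public static String authorizationHeader(byte[] token) {
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /** Attaches the header to a JAX-WS port before the SOAP call is made. */
    public static void attach(BindingProvider port, String authorization) {
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Authorization", Collections.singletonList(authorization));
        port.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }

    /**
     * Completes mutual authentication with the response's WWW-Authenticate value (read from
     * port.getResponseContext().get(MessageContext.HTTP_RESPONSE_HEADERS)) and frees the context.
     */
    public static void finish(Negotiation n, String wwwAuthenticate) throws GSSException {
        try {
            if (wwwAuthenticate != null && wwwAuthenticate.startsWith("Negotiate ")) {
                byte[] reply = Base64.getDecoder().decode(wwwAuthenticate.substring(10).trim());
                n.context.initSecContext(reply, 0, reply.length);
            }
            if (!n.context.isEstablished()) {
                throw new GSSException(GSSException.FAILURE); // server never proved itself
            }
        } finally {
            n.context.dispose();
        }
    }
}
```

Order of calls for one EWS request: subjectFor(ticket), start(subject, "HTTP@mail.example.edu"), attach(port, authorizationHeader(n.token)), invoke the port, then finish(n, responseHeader). A new token is generated per request; Kerberos authenticators are single-use, so reusing one is both wrong and rejected by the server.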
Beyond uPortal • JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services) • setup is low impact • configure JAAS • configure Kerberos • configure a servlet filter
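The server side of the same recipe (JAAS entry, Kerberos keytab, servlet filter) as an added example written for this page; it is not JAASmine's server component. The JAAS entry name HttpService, the keytab path, the service principal HTTP/rice.example.edu@EXAMPLE.EDU and the class name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

/*
 * Editor's illustration, not JAASmine code. Assumes a hypothetical JAAS entry:
 *   HttpService {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true keyTab="/etc/krb5.keytab" storeKey=true isInitiator=false
 *           principal="HTTP/rice.example.edu@EXAMPLE.EDU";
 *   };
 * with that SPN mapped to the service account in AD (setspn).
 */
public class SpnegoAcceptFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate ";
    private volatile Subject service; // carries the long-term service key from the keytab

    static final class Accepted {
        final String principal;  // e.g. "alice@EXAMPLE.EDU"
        final byte[] replyToken; // mutual-auth proof for the client, may be null
        Accepted(String principal, byte[] replyToken) { this.principal = principal; this.replyToken = replyToken; }
    }

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("HttpService"); // one keytab login for the whole app
            lc.login();
            service = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE)) {
            challenge(response); // 401 + "WWW-Authenticate: Negotiate" starts the exchange
            return;
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(auth.substring(NEGOTIATE.length()).trim());
        } catch (IllegalArgumentException malformed) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Accepted accepted;
        try {
            accepted = accept(token);
        } catch (GSSException e) {
            challenge(response); // wrong service key, expired/replayed ticket, or an NTLM token
            return;
        }
        if (accepted.replyToken != null) {
            response.setHeader("WWW-Authenticate",
                    NEGOTIATE + Base64.getEncoder().encodeToString(accepted.replyToken));
        }
        final String user = accepted.principal;
        final Principal principal = () -> user;
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return principal; }
        }, response);
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Verifies the SPNEGO/Kerberos token against the service key held in the Subject. */
    private Accepted accept(final byte[] token) throws GSSException {
        try {
            return Subject.doAs(service, (PrivilegedExceptionAction<Accepted>) () -> {
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                try {
                    byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                    if (!ctx.isEstablished()) { // Kerberos completes in one leg; reject anything else
                        throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                    }
                    return new Accepted(ctx.getSrcName().toString(), reply);
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof GSSException) throw (GSSException) e.getCause();
            throw new IllegalStateException(e.getCause());
        }
    }

    @Override
    public void destroy() { service = null; }
}
```

Two checks worth keeping when adapting this: the keytab login happens once in init(), not per request, and a browser without a Kerberos ticket will answer the Negotiate challenge with an NTLM token, which this acceptor rejects rather than silently downgrading.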
Beyond uPortal • More web services • Kerberos/Browser to server? It’s possible (and ideal)…
References • SPNego: http://goo.gl/ECVHs • GSSAPI: http://goo.gl/XPLJF • JAASmine: http://goo.gl/DM2GD • imap2exchange: http://goo.gl/IkAZL
Thank You! • Tim Carroll • Andy Gherna