Configure the web app for Kerberos authentication using Tomcat

Tags: kerberos, tomcat7, windows-authentication

I am using windows authentication with tomcat 7

I have completed the domain controller setup and the Tomcat instance setup,
but I am unable to configure my web app in Tomcat:
I don't know what I have to change in web.xml, context.xml and server.xml.

Copy the tomcat.keytab file created on the domain controller to $CATALINA_BASE/conf/tomcat.keytab.
Create the kerberos configuration file $CATALINA_BASE/conf/krb5.ini. The file used in this how-to contained:

    # Kerberos client configuration read by the JVM (see java.security.krb5.conf below).
    # Realm, host names and the keytab path are the values used in this how-to; replace
    # them with your own.
    [libdefaults]
    default_realm = DEV.LOCAL
    # Must point at the same keytab as keyTab in jaas.conf. The keytab is equivalent to
    # the service account's password: restrict its file ACL to the account Tomcat runs as.
    default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
    # rc4-hmac is deprecated (RFC 8429); keep it only while the AD service account cannot
    # use AES, otherwise remove it and leave the aes entries.
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    # Forwardable tickets are a prerequisite for credential delegation
    # (storeDelegatedCredential in server.xml); not needed if delegation is unused.
    forwardable=true

    [realms]
    DEV.LOCAL = {
            # KDC of the realm; port 88 is the Kerberos default.
            kdc = win-dc01.dev.local:88
    }

The location of this file can be changed by setting the java.security.krb5.conf system property.
Create the JAAS login configuration file $CATALINA_BASE/conf/jaas.conf. (The `[domain_realm]` section shown first below is krb5.ini syntax and belongs in the krb5.ini file above; jaas.conf starts at the `com.sun.security.jgss.krb5.initiate` entry.) The file used in this how-to contained:

    # krb5.ini section, not jaas.conf: maps DNS domain names to the Kerberos realm so that
    # hosts under dev.local resolve to DEV.LOCAL. Append it to $CATALINA_BASE/conf/krb5.ini;
    # the JAAS parser does not accept "[...]" section headers.
    [domain_realm]
    dev.local= DEV.LOCAL
    .dev.local= DEV.LOCAL


    // JAAS login configuration for the SPNEGO authenticator (loaded via
    // java.security.auth.login.config). Which entry name the SpnegoAuthenticator uses is
    // controlled by its loginConfigName attribute; confirm the default for your Tomcat
    // version. Both entries here are identical, so either name resolves to the same setup.
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    // No interactive user on a server: fail rather than prompt for a password.
    doNotPrompt=true
    // Service principal; must match the SPN registered on the AD service account and the
    // principal stored in the keytab.
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    // Same keytab as default_keytab_name in krb5.ini. It is equivalent to the account's
    // password: restrict its file ACL to the account Tomcat runs as.
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    // Keep the key in the Subject so incoming tickets can be decrypted.
    storeKey=true;
};

// Acceptor side (validating the browser's ticket); same settings as above.
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};

Best Answer

In the web.xml of your web application, you have to set up the login method, the security roles and the security constraint.

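<!-- SPNEGO makes Tomcat authenticate the user with Kerberos (SpnegoAuthenticator plus the
     JAAS entries in jaas.conf); the Realm configured in server.xml is then only used to
     look up the user's roles. -->
<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

<!-- Role names must match what the Realm returns (with the JNDIRealm in server.xml, the
     cn of the user's AD group) and must be spelled identically in every auth-constraint. -->
<security-role>
    <description>Users</description>
    <role-name>WebAppUsers</role-name>
</security-role>
<security-role>
    <description>Admins</description>
    <role-name>WebAppAdmins</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Common Area</web-resource-name>
        <!-- No http-method listed, so the constraint covers every method. -->
        <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Fixed: these previously read WebAppUser/WebAppAdmin, which are not the declared
             roles; a user holding the declared WebAppUsers/WebAppAdmins roles would never
             match and every request to /common/* would have ended in 403. -->
        <role-name>WebAppUsers</role-name>
        <role-name>WebAppAdmins</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- NONE lets the session cookie (and, with storeDelegatedCredential, the session
             that holds the delegated credential) travel over plain HTTP. Change to
             CONFIDENTIAL once server.xml has a TLS connector and a matching redirectPort;
             with only the plain 8080 connector shown, CONFIDENTIAL would break the setup. -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>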

Changes to your server.xml

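<?xml version='1.0' encoding='utf-8'?>
<!-- Minimal server.xml for SPNEGO: host names and the DN suffix (mydomain.com) are
     examples and differ from the DEV.LOCAL realm used in krb5.ini above; use your own
     domain consistently in krb5.ini, jaas.conf and here. -->
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
    <Listener className="org.apache.catalina.core.JasperListener"/>
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    <Service name="Catalina">
        <!-- Plain HTTP only: the session cookie is sent in clear text. Add a TLS connector
             (and a redirectPort here) before switching web.xml to CONFIDENTIAL.
             maxHttpHeaderSize is raised because the Negotiate header carries the Kerberos
             ticket, which grows with the user's group memberships. -->
        <Connector port="8080" maxSavePostSize="2097152" URIEncoding="UTF-8"
            maxHttpHeaderSize="65536"/>
        <Engine name="Catalina" defaultHost="localhost">
            <!-- With SPNEGO the user is already authenticated; this Realm only maps the
                 Kerberos user name (userSearch) to an AD account and collects its groups
                 as roles (memberOf plus roleSearch, nested groups included).
                 ldap:// on 3268 is the unencrypted global catalog port, and no
                 connectionName/connectionPassword is set, so this is an anonymous bind.
                 AD usually rejects anonymous searches; if a bind account is added, switch
                 to ldaps:// (3269 for the global catalog) so its password is not sent in
                 clear text. -->
            <Realm className="org.apache.catalina.realm.JNDIRealm"
                connectionURL="ldap://dc.mydomain.com:3268"
                userSubtree="true"
                userBase="cn=Users,dc=mydomain,dc=com"
                userSearch="(sAMAccountName={0})"
                userRoleName="memberOf"
                roleBase="cn=Users,dc=mydomain,dc=com"
                roleName="cn"
                roleSearch="(member={0})"
                roleSubtree="true"
                roleNested="true"/>
            <Host name="localhost" appBase="webapps">
                <!-- The Context could equally live in the application's META-INF/context.xml
                     instead of server.xml. The SPNEGO auth-method in web.xml already selects
                     SpnegoAuthenticator; the explicit Valve is only needed to set its
                     attributes. storeDelegatedCredential="true" keeps the user's delegated
                     GSS credential in the session so the app can call back-end services as
                     the user; leave it false unless that is required, since it needs the
                     service account to be trusted for delegation in AD and widens what a
                     hijacked session can do. -->
                <Context docBase="ROOT.war" path="">
                    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
                        storeDelegatedCredential="true" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>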