From: markt Date: Tue, 29 Mar 2011 19:08:43 +0000 (+0000) Subject: Part 1 of SPNEGO/Windows authentication support. X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=00da28c6b008dd97ab10b68711bba7c926280675;p=tomcat7.0 Part 1 of SPNEGO/Windows authentication support. This adds authentication support but not authorisation. Some Realm refactoring is required to get authorisation working. SPNEGO is tricky to configure correctly. Some things I know will break it, some I suspect might. There is a long list of questions in the Javadoc that need to be tested. This authenticator started off as a patch by Michael Osipov. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1086683 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java index aaa649ff7..ae19fb12e 100644 --- a/java/org/apache/catalina/authenticator/Constants.java +++ b/java/org/apache/catalina/authenticator/Constants.java @@ -24,16 +24,23 @@ public class Constants { public static final String Package = "org.apache.catalina.authenticator"; // Authentication methods for login configuration + // Servlet spec schemes public static final String BASIC_METHOD = "BASIC"; public static final String CERT_METHOD = "CLIENT_CERT"; public static final String DIGEST_METHOD = "DIGEST"; public static final String FORM_METHOD = "FORM"; + // Vendor specific schemes + public static final String SPNEGO_METHOD = "SPNEGO"; // Form based authentication constants public static final String FORM_ACTION = "/j_security_check"; public static final String FORM_PASSWORD = "j_password"; public static final String FORM_USERNAME = "j_username"; + // SPNEGO authentication constants + public static final String DEFAULT_KEYTAB = "conf/tomcat.keytab"; + public static final String DEFAULT_SPN_CLASS = "HTTP"; + // Cookie name for single sign on support public static final String SINGLE_SIGN_ON_COOKIE = System.getProperty( diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java new file mode 100644 index 000000000..3719a6434 --- /dev/null +++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java @@ -0,0 +1,317 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.authenticator; + +import java.io.File; +import java.io.IOException; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.Principal; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import java.util.HashMap; +import java.util.Map; + +import javax.security.auth.Subject; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.servlet.http.HttpServletResponse; + +import org.apache.catalina.LifecycleException; +import org.apache.catalina.connector.Request; +import org.apache.catalina.deploy.LoginConfig; +import org.apache.catalina.realm.GenericPrincipal; +import org.apache.catalina.startup.Bootstrap; +import org.apache.catalina.util.Base64; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.buf.ByteChunk; +import org.apache.tomcat.util.buf.MessageBytes; +import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.GSSManager; +import org.ietf.jgss.GSSName; + +/** + * A SPNEGO authenticator that uses the SPENGO/Kerberos support built in to Java + * 6. Successful Kerberos authentication depends on the correct configuration of + * multiple components. If the configuration is invalid, the error messages are + * often cryptic although a Google search will usually point you in the right + * direction. + *

+ * TODO: + *

+ *

+ * TBDs: + *

+ */ +public class SpnegoAuthenticator extends AuthenticatorBase { + + private static final Log log = LogFactory.getLog(SpnegoAuthenticator.class); + + protected String serviceKeyTab = Constants.DEFAULT_KEYTAB; + protected String spn = null; + + protected Subject serviceSubject = null; + + + @Override + protected String getAuthMethod() { + return Constants.SPNEGO_METHOD; + } + + + @Override + public String getInfo() { + return "org.apache.catalina.authenticator.SpnegoAuthenticator/1.0"; + } + + + public String getServiceKeyTab() { + return serviceKeyTab; + } + + + public void setServiceKeyTab(String serviceKeyTab) { + this.serviceKeyTab = serviceKeyTab; + } + + + public String getSpn() { + return spn; + } + + + public void setSpn(String spn) { + this.spn = spn; + } + + + @Override + protected void initInternal() throws LifecycleException { + super.initInternal(); + + // Service keytab needs to be an absolute file name + File serviceKeyTabFile = new File(serviceKeyTab); + if (!serviceKeyTabFile.isAbsolute()) { + serviceKeyTabFile = + new File(Bootstrap.getCatalinaBase(), serviceKeyTab); + } + + // SPN is HTTP/hostname + String serviceProvideName; + if (spn == null || spn.length() == 0) { + // Construct default + StringBuilder name = new StringBuilder(Constants.DEFAULT_SPN_CLASS); + name.append('/'); + try { + name.append(InetAddress.getLocalHost().getCanonicalHostName()); + } catch (UnknownHostException e) { + // TODO add a message + throw new LifecycleException(e); + } + serviceProvideName = name.toString(); + } else { + serviceProvideName = spn; + } + + LoginContext lc; + try { + lc = new LoginContext("", null, null, + new JaasConfig(serviceKeyTabFile.getAbsolutePath(), + serviceProvideName, log.isDebugEnabled())); + lc.login(); + serviceSubject = lc.getSubject(); + } catch (LoginException e) { + // TODO add a message + throw new LifecycleException(e); + } + } + + + @Override + public boolean authenticate(Request request, HttpServletResponse response, + LoginConfig config) throws IOException { + + // Have we already authenticated someone? + Principal principal = request.getUserPrincipal(); + String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); + if (principal != null) { + if (log.isDebugEnabled()) + log.debug("Already authenticated '" + principal.getName() + "'"); + // Associate the session with any existing SSO session + if (ssoId != null) + associate(ssoId, request.getSessionInternal(true)); + return true; + } + + // Is there an SSO session against which we can try to reauthenticate? + if (ssoId != null) { + if (log.isDebugEnabled()) + log.debug("SSO Id " + ssoId + " set; attempting " + + "reauthentication"); + /* Try to reauthenticate using data cached by SSO. If this fails, + either the original SSO logon was of DIGEST or SSL (which + we can't reauthenticate ourselves because there is no + cached username and password), or the realm denied + the user's reauthentication for some reason. + In either case we have to prompt the user for a logon */ + if (reauthenticateFromSSO(ssoId, request)) + return true; + } + + MessageBytes authorization = + request.getCoyoteRequest().getMimeHeaders() + .getValue("authorization"); + + if (authorization != null) { + authorization.toBytes(); + ByteChunk authorizationBC = authorization.getByteChunk(); + if (authorizationBC.startsWithIgnoreCase("negotiate ", 0)) { + authorizationBC.setOffset(authorizationBC.getOffset() + 10); + // FIXME: Add trimming + // authorizationBC.trim(); + + ByteChunk decoded = new ByteChunk(); + Base64.decode(authorizationBC, decoded); + + try { + principal = Subject.doAs(serviceSubject, + new KerberosAuthAction(decoded.getBytes(), response)); + } catch (PrivilegedActionException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + if (principal != null) { + register(request, response, principal, Constants.SPNEGO_METHOD, + principal.getName(), null); + return true; + } + } else { + response.setHeader("WWW-Authenticate", "Negotiate"); + } + } else { + response.setHeader("WWW-Authenticate", "Negotiate"); + } + response.sendError(HttpServletResponse.SC_UNAUTHORIZED); + return false; + } + + + private static class KerberosAuthAction + implements PrivilegedExceptionAction { + + private byte[] inToken; + private HttpServletResponse resp; + + public KerberosAuthAction(byte[] inToken, HttpServletResponse resp) { + this.inToken = inToken; + this.resp = resp; + } + + @Override + public Principal run() throws Exception { + + // Assume the GSSContext is stateless + // TODO: Confirm this assumption + GSSContext context = + GSSManager.getInstance().createContext((GSSCredential) null); + + Principal principal = null; + + if (inToken == null) { + throw new IllegalArgumentException("inToken cannot be null"); + } + + byte[] outToken = + context.acceptSecContext(inToken, 0, inToken.length); + + if (outToken == null) { + throw new GSSException(GSSException.DEFECTIVE_TOKEN); + } + + GSSName initiatorName = context.getSrcName(); + + if (context.isEstablished()) { + // TODO This (and a lot of the surrounding code) needs to move + // to RealmBase so authorisation will work. This is just a quick + // hack to get authentication working. + principal = new GenericPrincipal(initiatorName.toString(), null); + } + + // Send response token on success and failure + resp.setHeader("WWW-Authenticate", "Negotiate " + + Base64.encode(outToken)); + + context.dispose(); + return principal; + } + } + + + /** + * Provides the JAAS login configuration required to create + */ + private static class JaasConfig extends Configuration { + + private String keytab; + private String spn; + private boolean debug; + + public JaasConfig(String keytab, String spn, boolean debug) { + this.keytab = keytab; + this.spn = spn; + this.debug = debug; + } + + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + Map options = new HashMap(); + options.put("useKeyTab", "true"); + options.put("keyTab", keytab); + options.put("principal", spn); + options.put("storeKey", "true"); + options.put("doNotPrompt", "true"); + options.put("isInitiator", "false"); + options.put("debug", Boolean.toString(debug)); + + return new AppConfigurationEntry[] { + new AppConfigurationEntry( + "com.sun.security.auth.module.Krb5LoginModule", + AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, + options) }; + } + } +} diff --git a/java/org/apache/catalina/startup/Authenticators.properties b/java/org/apache/catalina/startup/Authenticators.properties index 922fa3776..a995844b2 100644 --- a/java/org/apache/catalina/startup/Authenticators.properties +++ b/java/org/apache/catalina/startup/Authenticators.properties @@ -18,3 +18,4 @@ CLIENT-CERT=org.apache.catalina.authenticator.SSLAuthenticator DIGEST=org.apache.catalina.authenticator.DigestAuthenticator FORM=org.apache.catalina.authenticator.FormAuthenticator NONE=org.apache.catalina.authenticator.NonLoginAuthenticator +SPNEGO=org.apache.catalina.authenticator.SpnegoAuthenticator \ No newline at end of file diff --git a/java/org/apache/catalina/util/Base64.java b/java/org/apache/catalina/util/Base64.java index fd4f3d0b2..7681672af 100644 --- a/java/org/apache/catalina/util/Base64.java +++ b/java/org/apache/catalina/util/Base64.java @@ -290,4 +290,85 @@ public final class Base64 } + /** + * Decodes Base64 data into octets + * + * @param base64DataBC Byte array containing Base64 data + * @param decodedDataBC The decoded data bytes + */ + public static void decode( ByteChunk base64DataBC, ByteChunk decodedDataBC) + { + int start = base64DataBC.getStart(); + int end = base64DataBC.getEnd(); + byte[] base64Data = base64DataBC.getBuffer(); + + decodedDataBC.recycle(); + + // handle the edge case, so we don't have to worry about it later + if(end - start == 0) { return; } + + int numberQuadruple = (end - start)/FOURBYTE; + byte b1=0,b2=0,b3=0, b4=0, marker0=0, marker1=0; + + // Throw away anything not in base64Data + + int encodedIndex = 0; + int dataIndex = start; + byte[] decodedData = null; + + { + // this sizes the output array properly - rlw + int lastData = end - start; + // ignore the '=' padding + while (base64Data[start+lastData-1] == PAD) + { + if (--lastData == 0) + { + return; + } + } + decodedDataBC.allocate(lastData - numberQuadruple, -1); + decodedDataBC.setEnd(lastData - numberQuadruple); + decodedData = decodedDataBC.getBuffer(); + } + + for (int i = 0; i < numberQuadruple; i++) + { + dataIndex = start + i * 4; + marker0 = base64Data[dataIndex + 2]; + marker1 = base64Data[dataIndex + 3]; + + b1 = base64Alphabet[base64Data[dataIndex]]; + b2 = base64Alphabet[base64Data[dataIndex +1]]; + + if (marker0 != PAD && marker1 != PAD) + { + //No PAD e.g 3cQl + b3 = base64Alphabet[ marker0 ]; + b4 = base64Alphabet[ marker1 ]; + + decodedData[encodedIndex] = (byte) (( b1 <<2 | b2>>4 ) & 0xff); + decodedData[encodedIndex + 1] = + (byte) ((((b2 & 0xf)<<4 ) |( (b3>>2) & 0xf) ) & 0xff); + decodedData[encodedIndex + 2] = (byte) (( b3<<6 | b4 ) & 0xff); + } + else if (marker0 == PAD) + { + //Two PAD e.g. 3c[Pad][Pad] + decodedData[encodedIndex] = (byte) (( b1 <<2 | b2>>4 ) & 0xff); + } + else if (marker1 == PAD) + { + //One PAD e.g. 3cQ[Pad] + b3 = base64Alphabet[ marker0 ]; + + decodedData[encodedIndex] = (byte) (( b1 <<2 | b2>>4 ) & 0xff); + decodedData[encodedIndex + 1] = + (byte) ((((b2 & 0xf)<<4 ) |( (b3>>2) & 0xf) ) & 0xff); + } + encodedIndex += 3; + } + } + + } diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index 38d0dc6cf..249bd30aa 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -799,6 +799,115 @@ +
+ + + +

The SPNEGO Authenticator Valve is automatically added to + any Context that is configured to use SPNEGO + authentication.

+ +

If any non-default settings are required, the valve may be configured + within Context element with the required + values.

+ + + + + +

The SPNEGO Authenticator Valve supports the following + configuration attributes:

+ + + + +

Should we cache authenticated Principals if the request is part of an + HTTP session? If not specified, the default value of true + will be used.

+ + + +

Java class name of the implementation to use. This MUST be set to + org.apache.catalina.authenticator.SpnegoAuthenticator. +

+ + + +

Controls if the session ID is changed if a session exists at the + point where users are authenticated. This is to prevent session fixation + attacks. If not set, the default value of true will be + used.

+ + + +

Controls the caching of pages that are protected by security + constraints. Setting this to false may help work around + caching issues in some browsers but will also cause secured pages to be + cached by proxies which will almost certainly be a security issue. + securePagesWithPragma offers an alternative, secure, + workaround for browser caching issues. If not set, the default value of + true will be used.

+ + + +

Controls the caching of pages that are protected by security + constraints. Setting this to false may help work around + caching issues in some browsers by using + Cache-Control: private rather than the default of + Pragma: No-cache and Cache-control: No-cache. + If not set, the default value of true will be used.

+ + + +

Name of the algorithm to use to create the + java.security.SecureRandom instances that generate session + IDs. If an invalid algorithm and/or provider is specified, the platform + default provider and the default algorithm will be used. If not + specified, the default algorithm of SHA1PRNG will be used. If the + default algorithm is not supported, the platform default will be used. + To specify that the platform default should be used, do not set the + secureRandomProvider attribute and set this attribute to the empty + string.

+ + + +

Name of the Java class that extends + java.security.SecureRandom to use to generate SSO session + IDs. If not specified, the default value is + java.security.SecureRandom.

+ + + +

Name of the provider to use to create the + java.security.SecureRandom instances that generate SSO + session IDs. If an invalid algorithm and/or provider is specified, the + platform default provider and the default algorithm will be used. If not + specified, the platform default provider will be used.

+ + + +

Name of the Kerberos keytab file that contains the private key for + the service principal. The name of the service principal must match the + spn attribute. Relative file names are relative to + $CATALINA_BASE. If not specified, the default value of + conf/tomcat.keytab is used.

+ + + +

Service Principal Name (SPN) for this server. It must match the SPN + associated with the key in the serviceKetTab file. If not specified, the + default value of HTTP/<hostname> where + <hostname> is obtained using + InetAddress.getLocalHost().getCanonicalHostName().

+ + + + + + +
+ +
diff --git a/webapps/docs/windows-auth-howto.xml b/webapps/docs/windows-auth-howto.xml index 556ba90e1..b2728a86e 100644 --- a/webapps/docs/windows-auth-howto.xml +++ b/webapps/docs/windows-auth-howto.xml @@ -52,7 +52,8 @@ sections.

This is a work in progress. This warning should be removed once the -end-to-end testing is complete

+various questions and TODOs (see the Javadoc and implementation class) have been +resolved.

There are four components to the configuration of the built-in Tomcat support for Windows authentication. The domain controller, the server hosting Tomcat, the web application wishing to use Windows authentication and the client @@ -60,8 +61,8 @@ machine. The following sections describe the configuration required for each component.

The names of the three machines used in the configuration examples below are win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat -instance) and win-pc01.dev.local (client). The Tomcat server and the client are -both members of the domain.

+instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL +domain.

Note: In order to use the passwords in the steps below, the domain password policy had to be relaxed. This is not recommended for production environments.

@@ -86,9 +87,9 @@ policy had to be relaxed. This is not recommended for production environments. itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command (all on a single line): - ktpass /out c:\tc01.keytab /mapuser tc01@DEV.LOCAL + ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL /princ HTTP/win-tc01.dev.local@DEV.LOCAL - +andPass /kvno 0 + /pass tc01pass /kvno 0
  • Create a domain user to be used on the client. In this how-to the domain user is test with a password of testpass.
    • @@ -100,15 +101,69 @@ policy had to be relaxed. This is not recommended for production environments. -

    TBD

    +

    These steps assume that Tomcat and a Java 6 JDK/JRE have already been + installed and configured and that Tomcat is running as the tc01@DEV.LOCAL + user. The steps to configure the Tomcat instance for Windows authentication + are as follows: +

  • Copy the tomcat.keytab file created on the domain controller + to $CATALINA_BASE/conf.
    • +
  • Create the kerberos configuration file + C:\Windows\krb5.ini. The file used in this how-to + contained:[libdefaults] +default_realm = DEV.LOCAL +default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab +default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 +default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 +forwardable=true + +[realms] +DEV.LOCAL = { + kdc = win-dc01.dev.local:88 +} + +[domain_realm] +dev.local= DEV.LOCAL +.dev.local= DEV.LOCAL
    • +

    +

    The above steps have been tested on a Tomcat server running Windows Server + 2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.

     - -

    TBD

    + +

    The web application needs to be configured to the use Tomcat specific + authentication method of SPNEGO (rather than BASIC etc.) in + web.xml. As with the other authenticators, behaviour can be customised by + explicitly configuring the + authentication valve and setting attributes on the Valve.

     -

    TBD

    +

    The client must be configured to use Kerberos authentication. For Internet + Explorer this means making sure that the Tomcat instance is in the "Local + intranet" security domain and that it is configured (Tools > Internet + Options > Advanced) with integrated Windows authentication enabled. Note that + this will not work if you use the same machine for the client + and the Tomcat instance as Internet Explorer will use the unsupported NTLM + protocol.

    +     + + +

    Correctly configuring Kerberos authentication can be tricky. The following + references may prove helpful. Advice is also always available from the + Tomcat users + mailing list. +

      +
    1. + IIS and Kerberos
      2. +
    2. + Spring Security Kerberos extension
      3. +
    3. + Geronimo configuration for Windows authentication
      4. +
    4. + Encryption Selection in Kerberos Exchanges
      5. +
    5. Supported Kerberos Cipher + Suites
      6. +