Version 2.0
Introduction
Tomcat, like other application servers, has a pluggable security interface. It is
possible for a developer to replace or add authentication mechanisms.
The security interface is roughly split into two plugin types: Authenticators and
Realms.
The PAC carries group membership in two forms: one list containing RIDs
(relative identifiers, relative to the authenticating domain) and one list
containing full SIDs.
The RID list is only populated when the authenticated user's group memberships
all lie in the logon domain. If the user is a member of groups defined in domains
other than the logon domain, the PAC objectSids carry the full list of groups.
RIDs are only unique within their own domain. When multiple domains are set up
in a trust relationship, the PAC specifies which domain a group belongs to.
The mapping file contains domain information, which is used when the PAC only
contains RIDs: the group objectSids are then constructed from the domain
objectSid and the group RIDs.
The SPNEGOAuthenticator decodes the PAC and computes the group membership
objectSid’s which are then mapped to a logical j2ee security role. The j2ee
security role can be anything but must match the security roles defined in the
Tomcat web application deployment descriptor.
The sample application has one protected URL defined in the deployment
descriptor:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted Area</web-resource-name>
            <url-pattern>/spnegoauthplugin</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>spnegousers@TEST.NET</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <description>spnegousers@TEST.NET</description>
        <role-name>spnegousers@TEST.NET</role-name>
    </security-role>
The corresponding entry in the pac-j2ee.properties mapping file, mapping the
group objectSid to the role name used in the deployment descriptor:
    objectSid.S-15-72FBE2E6-814C1995-C64F68B9-45D=spnegousers@TEST.NET
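The PAC-to-role resolution described above (full objectSid lookup, and RID-to-SID construction from the logon domain SID when the PAC carries RIDs only), written out as an added example. This is not the SPNEGOAuthenticator's own code; the mapping-file syntax follows the objectSid.<SID>=<role> and RID.<rid>@<DOMAIN> entries shown in this document, SIDs are written with hex sub-authorities as the document prints them, and the mapping text, the PAC dictionary and the group_rids key are constructed sample data.

```python
# Added example, not the SPNEGOAuthenticator's own code: maps the group
# membership carried in a PAC to J2EE roles the way this document describes.
# Mapping-file syntax (objectSid.<SID>=<role>, RID.<rid>@<DOMAIN>=<role>)
# follows the entries shown on this page; SIDs use hex sub-authorities as the
# page prints them. All sample values below are constructed.
from typing import Dict, Iterable, Set

# Constructed pac-j2ee.properties content.
SAMPLE_MAPPING = """
# full group objectSid -> role
objectSid.S-15-72FBE2E6-814C1995-C64F68B9-45D=spnegousers@TEST.NET
# RID relative to the logon domain -> role (0x201 = 513, the primary group)
RID.201@TEST=domainusers@TEST.NET
"""

# Constructed PAC logon info, shaped like the getPacLogonInfo() dump on this page.
# "groupRids" is an assumed key for the RID-only membership list; it is empty
# here because objectSids is populated.
SAMPLE_PAC = {
    "logonDomain": "TEST",
    "logonDomainSid": "S-15-72fbe2e6-814c1995-c64f68b9",
    "primaryGroupRid": 513,
    "groupRids": [],
    "objectSids": [
        "S-15-72fbe2e6-814c1995-c64f68b9-45d",
        "S-15-72fbe2e6-814c1995-c64f68b9-200",
        "S-15-72fbe2e6-814c1995-c64f68b9-202",
        "S-15-72fbe2e6-814c1995-c64f68b9-201",
        "S-15-72fbe2e6-814c1995-c64f68b9-461",
    ],
}


def parse_mapping(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped.
    Keys are lower-cased because the page writes the same SID as 45D and 45d."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        mapping[key.strip().lower()] = value.strip()
    return mapping


def group_sids(domain_sid: str, rids: Iterable[int], object_sids: Iterable[str]) -> Set[str]:
    """Full set of group SIDs. RID-only groups are expanded to
    <logon domain SID>-<rid>, the construction the text describes for PACs
    that carry RIDs only."""
    sids = {f"{domain_sid}-{rid:x}".lower() for rid in rids}
    sids.update(s.lower() for s in object_sids)
    return sids


def roles_for(pac: dict, mapping: Dict[str, str]) -> Set[str]:
    """Resolve every group SID to a role: first by full objectSid, then, for
    groups in the logon domain, by RID.<rid>@<DOMAIN>. Unmapped SIDs give no role."""
    domain_sid = pac["logonDomainSid"].lower()
    domain = pac["logonDomain"].lower()
    rids = [pac["primaryGroupRid"]] + list(pac.get("groupRids", []))
    roles: Set[str] = set()
    for sid in group_sids(domain_sid, rids, pac.get("objectSids", [])):
        role = mapping.get(f"objectsid.{sid}")
        if role is None and sid.startswith(domain_sid + "-"):
            rid_hex = sid[len(domain_sid) + 1:]
            role = mapping.get(f"rid.{rid_hex}@{domain}")
        if role is not None:
            roles.add(role)
    return roles


def is_user_in_role(pac: dict, mapping: Dict[str, str], role: str) -> bool:
    """What a container-level isUserInRole() answers: the role name must match
    a mapped role exactly, so a bare 'spnegousers' is false."""
    return role in roles_for(pac, mapping)


if __name__ == "__main__":
    m = parse_mapping(SAMPLE_MAPPING)
    print(sorted(roles_for(SAMPLE_PAC, m)))
    print(is_user_in_role(SAMPLE_PAC, m, "spnegousers@TEST.NET"))
```

The exact-match behaviour of is_user_in_role is the point to keep in mind when reading the sample output further down: a role is only granted when the mapped name is identical to the name queried, including the domain suffix.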
The SPNEGOAuthenticator is registered as a Valve on the web application's
Context in the Tomcat server configuration:
    <Engine …>
        <Host …>
            <Context path="/spnegosample"
                     docBase="spnegosample.war"
                     debug="99">
                <Valve className="dk.itp.tomcat.SPNEGOAuthenticator"
                       basicAuth="false"
                       debug="99"/>
            </Context>
        </Host>
    </Engine>
The SPNEGOJNDIRealm is based on the Apache Tomcat JNDIRealm and uses exactly
the same configuration parameters. An example:
    <Engine …>
        <Realm className="dk.itp.tomcat.SPNEGOJNDIRealm"
               debug="99"
               connectionName="cn=Administrator,cn=users,dc=test,dc=net"
               connectionPassword="password"
               connectionURL="ldap://192.168.202.2:3268"
               userBase="DC=TEST,DC=NET"
               userSearch="(sAMAccountName={0})"
               userRoleName="memberOf"
               roleBase="DC=TEST,DC=NET"
               roleName="objectSid"
               roleSearch="(member={0})"
               roleSubtree="true"
               userSubtree="true" />
    </Engine>
Note that connectionPassword is stored in clear text in this configuration
file, so the file should only be readable by the account Tomcat runs as.
The sample web application contains a URL that shows the PAC and Kerberos
content of the SPNEGO encoded Kerberos ticket.
((SpnegoPrincipal)req.getUserPrincipal()).getPacLogonInfo()
    primaryGroupRid=513
    logonDomain=TEST
    userName=test
    useridRid=1108
    objectSids=[S-15-72fbe2e6-814c1995-c64f68b9-45d,
                S-15-72fbe2e6-814c1995-c64f68b9-200,
                S-15-72fbe2e6-814c1995-c64f68b9-202,
                S-15-72fbe2e6-814c1995-c64f68b9-201,
                S-15-72fbe2e6-814c1995-c64f68b9-461]
    logonSrv=SPNEGO
    fullName=test testesen
    logonDomainSid=S-15-72fbe2e6-814c1995-c64f68b9

j2ee roles
    [S-15-72fbe2e6-814c1995-c64f68b9-45d,
     S-15-72fbe2e6-814c1995-c64f68b9-200,
     S-15-72fbe2e6-814c1995-c64f68b9-202,
     S-15-72fbe2e6-814c1995-c64f68b9-201,
     S-15-72fbe2e6-814c1995-c64f68b9-461]

getRemoteUser                       test@TEST.NET
isUserInRole('spnegousers')         false
isUserInRole('spnegousers@TEST')    false
The last section, the User PAC info, shows the objectSids including the
predefined RIDs. This section can be cut and pasted into the pac-j2ee.properties
file.
The pac-j2ee.properties entries can then be corrected to map to the real group
names in Active Directory.
The URL /spnegopacservletfilter can be run for multiple users and the output
merged into the pac-j2ee.properties mapping file.
Active Directory can be browsed with an LDAP browser. Microsoft includes one,
LDP, in its resource kit; it can be downloaded free of charge.
Looking at the attribute objectSid, we see that the highlighted RID 45D belongs
to the spnegousers group. This information can be used to replace the
RID.45d@TEST value in pac-j2ee.properties with the value spnegousers@TEST.
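The merge-and-correct procedure described above, as an added example that is not the project's own tooling: the key=value dumps that the /spnegopacservletfilter URL prints for several users are merged into one set of objectSid entries, a placeholder role of the form RID.<rid>@<DOMAIN> is written for each logon-domain group, and the placeholder for RID 45d is then replaced with the real group name found in the directory. The two dumps and the placeholder convention are constructed assumptions.

```python
# Added example, not the project's own tooling: merges several PAC dumps (the
# key=value format shown on this page) into pac-j2ee.properties entries and
# applies the RID-to-group-name correction described in the text.
# The placeholder value "RID.<rid>@<DOMAIN>" for not-yet-named groups and the
# two user dumps below are constructed assumptions.
from typing import Dict, List

DUMP_USER_TEST = """\
primaryGroupRid=513
logonDomain=TEST
userName=test
useridRid=1108
objectSids=[S-15-72fbe2e6-814c1995-c64f68b9-45d, S-15-72fbe2e6-814c1995-c64f68b9-201]
logonDomainSid=S-15-72fbe2e6-814c1995-c64f68b9
"""

DUMP_USER_ALICE = """\
primaryGroupRid=513
logonDomain=TEST
userName=alice
useridRid=1109
objectSids=[S-15-72fbe2e6-814c1995-c64f68b9-461, S-15-72fbe2e6-814c1995-c64f68b9-201]
logonDomainSid=S-15-72fbe2e6-814c1995-c64f68b9
"""


def parse_dump(text: str) -> dict:
    """Turn the key=value dump into a dict; objectSids becomes a list of SIDs."""
    info: dict = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        key, value = key.strip(), value.strip()
        if key == "objectSids":
            inner = value.strip("[]")
            info[key] = [s.strip() for s in inner.split(",") if s.strip()]
        else:
            info[key] = value
    return info


def placeholder_role(sid: str, domain_sid: str, domain: str) -> str:
    """Role name to write before an administrator substitutes the real group
    name: RID.<rid>@<DOMAIN> for logon-domain groups, the bare SID for groups
    from other domains (whose RID would be ambiguous)."""
    if sid.lower().startswith(domain_sid.lower() + "-"):
        return f"RID.{sid[len(domain_sid) + 1:]}@{domain}"
    return sid


def merge_dumps(dumps: List[str]) -> Dict[str, str]:
    """One objectSid.<SID>=<role> entry per distinct group across all users;
    a group seen for several users is emitted once, in first-seen order."""
    entries: Dict[str, str] = {}
    for text in dumps:
        info = parse_dump(text)
        for sid in info.get("objectSids", []):
            key = f"objectSid.{sid}"
            if key not in entries:
                entries[key] = placeholder_role(sid, info["logonDomainSid"], info["logonDomain"])
    return entries


def rename_role(entries: Dict[str, str], old: str, new: str) -> Dict[str, str]:
    """Replace one placeholder role with the real group name, leaving every
    other entry untouched."""
    return {k: (new if v == old else v) for k, v in entries.items()}


def render_properties(entries: Dict[str, str]) -> str:
    """Serialise the entries in the properties-file form the mapping file uses."""
    return "".join(f"{k}={v}\n" for k, v in entries.items())


if __name__ == "__main__":
    merged = merge_dumps([DUMP_USER_TEST, DUMP_USER_ALICE])
    merged = rename_role(merged, "RID.45d@TEST", "spnegousers@TEST")
    print(render_properties(merged), end="")
```

Groups that only some users belong to (45d for test, 461 for alice) each appear once in the merged output, and the shared primary group 201 is not duplicated; entries still carrying a RID.* placeholder are the ones that remain to be looked up in the directory.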
Testing
Note that the user is a member of the spnegousers@TEST group. This is only
possible when using the SPNEGOAuthenticator plugin.
When using the Servlet Filter, the method isUserInRole() will always return false,
since the user never logs in to the Tomcat security manager.
Conclusion
He designed and developed the initial version of OpenSign and OpenLogon, a set
of applets that support digital signatures using X.509 certificates over the
XMLDSIG standard. The result was donated to the open source OpenOCES project.
All software parts of the SPNEGO/Kerberos product are copyright IT Practice A/S
or their respective parties.
When using the SPNEGOJNDIRealm for Tomcat, the following notice must be
included, according to the license terms: "This product includes software
developed by the Apache Software Foundation (http://www.apache.org/)".
Copyright (c) 1999-2002 The Apache Software Foundation. All rights reserved.