Presentation is loading. Please wait.

Presentation is loading. Please wait.

JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer.

Similar presentations

Presentation on theme: "JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer."— Presentation transcript:

1 JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer

2 Our Environment 3 Campuses / 2 Environments Tomcat 6.0.20 uPortal 3.1.1 Active Directory Kerberos authentication via JAAS

3 Why Active Directory? AD offers authentication and group management Many campus services use it for authentication Kerberos implementation is widely used

4 Why JAAS? Already part of Java Kerberos implementation is solid Works with our AD/Kerberos uPortal has some JAAS support

5 EWS / uPortal Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange. We were tasked with building a portlet to retrieve a summary of Email and Calendar items. Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

6 Parameters Utilize existing infrastructure. Secure and easily managed Authentication.

7 #1 Utilize Existing Infrastructure Both EWS and our uPortal instance authenticates against the AD. EWS has a SOAP interface, Java supports SOAP web services via JAX-WS. Some work was already started via imap2exchange. – Helped w/ JAX-WS bindings – Utilizes BASIC authentication

8 #2 Secure, Easily Managed AuthN BASIC authN Admin user on Exchange server Secret keys between the portal and EWS server Kerberos tickets?

9 Kerberos Tickets and SPNego! Krb tickets are generated by Active Directory Opaque and unique SPNego (Simple and Protected GSSAPI NEGOtiation mechanism) – Krb over HTTP – Built in to EWS DNA – Supported by all major browsers

10 uPortal and SPNego via JAAS/GSSAPI OOB JAASSecurityContext – allows authN via JAAS – does not hold on to the Kerberos ticket Thanks to uPortal being open source – saw why it wasnt – more importantly, showed what had to happen to make it hold on to it Implemented our own JAASSecurityContext

11 uPortal and SPNego via JAAS/GSSAPI Portlets need to be able to access this attribute – use the portlet API (PortletRequest.getAttribute) – developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal! Now, IPerson attributes are available to portlets without needing any additional API.

12 Using the Kerberos Ticket Still faced a couple of challenges – Generate a SPNego token – put it on the HTTP header of the SOAP request the right way

13 Enter JAASmine JAASmine was built out of frustration – there are FEW good resources on GSSAPI/SPNego usage in Java – API is under-documented and tutorials are too basic – JAASmine takes what we learned and makes it easy

14 JAASmine Lightweight wrapper for JAAS/GSSAPI Client code for web services that want to authenticate using SPNego tokens Server code for handling verification and validation of SPNego tokens

15 Success!

16 JAASmine and EWS authN From our portlet, we could get the kerberos ticket Pass it to the JAASmine client to generate SPNego Next, put it on the header of the HTTP SOAP request ( WWW-Authenticate )

17 Beyond uPortal JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services) set up is low impact – configure JAAS – configure Kerberos – configure a servlet filter

18 Beyond uPortal More web services Kerberos/Browser to server? Its possible (and ideal)…

19 References SPNego - GSSAPI - JAASmine - imap2exchange -

20 Thank You! Tim Carroll Andy Gherna

Download ppt "JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer."

Similar presentations

Ads by Google