JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer
Our Environment 3 Campuses / 2 Environments Tomcat uPortal Active Directory Kerberos authentication via JAAS
Why Active Directory? AD offers authentication and group management Many campus services use it for authentication Kerberos implementation is widely used
Why JAAS? Already part of Java Kerberos implementation is solid Works with our AD/Kerberos uPortal has some JAAS support
EWS / uPortal Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange. We were tasked with building a portlet to retrieve a summary of and Calendar items. Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.
Parameters Utilize existing infrastructure. Secure and easily managed Authentication.
#1 Utilize Existing Infrastructure Both EWS and our uPortal instance authenticate against the AD. EWS has a SOAP interface, Java supports SOAP web services via JAX-WS. Some work was already started via imap2exchange. – Helped w/ JAX-WS bindings – Utilizes BASIC authentication
#2 Secure, Easily Managed AuthN BASIC authN Admin user on Exchange server Secret keys between the portal and EWS server Kerberos tickets?
Kerberos Tickets and SPNego! Krb tickets are generated by Active Directory Opaque and unique SPNego (Simple and Protected GSSAPI NEGOtiation mechanism) – Krb over HTTP – Built in to EWS DNA – Supported by all major browsers
uPortal and SPNego via JAAS/GSSAPI OOB JAASSecurityContext – allows authN via JAAS – does not hold on to the Kerberos ticket Thanks to uPortal being open source – saw why it wasn't – more importantly, showed what had to happen to make it hold on to it Implemented our own JAASSecurityContext
uPortal and SPNego via JAAS/GSSAPI Portlets need to be able to access this attribute – use the portlet API (PortletRequest.getAttribute) – developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal! Now, IPerson attributes are available to portlets without needing any additional API.
Using the Kerberos Ticket Still faced a couple of challenges – Generate a SPNego token – put it on the HTTP header of the SOAP request the right way
Enter JAASmine JAASmine was built out of frustration – there are FEW good resources on GSSAPI/SPNego usage in Java – API is under-documented and tutorials are too basic – JAASmine takes what we learned and makes it easy
JAASmine Lightweight wrapper for JAAS/GSSAPI Client code for web services that want to authenticate using SPNego tokens Server code for handling verification and validation of SPNego tokens
JAASmine and EWS authN From our portlet, we could get the kerberos ticket Pass it to the JAASmine client to generate SPNego Next, put it on the header of the HTTP SOAP request ( WWW-Authenticate )
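The two client-side steps on the "Using the Kerberos Ticket" and "JAASmine and EWS authN" slides (generate a SPNego token, put it on the SOAP request header) can be done with the plain JDK GSS-API; the following is an added example, not JAASmine's or uPortal's code. It assumes a JAAS login entry named PortalClient, a request attribute name (portal.kerberos.subject) under which the custom JAASSecurityContext exposes the user's Subject, and the service principal HTTP@exchange.example.edu for the Exchange host. Per RFC 4559 the client sends the token in the Authorization: Negotiate request header; WWW-Authenticate: Negotiate is the server's challenge and mutual-auth reply. The Subject must hold a credential that can obtain a service ticket for the Exchange host (a TGT, or a delegated GSSCredential); a bare service ticket for the portal's own SPN is not sufficient.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.portlet.PortletRequest;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Turns a JAAS Subject holding Kerberos credentials into a SPNEGO token and attaches it
 * to a JAX-WS port as the "Authorization: Negotiate <base64>" request header (RFC 4559).
 *
 * Assumed JAAS configuration, passed with -Djava.security.auth.login.config=<file>:
 *
 *   PortalClient {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true
 *           doNotPrompt=true;
 *   };
 */
public class SpnegoClientExample {

    /** Mechanism OID for SPNEGO (RFC 4178). */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Request attribute under which the portal exposes the user's Subject (name is an assumption). */
    public static final String SUBJECT_ATTRIBUTE = "portal.kerberos.subject";

    /**
     * Produces the initial SPNEGO token for servicePrincipal in host-based form
     * (e.g. "HTTP@exchange.example.edu"). Runs inside Subject.doAs so the Kerberos
     * mechanism finds the TGT or delegated credential among the Subject's private credentials.
     */
    public static String createNegotiateToken(Subject subject, final String servicePrincipal)
            throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                GSSName server = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext context = manager.createContext(server, new Oid(SPNEGO_OID),
                        null, GSSContext.DEFAULT_LIFETIME);
                context.requestMutualAuth(true);   // lets the client verify the server's reply token
                context.requestCredDeleg(false);   // do not forward the user's TGT to the EWS host
                // One initSecContext call yields the complete client token for the usual
                // single-round-trip exchange; the server's reply token would finish mutual auth.
                byte[] token = context.initSecContext(new byte[0], 0, 0);
                return Base64.getEncoder().encodeToString(token);
            }
        });
    }

    /** Convenience for a portlet: read the Subject the portal stored on the request. */
    public static String createNegotiateToken(PortletRequest request, String servicePrincipal)
            throws Exception {
        Subject subject = (Subject) request.getAttribute(SUBJECT_ATTRIBUTE);
        if (subject == null) {
            throw new IllegalStateException("no Kerberos Subject on the portlet request");
        }
        return createNegotiateToken(subject, servicePrincipal);
    }

    /** Sets the Negotiate header on every SOAP request the JAX-WS port sends. */
    public static void attachToPort(Object port, String negotiateToken) {
        Map<String, List<String>> headers = new HashMap<String, List<String>>();
        headers.put("Authorization", Collections.singletonList("Negotiate " + negotiateToken));
        ((BindingProvider) port).getRequestContext()
                .put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }

    /** Stand-alone use outside the portal: log in via JAAS and build a token. */
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("PortalClient");
        lc.login();
        String token = createNegotiateToken(lc.getSubject(), "HTTP@exchange.example.edu");
        System.out.println("Negotiate token (" + token.length() + " base64 chars) ready");
        // attachToPort(exchangePort, token);  // exchangePort: JAX-WS stub generated from the EWS WSDL
    }
}
```

The token is bound to one target SPN and is short-lived, so it should be generated per call rather than cached; requestCredDeleg(false) keeps the portal from handing the user's TGT to a downstream service that has no business holding it.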
Beyond uPortal JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services) set up is low impact – configure JAAS – configure Kerberos – configure a servlet filter
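The server side described on the "JAASmine" and "Beyond uPortal" slides (verify and validate an inbound SPNego token from a servlet filter, with JAAS and Kerberos configured for the service account) looks roughly like the following added example; it is not JAASmine's code. It assumes a JAAS login entry named ServiceAcceptor backed by a keytab, the service principal HTTP/portal.example.edu@EXAMPLE.EDU, and a request attribute name (spnego.principal) for handing the verified identity to the application.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

/**
 * Validates an inbound "Authorization: Negotiate" SPNEGO token against the service's own
 * Kerberos key and exposes the client principal as a request attribute; anything without a
 * valid token receives 401 + "WWW-Authenticate: Negotiate".
 *
 * Assumed JAAS configuration for the service account (keytab, acceptor only):
 *   ServiceAcceptor {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true storeKey=true doNotPrompt=true isInitiator=false
 *           keyTab="/etc/krb5.keytab" principal="HTTP/portal.example.edu@EXAMPLE.EDU";
 *   };
 */
public class SpnegoAcceptFilter implements Filter {

    /** Request attribute carrying the verified principal name (name is an assumption). */
    public static final String PRINCIPAL_ATTRIBUTE = "spnego.principal";
    private static final String NEGOTIATE = "Negotiate ";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    private Subject serviceSubject;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            LoginContext lc = new LoginContext("ServiceAcceptor");
            lc.login();                      // loads the service key from the keytab
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String authz = request.getHeader("Authorization");
        if (authz == null || !authz.startsWith(NEGOTIATE)) {
            challenge(response);             // first leg: tell the client we accept Negotiate
            return;
        }
        byte[] inToken;
        try {
            inToken = Base64.getDecoder().decode(authz.substring(NEGOTIATE.length()).trim());
        } catch (IllegalArgumentException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed Negotiate token");
            return;
        }
        String principal = acceptToken(inToken, response);
        if (principal == null) {
            challenge(response);             // invalid, expired, replayed or incomplete token
            return;
        }
        request.setAttribute(PRINCIPAL_ATTRIBUTE, principal);
        chain.doFilter(request, response);
    }

    /** Runs acceptSecContext as the service; returns the client principal, or null if not established. */
    private String acceptToken(final byte[] inToken, final HttpServletResponse response) {
        try {
            return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws GSSException {
                    GSSManager manager = GSSManager.getInstance();
                    GSSCredential serviceCred = manager.createCredential(null,
                            GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID),
                            GSSCredential.ACCEPT_ONLY);
                    GSSContext context = manager.createContext(serviceCred);
                    byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
                    if (outToken != null && outToken.length > 0) {
                        // Mutual-auth reply token so the client can verify it reached the real service.
                        response.setHeader("WWW-Authenticate",
                                NEGOTIATE + Base64.getEncoder().encodeToString(outToken));
                    }
                    if (!context.isEstablished()) {
                        return null;         // would need another round trip; not authenticated yet
                    }
                    String name = context.getSrcName().toString();
                    context.dispose();
                    return name;
                }
            });
        } catch (PrivilegedActionException e) {
            return null;                     // GSSException: bad ticket, clock skew, wrong SPN, replay
        }
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override public void destroy() { serviceSubject = null; }
}
```

The GSS-API acceptor does the cryptographic checks (ticket decrypts under the keytab key, authenticator timestamp within skew, replay cache); the filter's job is to refuse anything that does not reach isEstablished(), to log those failures, and to hand only the verified principal name downstream. For a browser client, establishing a session after the first successful exchange avoids a fresh Kerberos round trip on every request.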
Beyond uPortal More web services Kerberos/Browser to server? It's possible (and ideal)…