JAAS AuthN Tokens in uPortal and Beyond, or “The JAAS Singer”

Our Environment
• 3 Campuses / 2 Environments
• Tomcat 6.0.20
• uPortal 3.1.1
• Active Directory Kerberos authentication via JAAS

Why Active Directory?
• AD offers authentication and group management
• Many campus services use it for authentication
• Kerberos implementation is widely used

Why JAAS?
• Already part of Java
• Kerberos implementation is solid
• Works with our AD/Kerberos
• uPortal has some JAAS support

EWS / uPortal
• Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange.
• We were tasked with building a portlet to retrieve a summary of Email and Calendar items.
• Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

Parameters
• Utilize existing infrastructure.
• Secure and easily managed Authentication.

#1 Utilize Existing Infrastructure
• Both EWS and our uPortal instance authenticate against the AD.
• EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
• Some work was already started via imap2exchange.
  – Helped w/ JAX-WS bindings
  – Utilizes BASIC authentication

#2 Secure, Easily Managed AuthN
• BASIC authN
• Admin user on Exchange server
• Secret keys between the portal and EWS server
• Kerberos tickets?

Kerberos Tickets and SPNego!
• Krb tickets are generated by Active Directory
• Opaque and unique
• SPNego (Simple and Protected GSSAPI NEGOtiation mechanism)
  – Krb over HTTP
  – Built in to EWS’ DNA
  – Supported by all major browsers

uPortal and SPNego via JAAS/GSSAPI
• OOB JAASSecurityContext
  – allows authN via JAAS
  – does not hold on to the Kerberos ticket
• Thanks to uPortal being open source
  – saw why it wasn’t
  – more importantly, showed what had to happen to make it hold on to it
• Implemented our own JAASSecurityContext

uPortal and SPNego via JAAS/GSSAPI
• Portlets need to be able to access this attribute
  – use the portlet API (PortletRequest.getAttribute)
  – developed our own RequestAttributeService and used the portlet container Spring context file to inject it into uPortal!
• Now, IPerson attributes are available to portlets without needing any additional API.

Using the Kerberos Ticket
• Still faced a couple of challenges
  – Generate a SPNego token
  – Put it on the HTTP header of the SOAP request the right way

Enter JAASmine
• JAASmine was built out of frustration
  – there are FEW good resources on GSSAPI/SPNego usage in Java
  – API is under-documented and tutorials are too basic
  – JAASmine takes what we learned and makes it easy

JAASmine
• Lightweight “wrapper” for JAAS/GSSAPI
• Client code for web services that want to authenticate using SPNego tokens
• Server code for handling verification and validation of SPNego tokens

Success! JAASmine and EWS authN
• From our portlet, we could get the Kerberos ticket
• Pass it to the JAASmine client to generate SPNego
• Next, put it on the header of the HTTP SOAP request (WWW-Authenticate)

Beyond uPortal
• JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services)
• Set up is low impact
  – configure JAAS
  – configure Kerberos
  – configure a servlet filter

Beyond uPortal
• More web services
• Kerberos/Browser to server?
It’s possible (and ideal)…

References
• SPNego - http://goo.gl/ECVHs
• GSSAPI - http://goo.gl/XPLJF
• JAASmine - http://goo.gl/DM2GD
• imap2exchange - http://goo.gl/IkAZL

Thank You!
• Tim Carroll
• Andy Gherna
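The two halves the deck describes (the “Success! JAASmine and EWS authN” client steps and the “Beyond uPortal” servlet-filter acceptor) reduce to a few plain-JDK JAAS/GSS-API calls. The following is an added example written for this page; it is not JAASmine’s code and not the authors’ portlet. The JAAS entry names (EwsClient, EwsServer), the keytab path, the service principal HTTP@ews.example.edu and the realm are all assumed placeholders. One detail worth getting right when putting the token “on the header the right way”: the client sends it in the request header Authorization: Negotiate <base64 token>; WWW-Authenticate: Negotiate is the server’s 401 challenge header (RFC 4559).

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Assumed jaas.conf (entry names, keytab path and principal are placeholders):
 *
 *   EwsClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
 *   EwsServer { com.sun.security.auth.module.Krb5LoginModule required
 *               useKeyTab=true storeKey=true isInitiator=false
 *               keyTab="/etc/http.keytab" principal="HTTP/portal.example.edu@EXAMPLE.EDU"; };
 *
 * Run with -Djava.security.auth.login.config=jaas.conf and a reachable KDC.
 */
public final class SpnegoExample {

    // SPNEGO pseudo-mechanism OID (RFC 4178). Kerberos v5 itself is 1.2.840.113554.1.2.2.
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }

    /** Log in through the named JAAS entry and keep the Subject, which carries the Kerberos ticket. */
    public static Subject login(String jaasEntry) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry);   // no CallbackHandler: ticket cache or keytab
        lc.login();
        return lc.getSubject();
    }

    /**
     * Client side: wrap the user's TGT-derived service ticket in a SPNEGO token for the
     * target service, e.g. "HTTP@ews.example.edu" (host-based service name form).
     * Returns the complete Authorization header value.
     */
    public static String negotiateHeader(Subject user, String servicePrincipal) throws Exception {
        byte[] token = Subject.doAs(user, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName target = gm.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(target, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
            try {
                // First (and for plain HTTP auth, only) leg of the handshake: the initial token.
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /** Attach the header to a JAX-WS port so the SOAP call carries it. */
    public static void attach(Object jaxwsPort, String authorizationValue) {
        Map<String, List<String>> headers =
            Collections.singletonMap("Authorization", Collections.singletonList(authorizationValue));
        ((BindingProvider) jaxwsPort).getRequestContext()
            .put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }

    /**
     * Server side (what a servlet filter would call): validate an incoming Authorization
     * header with the service's keytab credentials. Returns the authenticated principal
     * ("user@REALM") or null when the header is absent, malformed or not accepted.
     */
    public static String acceptToken(Subject service, String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            return null;                                  // caller should answer 401 + WWW-Authenticate: Negotiate
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorizationHeader.substring("Negotiate ".length()));
        } catch (IllegalArgumentException bad) {
            return null;                                  // not base64: treat as unauthenticated
        }
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    return null;                          // multi-leg negotiation not finished; not handled here
                }
                return ctx.getSrcName().toString();
            } catch (GSSException rejected) {
                return null;                              // bad ticket, wrong SPN, clock skew, replay, ...
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

Typical use on the portlet side is `attach(port, negotiateHeader(userSubject, "HTTP@ews.example.edu"))` where `userSubject` is the Subject the custom JAASSecurityContext retained at portal login; on the Kuali Rice side a filter calls `acceptToken(login("EwsServer"), request.getHeader("Authorization"))` once per request and sets the principal on its own session. Two caveats the deck’s “hold on to the ticket” point implies: the Subject must be the one produced at login (a fresh LoginContext without a ticket cache has nothing to initiate with), and `isInitiator=false` on the server entry keeps the keytab principal from ever requesting a TGT, which is the least-privilege shape for an acceptor.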