Java tips and tricks from a lady trying to play with the boys...

Friday, March 28, 2008

Setting up Acegi, CAS, Kerberos/SPNEGO and Websphere 6.1 Part ONE

This article assumes a basic understanding of the Acegi Security System for Spring, the Central Authentication Service (CAS), Kerberos/SPNEGO and Websphere Application Server 6.1. Acegi was used for authorization of users and for controlling access to protected pages; CAS was used for authentication of users through a transparent, non-interactive login based on Kerberos and SPNEGO.

For more information on any of these products, please see:

Websphere Application Server does come with a Single Sign-on package, but it was decided not to use this for several reasons:

    1. While WAS itself handles the Kerberos/SPNEGO negotiation and some Websphere setup is still required, a full Websphere implementation would have required more use of proprietary IBM code than was necessary.
    2. CAS handles the authentication requests and can be set up with very few code changes. In addition, Acegi contains plugins for CAS, and it was relatively easy to get the two to work together (adding Websphere into the mix was the true difficulty).
    3. Developers will be using an Eclipse/Tomcat combination for development, and therefore will not be able to use proprietary Websphere code.
    4. Documentation for Websphere’s proprietary code was lacking.

This project was to replace a jCifs/Acegi security implementation, so the Acegi part of the application was already written and did not require a great deal of configuration. This document is meant to explain the steps that were taken to set up the infrastructure.

Step One: Install CAS – Tomcat

CAS Server 3.1.1 was used and installed on Tomcat. CAS can be downloaded from the CAS Download Page. The basic setup was used, which lets users authenticate on the login page as long as the username matches the password that was entered. This is the default test authentication handler that ships with CAS; it is only meant for verifying the installation and must be replaced with a real authentication handler before the server is exposed to anyone.

Gotchas:

  • SSL had to be enabled on Tomcat, since the CAS login form, the service tickets and the ticket validation calls all travel over it. There are many guides for how to do this (including some written by CAS users), but by far the best and easiest to follow was the SSL How-To located on Apache's website.

Step Two: Integrate Acegi with CAS on Tomcat

Step-by-step documentation for installing Acegi in your application and using it with CAS can be found in the Acegi help guide. There are instructions for both CAS version 2 and CAS version 3, but if Kerberos / SPNEGO is going to be used, it is best to go with CAS version 3. The easiest starting point is the contacts-cas.war sample. It ships with older versions of Acegi but is no longer included in the current release. At this point you should be able to log into CAS with a username that matches the password, provided the same username also appears in the userid=password list of the InMemoryDaoImpl from the help guide: CAS only asserts the username, and Acegi then looks that user up in InMemoryDaoImpl to assign roles, so a user CAS accepts but Acegi does not know is still rejected.

Gotchas:

  • Not being very familiar with Spring, I had difficulty getting the application to start after my initial setup. My application-context was set up improperly, causing the startup to fail. Check your application-context carefully before deployment.
  • SSL MUST be used at this point, on both the CAS server and the application. The Acegi ticket validator calls the CAS server over HTTPS to validate each service ticket, so the CAS server's certificate must also be trusted by the JVM running the application (either in that JVM's cacerts or in a trust store configured on the validator); otherwise validation fails with an SSL handshake error even though the browser login looked fine.
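For readers who cannot find contacts-cas.war, the following is an added illustration of the Acegi-side bean wiring for CAS 3 (it is not the original post's configuration and not the sample itself). It is modeled on the CAS chapter of the Acegi 1.0.x reference guide; the host names, the "contacts" context path, the user list and the provider key are assumed values, and property names should be checked against the reference guide for the Acegi version actually in use. Filter chain and ExceptionTranslationFilter wiring are as in the guide and omitted here.

```xml
<!-- Assumed example: Acegi beans for browser SSO against CAS 3 (Acegi 1.0.x style). -->

<!-- Receives the service ticket back from CAS at /j_acegi_cas_security_check
     and hands it to the AuthenticationManager. -->
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
  <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>

<!-- "service" is the URL CAS issues tickets for. It must be the HTTPS URL the
     browser really uses, or ticket validation will fail. -->
<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
  <property name="service"><value>https://app.example.com:8443/contacts/j_acegi_cas_security_check</value></property>
  <property name="sendRenew"><value>false</value></property>
</bean>

<!-- Unauthenticated requests are redirected to the CAS login page. -->
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl"><value>https://cas.example.com:8443/cas/login</value></property>
  <property name="serviceProperties"><ref bean="serviceProperties"/></property>
</bean>

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list><ref bean="casAuthenticationProvider"/></list>
  </property>
</bean>

<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
  <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
  <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
  <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>
  <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>
  <!-- Lets the provider recognise tokens it created itself; make it unique per deployment. -->
  <property name="key"><value>change-me-per-deployment</value></property>
</bean>

<!-- Validates the service ticket by calling the CAS server over HTTPS. If the CAS
     certificate is not in the JVM's default cacerts, point trustStore at a
     keystore that contains it; otherwise validation fails with an SSL error. -->
<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
  <property name="casValidate"><value>https://cas.example.com:8443/cas/proxyValidate</value></property>
  <property name="serviceProperties"><ref bean="serviceProperties"/></property>
  <!-- <property name="trustStore"><value>/path/to/truststore.jks</value></property> -->
</bean>

<!-- Browser SSO only: proxy tickets are refused. -->
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
  <property name="cacheManager"><ref bean="cacheManager"/></property>
  <property name="cacheName"><value>ticketCache</value></property>
</bean>
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
  <property name="cache"><ref bean="ticketCacheBackend"/></property>
</bean>

<!-- CAS only asserts the username; roles come from the local user store, so a
     user that CAS accepts but that is missing here is still rejected by Acegi. -->
<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
</bean>

<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      marissa=koala,ROLE_USER,ROLE_SUPERVISOR
      dianne=emu,ROLE_USER
    </value>
  </property>
</bean>
```

With this wiring the password in userMap is never checked (CAS did the authentication); only the username and the roles after it matter. Once Kerberos/SPNEGO is in front of CAS in Part Two, the login page is never shown to a domain user, but the HTTPS requirement and the trust store note still apply because the ticket validation call does not change.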

Step Three: Setup Kerberos / SPNEGO on Websphere 6.1

The best documentation for setting up Kerberos/SPNEGO on Websphere can be found in the Techdoc by IBM: Websphere with SPNEGO: Configuring SPNEGO in Websphere Environments. Following the instructions in this document will completely set up the security that is necessary on the Websphere side. At this point, if you are brave enough to integrate Acegi directly with WAS, you can do so.

Gotchas:

  • The way the document is worded and set up, following it will turn on Java 2 security in Websphere. If this is desired, great. If not, many applications may fail to run, because Java 2 security restricts what application code may do with local resources (file system, sockets, system properties and so on). There are two options here: 1) Add .policy entries granting each application the permissions it actually needs (you can do this using the was.policy found in ${WAS_HOME}/profiles/default/properties or in the java.policy file found at ${WAS_HOME}/java/jre/lib/security). 2) Uncheck the checkbox labeled “Use Java 2 security to restrict application access to local resources” found in the admin console under Security -> Secure administration, applications, and infrastructure. This is the easiest way and is only recommended if this type of security is not a concern. Of course, it will allow your applications to run wild, accessing all kinds of resources and wreaking havoc all over the place. If you are interested instead in editing policy files, documentation is hard to find, but some can be found on Sun’s website.
  • The client’s browser requires setup in order to send the Kerberos token in the Authorization header; without it the browser either sends no token at all or falls back to NTLM, and the SPNEGO login fails with nothing obvious in the browser. Information for doing this can be found in the Techdoc listed above, but can also be found elsewhere on the web.
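The browser-side gotcha above is the one that is hardest to see from the server, because a browser that is not configured for the site usually falls back to NTLM rather than failing loudly. The following is an added check (not code from the original post, IBM, CAS or Acegi) that parses an `Authorization` header value captured from a request (from an HTTP trace or a servlet filter's log) just far enough to tell whether the client offered Kerberos, NTLM inside SPNEGO, or a bare NTLM message. The sample header values at the bottom are constructed inside the script; the Kerberos AP-REQ bytes in them are placeholders, since the check only inspects the outer GSS/SPNEGO framing.

```python
# Added example (not from the original post, IBM, CAS or Acegi): classify the
# token a browser put in an HTTP Authorization header. When SPNEGO is enabled
# but the browser is not set up for it (host not in the Intranet zone, no SPN
# registered, no Kerberos TGT), most browsers silently fall back to NTLM.
import base64

# DER-encoded OID contents (without the 0x06 tag and length byte).
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "ms-kerberos", NTLMSSP_OID: "ntlmssp"}


def _read_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:                            # indefinite or absurd length
        raise ValueError("bad DER length at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _expect(buf, pos, tag):
    """Require DER tag at buf[pos]; return (content length, offset of content)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    return _read_len(buf, pos + 1)


def classify_authorization(header_value):
    """Return {'scheme', 'mechanism', 'mech_types'} for one Authorization header value.
    mechanism: kerberos (bare GSS Kerberos token), spnego-kerberos, spnego-ntlm,
    ntlm-raw (NTLMSSP without a GSS wrapper), none (empty token) or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "unknown", "mech_types": []}
    if scheme not in ("Negotiate", "NTLM"):
        return result
    if not b64.strip():
        result["mechanism"] = "none"
        return result
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            result["mechanism"] = "ntlm-raw"
            return result
        _, pos = _expect(token, 0, 0x60)            # GSS-API InitialContextToken
        oid_len, pos = _expect(token, pos, 0x06)    # thisMech OID
        mech_oid, pos = token[pos:pos + oid_len], pos + oid_len
        if mech_oid in (KRB5_OID, MS_KRB5_OID):
            result["mechanism"] = "kerberos"
            return result
        if mech_oid != SPNEGO_OID:
            return result
        _, pos = _expect(token, pos, 0xA0)          # [0] NegTokenInit
        _, pos = _expect(token, pos, 0x30)          # SEQUENCE
        _, pos = _expect(token, pos, 0xA0)          # [0] mechTypes
        seq_len, pos = _expect(token, pos, 0x30)    # SEQUENCE OF MechType
        end = pos + seq_len
        while pos < end:
            oid_len, pos = _expect(token, pos, 0x06)
            oid, pos = token[pos:pos + oid_len], pos + oid_len
            result["mech_types"].append(OID_NAMES.get(oid, oid.hex()))
    except (ValueError, IndexError):                # malformed base64 or DER
        return result
    # RFC 4178: the first mechType is the initiator's preferred mechanism and the
    # optimistic mechToken, if present, belongs to it.
    first = result["mech_types"][0] if result["mech_types"] else None
    if first in ("kerberos", "ms-kerberos"):
        result["mechanism"] = "spnego-kerberos"
    elif first == "ntlmssp":
        result["mechanism"] = "spnego-ntlm"
    return result


# ---- constructed sample headers (not captured from any real client) ----------
def _tlv(tag, body):
    """Minimal DER TLV encoder: short form and 1- or 2-byte long-form lengths."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def build_negtokeninit(mech_oids, mech_token=b""):
    """Build a SPNEGO NegTokenInit wrapped in a GSS InitialContextToken."""
    inner = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids)))
    if mech_token:
        inner += _tlv(0xA2, _tlv(0x04, mech_token))  # [2] mechToken OCTET STRING
    return _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, inner)))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

FAKE_AP_REQ = b"\x6e" + b"\x00" * 300              # placeholder, not a real AP-REQ
SAMPLE_HEADERS = {
    "kerberos_via_spnego": "Negotiate " + _b64(build_negtokeninit([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)),
    "ntlm_via_spnego": "Negotiate " + _b64(build_negtokeninit([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")),
    "ntlm_raw": "NTLM " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "raw_kerberos": "Negotiate " + _b64(_tlv(0x60, _tlv(0x06, KRB5_OID) + b"\x01\x00" + FAKE_AP_REQ)),
    "basic": "Basic dXNlcjpwYXNz",
    "challenge_only": "Negotiate",
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print("%-20s %s" % (name, classify_authorization(value)))
```

Run it directly to see the six constructed samples classified, or pass a real header value to `classify_authorization` as-is. A result of `spnego-ntlm` or `ntlm-raw` from a domain-joined client usually points at the browser's Intranet zone or trusted-URI setting, or at a missing SPN for the host name the browser is using, rather than at the Websphere configuration itself.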
to be continued... Continue to Part Two
