Java tips and tricks from a lady trying to play with the boys...

Friday, March 28, 2008

Setting up Acegi, CAS, Kerberos/SPNEGO and Websphere 6.1 Part ONE

This article assumes a basic understanding of Acegi Security System for Spring, Central Authentication Service (CAS), Kerberos/SPNEGO and Websphere Application Server 6.1. Acegi was used for the authorization of users and access to protected pages, and CAS was used for authorization of users via a transparent, non-interactive login backed by Kerberos and SPNEGO.

For more information on any of these products, please see:

Websphere Application Server does come with a Single Sign-on package, but it was decided not to use this for several reasons:

    1. While WAS will use Kerberos and some Websphere setup is required, a full Websphere implementation would have required more use of proprietary IBM code than was necessary.
    2. CAS will handle requests and allow set up with very few code changes. In addition, Acegi contains plugins for CAS, and it was relatively easy to get the two to work together (adding Websphere into the mix was the true difficulty).
    3. Developers will be using an Eclipse/Tomcat combination for development, and therefore will not be able to use proprietary Websphere code.
    4. Documentation for Websphere’s proprietary code was lacking.

This project was to replace a jCifs/Acegi security implementation, so the Acegi part of the application was already written and did not require a great deal of configuration. This document is meant to explain the steps that were taken to set up the infrastructure.

Step One: Install CAS – Tomcat

CAS Server 3.1.1 was used and installed on Tomcat. CAS can be downloaded from the CAS Download Page. The basic setup was used, which allowed users on Tomcat to authenticate on the login page as long as the username matched the password that was entered.

Gotchas:

  • SSL had to be enabled on Tomcat. There are many guides for how to do this (including some guides created by CAS users), but by far the best and most easy to follow was the SSL How-To Located on Apache’s Website.

Step Two: Integrate Acegi with CAS on Tomcat

Step-by-step documentation for how to install Acegi in your app and use it with CAS can be found in the Acegi help guide. There are instructions for setting up Acegi with CAS using both CAS version 2 and CAS Version 3, but if Kerberos / SPNEGO is going to be used, it is best to go with CAS Version 3. The easiest setup is to use contacts-cas.war as an example. This can be found in older versions of Acegi, but cannot be found in the current version of Acegi. At this point, you should be able to log into CAS using the userid=password list that was standard in the InMemoryDaoImpl found in the help guide.

Gotchas:

  • Not being very familiar with Spring, I had difficulty getting the application to start after my initial setup. My application-context was setup improperly, causing the startup to fail. Check your application-context carefully before deployment.
  • SSL MUST be used at this point.
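The Acegi side of the CAS wiring that Step Two describes, shown here as an added illustration rather than the page's own or the contacts-cas sample's application-context: hostnames, paths and users are constructed placeholders, and the bean classes and property names follow the Acegi 1.0.x CAS reference, so verify them against the Acegi version you actually deploy.

```xml
<beans>
  <!-- Constructed hosts: cas.example.com runs CAS 3.1.1, app.example.com runs this web app; both over SSL. -->
  <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
    <property name="service" value="https://app.example.com:8443/myapp/j_acegi_cas_security_check"/>
    <property name="sendRenew" value="false"/>
  </bean>
  <!-- Unauthenticated requests are redirected to the CAS login page, carrying the service URL above. -->
  <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl" value="https://cas.example.com:8443/cas/login"/>
    <property name="serviceProperties" ref="serviceProperties"/>
  </bean>
  <!-- Consumes the ticket parameter CAS appends when it redirects the browser back to the service URL. -->
  <bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_acegi_cas_security_check"/>
  </bean>
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers"><list><ref bean="casAuthenticationProvider"/></list></property>
  </bean>
  <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
    <property name="ticketValidator" ref="casProxyTicketValidator"/>
    <!-- Reject proxy tickets: only a direct login at the CAS server is accepted by this application. -->
    <property name="casProxyDecider"><bean class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/></property>
    <property name="casAuthoritiesPopulator" ref="casAuthoritiesPopulator"/>
    <property name="statelessTicketCache" ref="statelessTicketCache"/>
    <!-- Marks tokens created by this provider; make it unique per deployment and keep it out of source control. -->
    <property name="key" value="CHANGE-ME-unique-per-deployment"/>
  </bean>
  <!-- Validates the ticket server-to-server; the CAS certificate must be in the JVM truststore or the call fails. -->
  <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
    <property name="casValidate" value="https://cas.example.com:8443/cas/proxyValidate"/>
    <property name="serviceProperties" ref="serviceProperties"/>
  </bean>
  <!-- Roles come from a local lookup by the username CAS asserted; the password column is never checked here. -->
  <bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
    <property name="userDetailsService"><bean class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      <property name="userMap"><value>alice=alice,ROLE_USER
admin=admin,ROLE_USER,ROLE_ADMIN</value></property>
    </bean></property>
  </bean>
  <!-- Required by the provider; caches validated tickets for stateless clients that resend the ticket on every request. -->
  <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
  <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
    <property name="cache"><bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager" ref="cacheManager"/><property name="cacheName" value="ticketCache"/>
    </bean></property>
  </bean>
</beans>
```

These beans still have to be placed in the application's filter chain (casProcessingFilter after the session integration filter, and the exception translation filter pointed at casProcessingFilterEntryPoint), which is where a mis-ordered application-context most often fails to start.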

Step Three: Setup Kerberos / SPNEGO on Websphere 6.1

The best documentation for setting up Kerberos/SPNEGO on Websphere can be found in the Techdoc by IBM: Websphere with SPNEGO: Configuring SPNEGO in Websphere Environments. Following the instructions in this document will completely set up the security that is necessary on the Websphere side. At this point, if you are brave enough to integrate Acegi directly with WAS, you can do so.

Gotchas:

  • As worded, the document's instructions will turn on Java 2 security in Websphere. If this is desired, great. If not, many applications may not run. There are two options here: 1) Add .policy files to specify what applications have the rights to do (you can do this using the was.policy found in ${WAS_HOME}/profiles/default/properties or in the java.policy file found at ${WAS_HOME}/java/jre/lib/security). 2) Uncheck the checkbox labeled “Use Java 2 security to restrict application access to local resources” found in the admin console under Security -> Secure administration, applications, and infrastructure. This is the easiest way and is recommended if this type of security is not a concern. Of course, it will allow your applications to run wild, accessing all kinds of resources and wreaking havoc all over the place. If you are interested instead in editing policy files, documentation is hard to find, but some documentation can be found on Sun’s Website.
  • The client’s browser requires setup in order to send the Kerberos token through in the header. Information for doing this can be found in the Techdoc listed above, but can also be found elsewhere on the web.

to be continued... Continue to Part Two

Friday, March 7, 2008

CAS: My newest project...

Central Authentication Service
This is what I'm working on. I used to work with Siteminder, now it's CAS. Interesting stuff...

Friday, November 16, 2007

Help! Windows People...

I'm on a windows server. I have 3 environment variables -

ANT_HOME
JINTEGRA_HOME
Path

Path includes references to ANT_HOME and JINTEGRA_HOME, as well as other variables like JAVA_HOME. When I open a command prompt, all of the paths (including those referencing JAVA_HOME) resolve, but the ANT_HOME and JINTEGRA_HOME variables do not. If I go to the environment variable window, open the Path variable as if I'm going to edit it, but then don't edit it, and close it again and then close and reopen my command prompt, echo %Path% shows the correct path with ANT_HOME and JINTEGRA_HOME resolved.

Know what I mean? Does this make sense? In other words, ANT_HOME and JINTEGRA_HOME are never properly added to my path unless I edit the environment variable before opening a command line. If I don't edit the environment variable first, I get something like:

> echo %Path%
c:\blah\bin;c:\program files\programiinstalled\bin;%ANT_HOME%\bin;%JINTEGRA_HOME%\bin

See?

It really sucks. I've tried googling it. I've tried ripping the path apart, but if you are familiar with windows you know there's a LOT of things in that variable.

This article is exactly what I'm experiencing, except that his solution isn't going to work for me because this is on a server and I just can't have this going on.

Has anyone ever seen this before?

Wednesday, August 15, 2007

Websphere Funny of the Day

From IBM Websphere: Deployment and Advanced Configuration: "If you don't have an understanding of core network commands, be resourceful. Use people skills to get assistance from someone who does, or simply use the popular internet search utilities to gain a better understanding of the topic."

Something cracks me up about a vendor's book recommending that you "use people skills" or simply use Google to solve your problem. Or, maybe I'm just punchy because I've been doing this all day.

Thursday, August 9, 2007

Warning: Java/CVS/CruiseControl/Ant

For those that don't want to spend 3 hours trying to figure this out like I just did...

This proves that the Ant documentation is better than the CVS documentation, CVSNT documentation and the CruiseControl documentation.

If you are setting up CruiseControl on a PC other than the same PC/Server where your CVS repository is located, you need to have CVS.exe in your path. I didn't have CVS.exe on my PC at all, so even though I was successfully connecting to the CVS repository, the CVSLog command wasn't working. What this meant is that CruiseControl was doing the build as usual, but it was NOT getting changes from CVS, since without a CVSLog, it didn't know what was going on on the server. After fiddling with just about everything, I finally tried to set up an Ant task to get the CVSLog and the ANT documentation finally explained that I need CVS.exe in the path to get this command to work. Thank you, Ant team!! Everyone else sucks.

I do love opensource, though.