In today’s rapidly evolving digital landscape, the demand for streamlined user experiences has pushed single sign-on (SSO) to the forefront of both desktop and web-based product development. In this article we will explore the implementation of SSO on the Java platform, specifically in conjunction with an Active Directory server. Considering the widespread adoption of Microsoft Windows as a leading corporate network platform, integrating SSO with your product holds significant value. It is noteworthy that Microsoft has supported the open-standard Kerberos protocol since the release of Windows 2000. This support for an open-standard protocol from Microsoft is a favorable development, offering numerous advantages for our implementation.
Keywords / Jargon
Before delving into the implementation and configuration aspects, it is essential to familiarize ourselves with some common keywords and jargon associated with single-sign-on (SSO) techniques. Understanding these terms will help us navigate the technical aspects of SSO more effectively. Here are some key terms you should be aware of:
Single-Sign-On – http://en.wikipedia.org/wiki/Single_sign-on
Kerberos – http://en.wikipedia.org/wiki/Kerberos_(protocol)
Active Directory – http://en.wikipedia.org/wiki/Active_Directory
SPNEGO – http://en.wikipedia.org/wiki/SPNEGO
JAAS – http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/index.html
How does the Kerberos protocol work
The web server has to handshake with the browser to obtain a Kerberos token. The token can be validated against a keytab file (http://kb.iu.edu/data/aumh.html) or by connecting to Active Directory.
The diagram below shows how the handshake happens between the browser and the web server to obtain a Kerberos token for authentication.
Environment / Infrastructure
In this article I am going to talk about implementing single sign-on on the Java platform (i.e. with JAAS) using Active Directory through the Kerberos protocol for web-based products/applications.
I used the following software:
JDK 1.6 (earlier versions do not support the SPNEGO Kerberos mechanism)
Windows 2003 Server with Active Directory
Windows XP with Internet Explorer 7 for client machine
Tomcat 6.0 Web Server
Required Information
The following information is required from your system administrators.
- Active Directory server IP address or hostname.
- Your complete domain name in Active Directory (example: JAVA.SUN.COM).
Create a Server Name Alias
You have to create a server alias (an Active Directory user account) that the web server will use to interact with Active Directory for SSO token validation. Create a user called testsso and check “Password never expires”. Assign a password to the testsso user; we will use this password in the Java code later.
Create a Service Name
The account you created in the previous step is meant to be used as the Kerberos HTTP service principal for the web server. This is done using the setspn command-line tool, which manages SPNs (Service Principal Names) in Active Directory.
[More information on Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx].
You need to add (-a) an SPN for this account, associating it with the fully qualified server alias name. For example:
setspn -a HTTP/java.sun.com testsso
You can confirm it was created by listing (-l) the SPNs registered for the account:
setspn -l testsso
Note: this command-line utility might not be available in your OS; you may have to download it from the Microsoft site.
Initial verification
You can do a basic Kerberos check using the kinit tool. From one of the computers in your network that has access to the KDC (Key Distribution Center), which in Windows is usually the Domain Controller, check the following using your user account (e.g. testsso@JAVA.SUN.COM):
kinit testsso@JAVA.SUN.COM
If everything is OK, the command will ask you for your domain password and terminate without an error message. If you execute it without any argument, the command will show you the initial ticket you got from the KDC.
Create jaas.conf file
Create a jaas.conf file and place it at c:\jaas.conf.
SSOTESTING {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false          // the service password is supplied from code, not a keytab
storeKey=true            // keep the service key in the Subject so tokens can be accepted
useTicketCache=false
principal="testsso@JAVA.SUN.COM";
};
Download jaas.conf from here
Finally the most awaited test JSP file
Download ssotest.jsp and change the following variable values according to your configuration and environment.
ACTIVE_DIRECTORY_SERVER = "<hostname/ipaddress>";
DEAULT_DOMAIN = "<the default domain>";
SP_PASSWORD = "<server-principal-password>";
The best way to implement single sign-on is with a servlet; for ease of testing in your environment I made it a JSP. Once you get this sample code working in your environment you can integrate it into your framework.
The example files are also available at the link below:
https://github.com/venkatsalem/workspace/blob/master/ad-auth/src/main/webapp/sso.jsp
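The browser/web-server handshake described above, written as a servlet instead of the author’s JSP. This is an added example, not ssotest.jsp or any code from the linked repository; it assumes the SSOTESTING entry from jaas.conf is loaded (-Djava.security.auth.login.config), that java.security.krb5.realm and java.security.krb5.kdc point at the Active Directory server, that the SP_PASSWORD placeholder is replaced with the testsso password, and Java 8 or later for java.util.Base64 and lambdas.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.*;
import org.ietf.jgss.*;
// Added example, not the author's ssotest.jsp; assumes the SSOTESTING entry from jaas.conf
// is loaded and java.security.krb5.realm/.kdc point at the Active Directory server.
public class SpnegoServlet extends HttpServlet {
    private static final String SP_PASSWORD = "<server-principal-password>"; // placeholder
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {
            // Round 1: challenge. A browser that trusts the site (IE intranet zone) repeats the
            // request with a SPNEGO token issued by the KDC for the SPN HTTP/<host in the URL>.
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        byte[] token = Base64.getDecoder().decode(auth.substring("Negotiate ".length()).trim());
        try {
            // Log in as the service principal named in jaas.conf. storeKey=true keeps the
            // derived Kerberos key in the Subject, which acceptSecContext needs to decrypt.
            LoginContext lc = new LoginContext("SSOTESTING", cbs -> {
                for (Callback cb : cbs) {   // only the password is prompted; principal is in jaas.conf
                    if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(SP_PASSWORD.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login();
            // Round 2: validate the token under the service's Subject and read the client name.
            String user = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
                if (reply != null)  // mutual-authentication response expected by the browser
                    resp.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(reply));
                return ctx.getSrcName().toString();  // e.g. alice@JAVA.SUN.COM
            });
            lc.logout();
            resp.getWriter().println("Authenticated as " + user);
        } catch (Exception e) {
            // Wrong or duplicate SPN, clock skew, or a tampered token all land here: deny.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Kerberos token validation failed");
        }
    }
}
```

The authenticated principal comes only from the validated GSS context, never from a request parameter, so a user cannot assert an identity the KDC did not vouch for.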
Checklist
- Make sure the SPN registered with setspn is associated with exactly one Active Directory user.
- Internet Explorer should identify your site as an intranet site. If it does not, change the IE security zone settings to add the site to the Local intranet zone.
- Kerberos requires the clocks of the involved hosts to be synchronized.
- Always specify domain (realm) names in upper case, e.g. testsso@JAVA.SUN.COM.
OC4J / OracleAS
OC4J will not recognize jaas.conf, so you need to update the system-jazn-data.xml file with a custom provider. More information is in the link below:
http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/ovsecadm.htm
References
http://web.mit.edu/Kerberos/
http://tools.ietf.org/html/rfc4559
http://msdn2.microsoft.com/en-us/library/ms995329.aspx
Updated on Nov 4, 2010
The link below contains a tutorial and samples from Oracle.
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html