JAAS AuthN Tokens in uPortal and Beyond


JAAS AuthN Tokens in uPortal and Beyond, or “The JAAS Singer”
- aging webISO that departments were abandoning
- everyone was beginning to use AD LDAP AuthN
- AD used a different principal/password than the webISO
-- causing issues with portal logins and portal integrations
-- university slow on the uptake with an alternative CAS/Shib
-- we needed something to bridge the gap
-- LDAP authN against central IT policies (security of protocol)
-- the Kerberos protocol was the recommended way, but no one was doing it
-- after a little research the challenge seemed worth undertaking

Our Environment
- 3 Campuses / 2 Environments
- Tomcat 6.0.20
- uPortal 3.1.1
- Active Directory
- Kerberos authentication via JAAS

Why Active Directory?
- AD offers authentication and group management
- Many campus services use it for authentication
- Kerberos implementation is widely used

Why JAAS?
- Already part of Java
- Kerberos implementation is solid
- Works with our AD/Kerberos
- uPortal has some JAAS support

EWS / uPortal
- Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange.
- We were tasked with building a portlet to retrieve a summary of Email and Calendar items.
- Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

Parameters
- Utilize existing infrastructure.
- Secure and easily managed Authentication.
- No admin user

#1 Utilize Existing Infrastructure
- Both EWS and our uPortal instance authenticate against the AD.
- EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
- Some work was already started via imap2exchange.
-- Helped w/ JAX-WS bindings
-- Utilizes BASIC authentication

#2 Secure, Easily Managed AuthN
- BASIC authN
- Admin user on Exchange server
- Secret keys between the portal and EWS server
- Kerberos tickets?
-- Basic authN would require the user’s credentials to be cached (not happening) or the user to enter their AD creds into another form prior to each submission of a request for a summary (again not happening)
-- an admin user would have to be able to access all users’ folders, which is not desirable from a security standpoint nor easy from an admin standpoint
-- we use shared secrets for authenticating to other campus/university web ISOs, but it’s not easily managed since there’s a 1-1 relationship between each service/environment and the portal

Kerberos Tickets and SPNego!
- Krb tickets are generated by Active Directory
-- Opaque and unique
- SPNego (Simple and Protected GSSAPI NEGOtiation mechanism)
-- Krb over HTTP
-- Built in to EWS’ DNA
-- Supported by all major browsers
- Best of all, it’s easy to manage!

uPortal and SPNego via JAAS/GSSAPI
- OOB JAASSecurityContext
-- allows authN via JAAS
-- does not hold on to the Kerberos ticket
- Thanks to uPortal being open source
-- saw why it wasn’t
-- more importantly, showed what had to happen to make it hold on to it
- Implemented our own JAASSecurityContext
-- our impl stores the JAAS Subject (the krb ticket) as an IAdditionalDescriptor in an IPerson attribute that we chose a name for. This is a key factor for later in the presentation.

uPortal and SPNego via JAAS/GSSAPI
- Portlets need to be able to access this attribute
-- use the portlet API (PortletRequest.getAttribute)
-- developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal!
- Now, IPerson attributes are available to portlets without needing any additional API.
- All of this code was implemented using existing interfaces exposed by uPortal and Pluto. uPortal’s spring configurations allowed us to easily fit this into our implementation and give us access to this token.

Using the Kerberos Ticket
- Still faced a couple of challenges
-- Generate a SPNego token
-- put it on the HTTP header of the SOAP request the right way

Enter JAASmine
- JAASmine was built out of frustration
-- there are FEW good resources on GSSAPI/SPNego usage in Java
-- API is under-documented and tutorials are too basic
- JAASmine takes what we learned and makes it easy

JAASmine
- Lightweight “wrapper” for JAAS/GSSAPI
- Client code for web services that want to authenticate using SPNego tokens
- Server code for handling verification and validation of SPNego tokens

Success!

JAASmine and EWS authN
- From our portlet, we could get the Kerberos ticket
- Pass it to the JAASmine client to generate SPNego
- Next, put it on the header of the HTTP SOAP request (WWW-Authenticate)
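As an added illustration of the client side of that flow (this is not JAASmine’s code, which is at the reference link, but plain JDK GSS-API written for this transcript): run the GSS-API initiator under the JAAS Subject that Krb5LoginModule filled at portal login, request the SPNEGO mechanism, and attach the base64 token to the SOAP request. The service name "HTTP@ews.example.edu" and the EWS URL are assumptions. One caveat for practitioners: the client carries the token in the Authorization request header; WWW-Authenticate is the header the server uses for its Negotiate challenge (RFC 4559).

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.*;

/** Turns the Kerberos credentials held in a JAAS Subject into an HTTP Negotiate header. */
public final class SpnegoClient {
    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2"; // SPNEGO mechanism OID, RFC 4178

    /**
     * Runs the GSS-API initiator as the given Subject (the one Krb5LoginModule filled at
     * portal login, which the custom JAASSecurityContext keeps in an IPerson attribute) and
     * returns the Authorization header value. service is host-based, e.g. "HTTP@ews.example.edu".
     */
    public static String negotiateHeader(Subject subject, String service) throws GSSException {
        try {
            byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSName target = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(target, new Oid(SPNEGO_MECH), null, GSSContext.DEFAULT_LIFETIME);
                try {
                    ctx.requestCredDeleg(false); // never forward the user's TGT to EWS
                    ctx.requestMutualAuth(true); // let the client verify the server's reply
                    // With useSubjectCredsOnly (the JDK default) the TGT is taken from the Subject.
                    return ctx.initSecContext(new byte[0], 0, 0); // first, and for Kerberos usually only, leg
                } finally { ctx.dispose(); }
            });
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException(); // the lambda only throws GSSException
        }
    }

    /** Opens the EWS SOAP endpoint with the token attached; the URL is an assumption. */
    public static HttpURLConnection openEws(Subject subject, URL ews) throws IOException, GSSException {
        HttpURLConnection conn = (HttpURLConnection) ews.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        // Client-side token goes in Authorization; WWW-Authenticate is the server's challenge (RFC 4559).
        conn.setRequestProperty("Authorization", negotiateHeader(subject, "HTTP@" + ews.getHost()));
        return conn;
    }
}
```

The Kerberos realm and KDC come from krb5.conf (or the java.security.krb5.conf system property), and the Subject must already hold a TGT, so this only works after a JAAS login such as the portal’s.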

Beyond uPortal
- JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services)
- setup is low impact
-- configure JAAS
-- configure Kerberos
-- configure a servlet filter
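The three setup steps above (JAAS login for the service principal, Kerberos config, a servlet filter) correspond to what the server side has to do with plain JDK GSS-API. The filter below is an added example written for this transcript, not JAASmine’s own server code; the JAAS entry name "JAASmineServer" and the request attribute name "spnego.principal" are assumptions. It challenges with WWW-Authenticate: Negotiate, accepts the client token as the keytab-backed service principal, and rejects malformed or unverifiable tokens before the request reaches the application.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

public class SpnegoAuthFilter implements Filter {
    private Subject serviceSubject; // HTTP/host@REALM, logged in from a keytab via JAAS

    @Override public void init(FilterConfig cfg) throws ServletException {
        try {
            // "JAASmineServer" is an assumed jaas.conf entry: Krb5LoginModule with useKeyTab=true, storeKey=true
            LoginContext lc = new LoginContext("JAASmineServer");
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) { throw new ServletException("service principal login failed", e); }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String auth = http.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {
            out.setHeader("WWW-Authenticate", "Negotiate"); // challenge, RFC 4559
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            byte[] in = Base64.getDecoder().decode(auth.substring("Negotiate ".length()).trim());
            String user = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<String>) () -> {
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null); // acceptor creds from the Subject
                try {
                    byte[] reply = ctx.acceptSecContext(in, 0, in.length);
                    if (reply != null) out.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(reply));
                    if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE); // Kerberos needs one leg
                    return ctx.getSrcName().toString(); // authenticated Kerberos principal, e.g. user@REALM
                } finally { ctx.dispose(); }
            });
            http.setAttribute("spnego.principal", user); // assumed attribute name for downstream code
            chain.doFilter(req, res);
        } catch (IllegalArgumentException | PrivilegedActionException e) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN); // malformed base64 or rejected token
        }
    }

    @Override public void destroy() {}
}
```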

Beyond uPortal
- More web services
- Kerberos/Browser to server? It’s possible (and ideal)…
-- Kerberos browser to server would enable proper click-through from items in the summary directly into Outlook Web Access (if Kerberos was turned on for it)
- Other JAAS authentication implementations need to be added to jaasmine (LDAP, etc.).

References
- SPNego - http://goo.gl/ECVHs
- GSSAPI - http://goo.gl/XPLJF
- JAASmine - http://goo.gl/DM2GD
- imap2exchange - http://goo.gl/IkAZL

Thank You! Tim Carroll Andy Gherna