Single-Sign-On (SSO) in Java Platform using Active Directory
August 29, 2009
Sorry guys, it has been a long time since I wrote on my blog.
Nowadays single sign-on has become a hot-selling feature for desktop and web-based products. In this article I talk about implementing single sign-on on the Java platform with an Active Directory server. Since Microsoft Windows has become one of the most common corporate network platforms, it is worth integrating with your product. Starting with Windows 2000, Microsoft supports the Kerberos protocol. It is unusual for Microsoft to support an open-standard protocol, but they do in this case; good for us :-)
Before jumping into implementation and configuration, it is good to know some common keywords and jargon used in single sign-on.
Kerberos – http://en.wikipedia.org/wiki/Kerberos_(protocol)
Active Directory – http://en.wikipedia.org/wiki/Active_Directory
SPNEGO – http://en.wikipedia.org/wiki/SPNEGO
JAAS – http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/index.html
How the Kerberos protocol works
The web server has to perform a handshake with the browser to obtain the Kerberos token. The token can be validated against a keytab file (http://kb.iu.edu/data/aumh.html) or by connecting to Active Directory.
The diagram below explains how the handshake happens between the browser and the web server to obtain the Kerberos token for authentication.
In this article I am going to talk about implementing single sign-on on the Java platform (i.e. JAAS) using Active Directory through the Kerberos protocol for web-based products/applications.
I used the following software:
JDK 1.6 – (previous versions don’t support the SPNEGO Kerberos protocol)
Windows 2003 Server with Active Directory
Windows XP with Internet Explorer 7 for client machine
Tomcat 6.0 Web Server
The following information is required from your system administrators.
- Active Directory server IP address or hostname.
- Your complete domain name in Active Directory (example: JAVA.SUN.COM).
Create a Server Name Alias
You have to create a server alias for the web server to interact with Active Directory for SSO token validation. Create a user called testsso and check “Password never expires”. Assign a password to the testsso user; we will be using this password in the Java code later.
Create a Service Name
The account you created in the previous step is meant to be used as a Kerberos HTTP service for the web server. This is done using the setspn command-line tool, which manages SPNs (Service Principal Names) in Active Directory.
[More information on Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx].
You need to add (-a) an SPN for this account, associating it with the fully qualified server alias name. For example:
setspn -a HTTP/java.sun.com testsso
You can confirm that it has been created successfully by listing (-l) the SPNs available for the account:
setspn -l testsso
Note: this command-line utility might not be available in your OS, in which case you will have to download it from the Microsoft site.
You can do a basic Kerberos check using the kinit tool. From one of the computers in your network that has access to the KDC (Key Distribution Center; in Windows this is usually the Domain Controller), check the following using your user account (e.g. testsso@JAVA.SUN.COM):
If everything is OK, the command will ask you for your domain password and terminate without an error message. This command will show you the initial ticket you got from the KDC if you execute it without any argument.
Create jaas.conf file
Create a jaas.conf file and place it at c:\jaas.conf.
Download jaas.conf from here
Finally, the most awaited test JSP file
Download ssotest.jsp and change the following variable values according to your configuration and environment.
ACTIVE_DIRECTORY_SERVER = "<hostname/ipaddress>";
DEAULT_DOMAIN = "<the default domain>";
SP_PASSWORD = "<server-principal-password>";
The best way to implement single sign-on is with a servlet; for ease of testing in your environment I made it a JSP. Once you get this sample code working in your environment you can integrate it into your framework.
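The server-side step such a test page has to perform, as an added example (this is not the author's ssotest.jsp): decode the Negotiate header, log the service account in through JAAS, and accept the token with JGSS. It assumes Java 8 or later and a jaas.conf entry using Krb5LoginModule with storeKey=true; the entry name spnego-server and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

// Hypothetical helper, not the article's ssotest.jsp. Assumes Java 8+ and a jaas.conf
// entry named "spnego-server" (assumed name) using Krb5LoginModule with storeKey=true.
public class SpnegoValidator {
    /** Returns the client principal (user@REALM), or null if the handshake is not complete. */
    public static String validate(String authzHeader, String servicePrincipal,
                                  char[] servicePassword) throws Exception {
        if (authzHeader == null || !authzHeader.startsWith("Negotiate ")) {
            throw new SecurityException("no token: answer 401 with WWW-Authenticate: Negotiate");
        }
        byte[] token = Base64.getDecoder().decode(authzHeader.substring(10).trim());
        // A token that starts with "NTLMSSP" is an NTLM fallback, not a Kerberos ticket.
        if (new String(token, StandardCharsets.ISO_8859_1).startsWith("NTLMSSP")) {
            throw new SecurityException("NTLM token received; check the SPN and the intranet zone");
        }
        // Log the service account in to the KDC (Active Directory) through JAAS.
        LoginContext lc = new LoginContext("spnego-server", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(servicePrincipal);
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(servicePassword);
            }
        });
        lc.login();
        try {
            // Accepting the token with the service's own key proves it was issued for this SPN.
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSCredential cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid("1.3.6.1.5.5.2") /* SPNEGO */, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = manager.createContext(cred);
                try {
                    ctx.acceptSecContext(token, 0, token.length);
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally {
                    ctx.dispose();
                }
            });
        } finally {
            lc.logout();
        }
    }
}
```

The returned name includes the realm, so compare the realm with the domain you expect before mapping the name to an application user.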
The example files are available at the link below as well:
- Make sure the SPN registered with setspn is uniquely associated with one Active Directory user.
- Internet Explorer should be able to identify your site as an intranet site. If not, change the IE settings so that it is treated as an intranet site.
- Kerberos requires the clocks of the involved hosts to be synchronized.
- Always specify domain names in upper case. Example: testsso@JAVA.SUN.COM
OC4J / OracleAS
OC4J will not recognize jaas.conf, hence you need to update the system-jazn-data.xml file for a custom provider. Find more information at the link below:
Updated on Nov 4, 2010
The link below contains a tutorial and samples from Oracle.