Public Repository

Last pushed: 6 months ago
Short Description
jboss-eap
Full Description

See 'tags'. The jboss-eap:6.4.0-spnego image contains a demo application that uses Kerberos authentication (Kerberos and LDAP with SPNEGO). On start, the container launches Kerberos + LDAP with the KDC on port 6088.

jboss-eap:6.4.0-spnego-dns

This image uses the spnegohost domain / host name to allow connectivity from an external computer. Once a container has been started from this image, the JBoss server in it serves a sample application at http://spnegohost:8080/spnego-demo/user/, and a krb5 client tool whose /etc/krb5.conf has a KDC entry pointing at spnegohost should be able to authenticate a user, e.g. kinit hnelson@JBOSS.ORG with the password secret.
The instructions to run it are much the same as those below for jboss-eap:6.4.0-spnego, but krb5.conf needs to be changed:

[libdefaults]
    default_realm = JBOSS.ORG
    default_tgs_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    kdc_timeout = 5000
    dns_lookup_realm = false
    dns_lookup_kdc = false
    dns_canonicalize_hostname = false
    rdns = false
    ignore_acceptor_hostname = true
    allow_weak_crypto = yes

[realms]
    JBOSS.ORG = {
        kdc = spnegohost:6088
    }

[domain_realm]
    spnegohost = JBOSS.ORG

The run command also needs -h spnegohost added, so that the spnegohost host name is added to /etc/hosts inside the container. E.g.:

docker run -it -p 8080:8080 -p 9990:9990 -p 9999:9999 -p 6088:6088/udp -p 6088:6088 -p 8787:8787 -v /home/toks/kerberos-pack-docker/standalone-bellid-dns.xml:/home/jboss-eap-6.4/standalone/configuration/standalone.xml -h spnegohost --link db-pristine-spnego:oracle-spnego --name jboss-spnego-dns tumcyk/jboss-eap:6.4.0-spnego-dns

Default console user credentials: admin, admin123!

You also need to add spnegohost to the hosts file on the local machine, pointing at where the KDC is, i.e. at the IP of the remote host where the container is running (the container has the KDC bound to the remote host's localhost).

Test

curl -L -v --negotiate -u : http://spnegohost:8080/spnego-demo/user

jboss-eap:6.4.0-spnego

Run simple demo:

1) Prepare a client (CLI to authenticate user)

sudo apt install krb5-user
or
sudo yum install krb5-workstation krb5-libs krb5-auth-dialog

Set the KRB5_CONFIG environment variable:

export KRB5_CONFIG="/home/toks/krb5.conf"

The file it points to contains the configuration for the KDC, such as:

[libdefaults]
    default_realm = JBOSS.ORG
    default_tgs_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    kdc_timeout = 5000
    dns_lookup_realm = false
    dns_lookup_kdc = false
    dns_canonicalize_hostname = false
    rdns = false
    ignore_acceptor_hostname = true
    allow_weak_crypto = yes

[realms]
    JBOSS.ORG = {
        kdc = localhost:6088
    }

[domain_realm]
    localhost = JBOSS.ORG
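
The krb5.conf given for both images sets allow_weak_crypto = yes and requests des-cbc-md5, des3-cbc-sha1-kd and rc4-hmac, which RFC 6649 and RFC 8429 deprecate. The Python check below is an added example, not part of the image or its original description; it flags those settings in a client krb5.conf, and its function names and the AES comparison config are assumptions made for illustration.

```python
# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (triple DES, RC4).
DEPRECATED = {"des-cbc-crc": "single DES", "des-cbc-md5": "single DES",
              "des3-cbc-sha1-kd": "triple DES", "rc4-hmac": "RC4", "arcfour-hmac": "RC4"}
TRUE = ("y", "yes", "t", "true", "1", "on")  # values MIT krb5 reads as true

def parse_libdefaults(text):
    """Return key -> value for the top level of [libdefaults] in a krb5.conf."""
    section, depth, out = None, 0, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.endswith("{") or line.startswith("}"):
            depth += 1 if line.endswith("{") else -1   # e.g. "JBOSS.ORG = {"
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """List weak-crypto findings; an empty list means none were found."""
    conf = parse_libdefaults(text)
    findings = []
    if conf.get("allow_weak_crypto", "no").lower() in TRUE:
        findings.append("allow_weak_crypto is enabled")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enc in conf.get(key, "").replace(",", " ").split():
            if enc.lower() in DEPRECATED:
                findings.append(f"{key}: {enc} ({DEPRECATED[enc.lower()]})")
    return findings

# Crypto-related settings as given in the krb5.conf on this page.
PAGE_CONF = """[libdefaults]
    default_tgs_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    allow_weak_crypto = yes
[realms]
    JBOSS.ORG = {
        kdc = localhost:6088
    }
"""
# Constructed comparison (assumption: the page does not say whether the
# image's KDC can issue AES tickets).
AES_CONF = PAGE_CONF.replace("= yes", "= no").replace(
    "des-cbc-md5 des3-cbc-sha1-kd rc4-hmac", "aes256-cts-hmac-sha1-96")

if __name__ == "__main__":
    print(audit(PAGE_CONF), audit(AES_CONF), sep="\n")
```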

2) Start server

Run from image

On start, the container launches Kerberos + LDAP with the KDC on localhost:6088.

docker run -it -p 8080:8080 -p 9990:9990 -p 9999:9999 -p 6088:6088/udp -p 6088:6088 -p 8787:8787 --name jboss-spnego tumcyk/jboss-eap:6.4.0-spnego

Default console user credentials: admin, admin123!

Test

curl -L -v --negotiate -u : http://localhost:8080/spnego-demo/user

Prepare browser

Firefox has an add-on that helps to "Enable pass-through on all non-FQDN sites even if they aren't listed here".

Link with a database container:

docker run -it -p 8080:8080 -p 9990:9990 -p 9999:9999 -p 6088:6088/udp -p 6088:6088 -p 8787:8787 --link oracle-linkable:oracle-db --name jboss-spnego tumcyk/jboss-eap:6.4.0-spnego
Recommended Oracle XE image: alexeiled/docker-oracle-xe-11g

docker run -it --shm-size=1g --name oracle-linkable -v /home/toks/scripts/oracle:/etc/entrypoint-initdb.d alexeiled/docker-oracle-xe-11g

Point to your specific standalone configuration:

docker run -it -p 8080:8080 -p 9990:9990 -p 9999:9999 -p 6088:6088/udp -p 6088:6088 -p 8787:8787 -v /home/toks/standalone-ds.xml:/home/jboss-eap-6.4/standalone/configuration/standalone.xml --link oracle-linkable:oracle-db --name jboss-spnego tumcyk/jboss-eap:6.4.0-spnego

Valuable resources

https://dzone.com/articles/spnego-authentication-jboss SPNego Authentication with JBoss
https://kb.iu.edu/d/aumh What is a keytab, and how do I use one?
http://blog.arungupta.me/docker-container-linking-across-multiple-hosts-techtip69 Docker container linking across multiple hosts (Arun Gupta)
http://doc.mapr.com/display/MapR/Configuring+Kerberos+Authentication+for+Windows

Owner
tumcyk
