There are quite a lot of moving parts involved in using SPNEGO. Kerberos is fairly difficult to work with.
The following order is suggested:
- Ensure you have a working Kerberos environment.
- It is suggested that you test your Kerberos environment, including your service keytab, with mod_auth_kerb in Apache server before attempting Glassfish.
- Ensure your browser is configured to use SPNEGO. See the Browser Configuration chapter for more information.
- It is recommended, but not required, that you check out the project (you need a java.net account for this) and build it. The build includes integration tests which verify Kerberos, SPNEGO, your Glassfish version and your Java version. A failing integration test points you to the specific problem in your configuration. See the Building From Source chapter.
- To configure your own application domain.xml, follow the instructions in the Configuring A Glassfish Domain for SPNEGO chapter. This uses the ExampleSpnegoServerAuthModule, which is shipped in the jar. It has a hardcoded set of groups for any java.security.Principal.
- To be useful, you need to extend net.java.spnego.SpnegoServerAuthModule to define how groups are assigned to your own java.security.Principal. The principal can only be authorised once it has groups.
- Package the spnego jar and commons-codec jar in your web app. SPNEGO is distributed as a tarball and also via Maven. See the Browser Configuration chapter for more information.
- Deploy and test with a browser.
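
For the step about extending net.java.spnego.SpnegoServerAuthModule, the following is an added example, not code from the spnego project: a stand-alone group lookup that, unlike a hardcoded set of groups for any principal, returns groups only for known users in one trusted realm. The class name `PrincipalGroupMapper`, the realm `EXAMPLE.COM` and the sample users are assumptions; the method of SpnegoServerAuthModule from which you would call it is not described on this page and is not shown.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not part of the spnego jar): maps a Kerberos
// principal name of the form user@REALM to application groups.
public class PrincipalGroupMapper {
    private final String trustedRealm;
    private final Map<String, Set<String>> groupsByUser = new HashMap<>();

    public PrincipalGroupMapper(String trustedRealm) {
        this.trustedRealm = trustedRealm;
    }

    public void assign(String user, String... groups) {
        groupsByUser.put(user, Set.of(groups));
    }

    public Set<String> groupsFor(Principal principal) {
        String name = principal.getName();
        int at = name.lastIndexOf('@');
        // No realm or empty user part: grant nothing rather than guess.
        if (at <= 0) {
            return Collections.emptySet();
        }
        String user = name.substring(0, at);
        String realm = name.substring(at + 1);
        // Kerberos realm names are case-sensitive, so compare exactly.
        if (!trustedRealm.equals(realm)) {
            return Collections.emptySet();
        }
        // Unknown users get no groups instead of a default set.
        return groupsByUser.getOrDefault(user, Collections.emptySet());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        PrincipalGroupMapper mapper = new PrincipalGroupMapper("EXAMPLE.COM");
        mapper.assign("alice", "staff", "admins");
        Principal alice = () -> "alice@EXAMPLE.COM";
        Principal foreign = () -> "alice@OTHER.EXAMPLE";
        Principal unknown = () -> "bob@EXAMPLE.COM";
        System.out.println("alice:   " + mapper.groupsFor(alice));
        System.out.println("foreign: " + mapper.groupsFor(foreign));
        System.out.println("unknown: " + mapper.groupsFor(unknown));
    }
}
```

An authenticated principal that ends up with an empty group set fails any role check in the application, which is the safe outcome for a user from an unexpected realm.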