Andreas Nerlich
eclipse.ini & sts.ini -vm option (18 Aug 2010) - tagged as springsource tool suite, eclipse, dev
note to self when configuring the “-vm” option in eclipse.ini or sts.ini: place the path to your jdk on a new line i.e.
-vm
c:\dev\java\jdk1.6.0\bin
also to see what configuration options stuck, go to menu item:
Help > About Eclipse Platform > Installation Details
 
skipping class whilst loading grails application (23 Jul 2010) - tagged as grails, dev
ready or not, i imagine a few of my next posts will be rather geek inclined. more specifically, grails inclined. i'll be mentioning a few things that have helped me over the last few weeks, or explaining how i resolved a few hangups.

here's the first one :

commons.DefaultGrailsApplication The class [<ClassName>] was not found when attempting to load Grails application. Skipping.

the message shows up in the logs when starting the application with run-app. there are no other exceptions or errors and the application seems to start up successfully, until you try to access the class mentioned in the log. in my case it was a controller, and because it was skipped at startup i get a big old fat 404 when trying to access it.

the cause was that for some reason the package declaration within my controller went missing. strangely there were no compilation exceptions either. after re-adding my package declaration, all was fine. the same applies for incorrectly defined package declarations.

grails.org 
 
SSO with JBoss, Active Directory, Kerberos and SPNEGO (30 Jun 2010) - tagged as dev
this article is an amendment to the jboss negotiation project documentation and a jboss community thread. the reason for this article is that at times i felt that the documentation was ambiguous and on occasion also lacking some important information. so here's my take on it, which made SSO work for me... after copious hours of elbow grease, i might add.

As an example, you may want to access an SSO enabled jboss server as follows: http://jbossserver.six.com. For the purpose of the documentation to come, 'jbossserver' is referring to the machine name, 'six' is referring to the domain and 'six.com' is referring to the realm.

Download the “JBoss Negotiation Project” (JBossNegotiation - 2.0.3.GA)

Unpack and copy jboss-negotiation-2.0.3.GA.jar to: ${JBOSS_HOME}/server/${server_config}/lib

Add an entry to ${JBOSS_HOME}/server/${server_config}/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml. Within this descriptor you should see a set of authenticators defined using a property called "authenticators". Add the following entry:

<entry>
  <key>SPNEGO</key>
  <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
</entry>

In order for JBoss to identify itself against a specific realm and KDC (e.g. kdcserver.six.com), include the following as system properties within ${JBOSS_HOME}/server/${server_config}/deploy/properties-service.xml:

<attribute name="Properties">
    java.security.krb5.kdc=kdcserver.six.com
    java.security.krb5.realm=SIX.COM
</attribute>

Create an Active Directory user account e.g. jbossuser with a suitable password. Note: Do not create a user with the same name as the JBoss machine/server name (jbossserver). When creating the user, use the following properties:

a) User cannot change password (true/checked)
b) Password never expires (true/checked)
c) Use DES encryption types for this account (false/unchecked)
d) Do not require Kerberos preauthentication (true/checked)

Note: It is very important to remember that this account should under no circumstances be used as a regular user account. Activities such as logging into the domain on any given Windows machine as jbossuser should not be done.

The jbossuser Active Directory user account needs to be mapped to a host account using the setspn.exe and ktpass.exe command line utilities included in the Windows 2003/2008 Support Tools. These commands need to be executed by a domain administrator, preferably on the machine on which the jbossuser user account was created. It is important to note the capital casing of the realm, but only after the '@' sign.

setspn.exe -a HTTP/jbossserver.six.com@SIX.COM jbossuser

The following command can be used to list, and thus confirm, the successful mapping of the principal name to the user account.

setspn.exe -l jbossuser

The Windows Server ktpass.exe command line utility takes the jbossuser user and maps it as a trusted host. In this case you would need to execute the following command:

ktpass -princ HTTP/jbossserver.six.com@SIX.COM -pass * -mapuser SIX\jbossuser -out c:\jbossuser.http.keytab

The ktab.exe (Kerberos key table manager) Java SDK Development utility is then used to export the keytab that will be used by the application server using the following command. It is strongly advised to use the same java version as used by the JBoss application server.

ktab -k c:\jbossuser.http.keytab -a jbossuser@SIX.COM

The application server requires a security domain that it can use to first authenticate against the KDC. In order to configure this, a keytab will be required for the principal that represents the application server. Below is an example host security domain to be added to ${JBOSS_HOME}/server/${server_config}/conf/login-config.xml. Remember to adjust the location path of the keyTab:

<application-policy name="host">
   <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
         <module-option name="storeKey">true</module-option>
         <module-option name="useKeyTab">true</module-option> 
         <module-option name="principal">HTTP/jbossserver.six.com@SIX.COM</module-option>
         <module-option name="keyTab">/usr/local/jbossuser.http.keytab</module-option>
         <module-option name="doNotPrompt">true</module-option>
         <module-option name="debug">true</module-option>
      </login-module>
   </authentication>
</application-policy>

The application also requires its own security domain to be defined, with a login module that works in connection with the NegotiationAuthenticator.

For starters, the configuration requires two property files:
  - props/spnego-users.properties
  - props/spnego-roles.properties

“props” is meant to be a directory within ${JBOSS_HOME}/server/${server_config}/conf. spnego-users.properties is to remain empty, but spnego-roles.properties needs to include each of the user=role mappings required to access the application, e.g.:

jdoe@SIX.COM=Users

Add the following to ${JBOSS_HOME}/server/${server_config}/conf/login-config.xml:

<application-policy name="SPNEGO">
   <authentication>
      <login-module
         code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
         flag="requisite">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="usersProperties">props/spnego-users.properties</module-option>
         <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
      </login-module> 
   </authentication>
</application-policy>
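
A consistency check for the two login-config.xml policies and the spnego-roles.properties entries described above, as an added example that is not from the original post or the JBoss Negotiation project. The function name check_sso_config and the sample strings are constructed for illustration; it verifies only that the realm after '@' is upper-case, that the keytab options are set, that serverSecurityDomain names a policy that exists, and that role entries use the same realm.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the two policies from this post inside a <policy> root.
LOGIN_CONFIG = """<policy>
 <application-policy name="host"><authentication>
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
   <module-option name="useKeyTab">true</module-option>
   <module-option name="principal">HTTP/jbossserver.six.com@SIX.COM</module-option>
   <module-option name="keyTab">/usr/local/jbossuser.http.keytab</module-option>
  </login-module></authentication></application-policy>
 <application-policy name="SPNEGO"><authentication>
  <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
   <module-option name="serverSecurityDomain">host</module-option>
  </login-module></authentication></application-policy>
</policy>"""
ROLES = "jdoe@SIX.COM=Users\n"  # constructed spnego-roles.properties content

def options(module):
    return {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}

def check_sso_config(login_config_xml, roles_text):
    """Return a list of findings; an empty list means the files agree."""
    findings, realm = [], None
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    for name, policy in policies.items():
        for module in policy.iter("login-module"):
            code, opts = module.get("code", ""), options(module)
            if code.endswith("Krb5LoginModule"):
                m = re.fullmatch(r"HTTP/[^@/]+@([^@]+)", opts.get("principal", ""))
                if not m:
                    findings.append(f"{name}: principal is not HTTP/<host>@<REALM>")
                elif m.group(1) != m.group(1).upper():
                    findings.append(f"{name}: realm after '@' must be upper-case")
                else:
                    realm = m.group(1)
                if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
                    findings.append(f"{name}: useKeyTab must be true and keyTab set")
            elif code.endswith("SPNEGOLoginModule"):
                ref = opts.get("serverSecurityDomain")
                if ref not in policies:
                    findings.append(f"{name}: serverSecurityDomain '{ref}' is not defined")
    for line in roles_text.splitlines():
        user = line.split("=", 1)[0].strip()
        if user and not user.startswith("#") and realm and not user.endswith("@" + realm):
            findings.append(f"roles: '{user}' does not end with @{realm}")
    return findings

print(check_sso_config(LOGIN_CONFIG, ROLES))  # run on the constructed input
```
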

By default Internet Explorer only performs SPNEGO authentication against sites in the 'Local intranet' zone.

  - open the 'Internet Options' from the 'Tools' menu
  - select the 'Security' tab
  - ensure that 'Local intranet' is highlighted and click the 'Sites' command button.
  - enter the URL of the server hosting the JBoss installation (e.g. http://jbossserver.six.com) and click on 'Add'.

After restarting Internet Explorer, this should be sufficient for it to trust the JBoss installation and to perform the SPNEGO negotiation.

Feel free to get in touch if you need more info.

jboss negotiation • jboss negotiation 2.0.3.GA 