1 Reply Latest reply on Aug 9, 2006 11:30 AM by joseinaciosilvajunior

    jms topic authenticated by Kerberos

    lionelds

      Is it possible for a topic to be authenticated using Kerberos? I don't want to pass the user/password to the server.

      I am using Jboss-4.0.2.

      Here's my configuration.

      login-config.xml

       <application-policy name="csekrb5">
         <authentication>
           <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
             <module-option name="useKeyTab">false</module-option>
             <module-option name="storeKey">true</module-option>
             <module-option name="useTicketCache">true</module-option>
             <module-option name="debug">true</module-option>
           </login-module>
           <login-module code="org.jboss.security.ClientLoginModule" flag="required">
           </login-module>
         </authentication>
       </application-policy>



      jboss-service.xml
       <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
         <attribute name="DefaultSecurityConfig">
           <security>
             <role name="guest" read="true" write="true" create="true"/>
           </security>
         </attribute>
         <attribute name="SecurityDomain">java:/jaas/csekrb5</attribute>
         <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
       </mbean>


      jbossm-destinations-service.xml

       <mbean code="org.jboss.mq.server.jmx.Topic"
              name="jboss.mq.destination:service=Topic,name=secureTestTopic">
         <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
         <attribute name="SecurityConf">
           <security>
             <role name="guest" read="true" write="true"/>
             <role name="Test" read="true" write="true" create="false"/>
             <role name="publisher" read="true" write="true" create="false"/>
             <role name="durpublisher" read="true" write="true" create="true"/>
           </security>
         </attribute>
       </mbean>


      The trace of the error on the server (BTW, the jboss user is local to the server):

      09:35:09,010 INFO [STDOUT] Debug is true storeKey true useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      09:35:09,010 INFO [STDOUT] Acquire TGT from Cache
      09:35:09,022 INFO [STDOUT] Principal is null
      09:35:09,023 INFO [STDOUT] null credentials from Ticket Cache
      09:35:09,034 INFO [STDOUT] [Krb5LoginModule] user entered username: jboss
      09:35:09,758 INFO [STDOUT] principal is jboss@COMPANY.COM
      09:35:09,758 INFO [STDOUT] Acquire TGT using AS Exchange
      09:35:09,759 INFO [STDOUT] EncryptionKey: keyType=3 keyBytes (hex dump)=0000: E3 29 8A 15 40 29 C4 98
      09:35:09,760 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E3 29 8A 15 40 29 C4 98
      09:35:09,761 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 08 54 C2 04 02 CB 19 CE FB A2 D5 C7 B5 C4 1F B9 .T..............
      0010: 08 0E 13 19 DC 3B 67 32
      09:35:09,793 INFO [STDOUT] [Krb5LoginModule] authentication failed
      Client not found in Kerberos database (6) - Client not found in Kerberos database


      On the client I see

      Topic name is topic/secureTestTopic
      Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is lionel tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Acquire TGT from Cache
      Principal is lionel@COMPANY.COM
      Commit Succeeded

      Subject is Subject:
      Principal: lionel@COMPANY.COM
      Private Credential: Ticket (hex) =
      Client Principal = lionel@COMPANY.COM
      Server Principal = krbtgt/COMPANY.COM@COMPANY.COM
      Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: D5 FE EC 7C 08 94 0E CE

      Forwardable Ticket false
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Wed Nov 09 09:21:00 PST 2005
      Start Time = Wed Dec 31 16:00:00 PST 1969
      End Time = Wed Nov 09 19:21:00 PST 2005
      Renew Till = Null
      Client Addresses clientAddresses[0] = /xxx.xxx.xxx.xxx


      Authentication succeeded!


      Exception occurred: javax.jms.JMSSecurityException: User: null is NOT authenticated


      How do I make the server use the client's ticket to authenticate to the topic?


      Thanks,
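For comparison, an added server-side application policy (not from the original post or from JBoss itself): the server trace above shows Krb5LoginModule prompting for a username and running an AS exchange for jboss@COMPANY.COM, a principal the KDC does not know, because Krb5LoginModule only ever authenticates the JVM's own principal from a ticket cache or keytab and does not consume a ticket presented by a JMS client. The service principal name, realm and keytab path below are assumptions.

```xml
<!-- Added example, not from the original post: server-side policy that
     authenticates the JBoss JVM's own service principal from a keytab
     without prompting. Principal, realm and keytab path are assumed values. -->
<application-policy name="csekrb5">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <!-- read the long-term key from a keytab instead of prompting for a password -->
      <module-option name="useKeyTab">true</module-option>
      <module-option name="keyTab">/etc/jboss/jboss.keytab</module-option>
      <!-- must be a principal that actually exists in the KDC (assumed name) -->
      <module-option name="principal">jboss/server.company.com@COMPANY.COM</module-option>
      <!-- fail the login instead of prompting when the keytab does not work -->
      <module-option name="doNotPrompt">true</module-option>
      <!-- keep the key in the Subject so the server can later accept Kerberos clients -->
      <module-option name="storeKey">true</module-option>
      <!-- a local user's ticket cache is not wanted on the server side -->
      <module-option name="useTicketCache">false</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
  </authentication>
</application-policy>
```

This only removes the "Client not found in Kerberos database" failure on the server's own login; the client-side "User: null is NOT authenticated" comes from JBossMQ's SecurityManager still expecting connection credentials, which a keytab login does not change.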