jms topic authenticated by Kerberos
lionelds Nov 9, 2005 1:50 PM
Is it possible for a topic to be authenticated using Kerberos? I don't want to pass the user/password to the server.
I am using Jboss-4.0.2.
Here's my configuration.
login-config.xml
<application-policy name="csekrb5">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="useKeyTab">false</module-option>
      <module-option name="storeKey">true</module-option>
      <module-option name="useTicketCache">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
  </authentication>
</application-policy>
jboss-service.xml
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/csekrb5</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
jbossmq-destinations-service.xml
<mbean code="org.jboss.mq.server.jmx.Topic" name="jboss.mq.destination:service=Topic,name=secureTestTopic">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="Test" read="true" write="true" create="false"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="durpublisher" read="true" write="true" create="true"/>
    </security>
  </attribute>
</mbean>
The trace of the error on the server (BTW, the jboss user is local to the server):
09:35:09,010 INFO [STDOUT] Debug is true storeKey true useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
09:35:09,010 INFO [STDOUT] Acquire TGT from Cache
09:35:09,022 INFO [STDOUT] Principal is null
09:35:09,023 INFO [STDOUT] null credentials from Ticket Cache
09:35:09,034 INFO [STDOUT] [Krb5LoginModule] user entered username: jboss
09:35:09,758 INFO [STDOUT] principal is jboss@COMPANY.COM
09:35:09,758 INFO [STDOUT] Acquire TGT using AS Exchange
09:35:09,759 INFO [STDOUT] EncryptionKey: keyType=3 keyBytes (hex dump)=0000: E3 29 8A 15 40 29 C4 98
09:35:09,760 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E3 29 8A 15 40 29 C4 98
09:35:09,761 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 08 54 C2 04 02 CB 19 CE FB A2 D5 C7 B5 C4 1F B9 .T..............
0010: 08 0E 13 19 DC 3B 67 32
09:35:09,793 INFO [STDOUT] [Krb5LoginModule] authentication failed
Client not found in Kerberos database (6) - Client not found in Kerberos database
On the client I see:
Topic name is topic/secureTestTopic
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is lionel tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is lionel@COMPANY.COM
Commit Succeeded
Subject is Subject:
Principal: lionel@COMPANY.COM
Private Credential: Ticket (hex) =
Client Principal = lionel@COMPANY.COM
Server Principal = krbtgt/COMPANY.COM@COMPANY.COM
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: D5 FE EC 7C 08 94 0E CE
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Nov 09 09:21:00 PST 2005
Start Time = Wed Dec 31 16:00:00 PST 1969
End Time = Wed Nov 09 19:21:00 PST 2005
Renew Till = Null
Client Addresses clientAddresses[0] = /xxx.xxx.xxx.xxx
Authentication succeeded!
Exception occurred: javax.jms.JMSSecurityException: User: null is NOT authenticated
How do I make the server use the client's ticket to authenticate to the topic?
Thanks,