using Java 6 Kerberos provider for http client connections
arvoreen May 9, 2007 4:44 PM

So I have a web app that does not define ANY authentication requirements (legacy app, handles authentication/authorization internally).
This application is also making client HTTP connections to other resources, and it needs to do so using the integrated Java 6 Kerberos login provider, so that it can connect via NTLM and/or SPNEGO to Windows pages.
However, when I first make the client connection attempt, I get:
org.jboss.security.auth.spi.UsersRolesLoginModule Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
    at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
    at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:328)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
    at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:846)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:304)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
    at sun.net.www.protocol.http.NegotiatorImpl.init(NegotiatorImpl.java:86)
    at sun.net.www.protocol.http.NegotiatorImpl.<init>(NegotiatorImpl.java:95)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at sun.net.www.protocol.http.Negotiator.getSupported(NegotiateAuthentication.java:265)
    at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:106)
    at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:170)
    at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:119)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1070)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
So I tried to set up an auth policy that points directly to the KRB5 modules in the login-config.xml:
    <!-- KRB5 Policy -->
    <application-policy name="krb5">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="keyTab">/etc/eonkeytab</module-option>
          <module-option name="doNotPrompt">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="realm">AMS.GBLXINT.COM</module-option>
          <module-option name="principal">HTTP/dlktzt79.ams.gblxint.com@AMS.GBLXINT.COM</module-option>
          <module-option name="useTicketCache">true</module-option>
          <module-option name="debug">true</module-option>
        </login-module>
      </authentication>
    </application-policy>
and added the following to the jboss-web.xml:
<security-domain>java:/jaas/krb5</security-domain>
No luck whatsoever... same errors occurring.
Anyone have any pointers?