2 Replies Latest reply on Jul 12, 2007 2:41 PM by anil.saldhana

    using Java 6 Kerberos provider for http client connections

    arvoreen

      So I have a web app that does not define ANY authentication requirements (legacy app, handles authentication/authorization internally).

      This application is also making client http connections to other resources and it needs to do so using the integrated Java 6 Kerberos login provider, so that it can connect via NTLM and/or SPNEGO to Windows pages.

      However, when I first make the client connection attempt, I get

      org.jboss.security.auth.spi.UsersRolesLoginModule Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
       at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
       at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
       at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
       at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:328)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
       at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
       at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
       at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:846)
       at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:304)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
       at sun.net.www.protocol.http.NegotiatorImpl.init(NegotiatorImpl.java:86)
       at sun.net.www.protocol.http.NegotiatorImpl.<init>(NegotiatorImpl.java:95)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
       at sun.net.www.protocol.http.Negotiator.getSupported(NegotiateAuthentication.java:265)
       at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:106)
       at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:170)
       at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:119)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1070)
       at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
      


      So I tried to set up an auth policy that points directly to the KRB5 modules in the login-config.xml

       <!-- KRB5 Policy -->
       <application-policy name="krb5">
         <authentication>
           <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
             <module-option name="storeKey">true</module-option>
             <module-option name="keyTab">/etc/eonkeytab</module-option>
             <module-option name="doNotPrompt">true</module-option>
             <module-option name="useKeyTab">true</module-option>
             <module-option name="realm">AMS.GBLXINT.COM</module-option>
             <module-option name="principal">HTTP/dlktzt79.ams.gblxint.com@AMS.GBLXINT.COM</module-option>
             <module-option name="useTicketCache">true</module-option>
             <module-option name="debug">true</module-option>
           </login-module>
         </authentication>
       </application-policy>
      


      and added the following to the jboss-web.xml
      <security-domain>java:/jaas/krb5</security-domain>
      


      No luck whatsoever...same errors occurring.

      Anyone have any pointers?

        • 1. Re: using Java 6 Kerberos provider for http client connectio
          moman

          Hey, I'm having the exact same problem and was wondering if you had happened to resolve it.

          I also tried specifying the properties like so:

          System.setProperty("java.security.manager", "");
          System.setProperty("java.security.krb5.realm", "kerbdomain");
          System.setProperty("java.security.krb5.kdc", "kerbserver");
          System.setProperty("java.security.policy", "policyfile");
          System.setProperty("java.security.auth.login.config", "conffile");

          I believe the issue is that it can't find the conf file which tells JBoss to use Kerberos authentication, and thus it is trying to use the default user / role file auth means (and thus failing because those files don't exist). I could be wrong though.

          Anyways, thx in advance

          • 2. Re: using Java 6 Kerberos provider for http client connectio
            anil.saldhana

            I read someplace that you need something like xxxx.gss.initiate or such jaas login config name. Since it is not finding one, it is defaulting to other.

            Why don't you enable the security trace level logging for JBoss? Then you will see what is happening with the JAAS layer.
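
The lookup the last reply points at, as an added example (not code from this thread or from JBoss): it models a JAAS Configuration holding the original poster's `krb5` policy plus a default `other` policy, and shows which login module answers when the JGSS layer asks for its own entry names. The class name, the `configOf` and `resolve` helpers, the sample policy map and the exact fallback order are assumptions made for illustration; `com.sun.security.jgss.krb5.initiate` and `com.sun.security.jgss.initiate` are the entry names documented for the Sun JGSS provider.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JgssEntryLookup {
    // JAAS entry names documented for the Sun JGSS Kerberos initiator.
    static final String[] JGSS_NAMES = {
        "com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.initiate" };

    // Constructed stand-in for the container's Configuration: policy name -> login module.
    static Configuration configOf(final Map<String, String> policies) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module = policies.get(name);
                if (module == null) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    module, LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
    }

    // Assumed lookup order: each JGSS name in turn, then the catch-all "other" entry.
    static String resolve(Configuration cfg) {
        for (String name : JGSS_NAMES) {
            AppConfigurationEntry[] e = cfg.getAppConfigurationEntry(name);
            if (e != null) return name + " -> " + e[0].getLoginModuleName();
        }
        AppConfigurationEntry[] other = cfg.getAppConfigurationEntry("other");
        return other == null ? "no entry" : "other -> " + other[0].getLoginModuleName();
    }

    public static void main(String[] args) {
        Map<String, String> policies = new LinkedHashMap<String, String>();
        policies.put("other", "org.jboss.security.auth.spi.UsersRolesLoginModule");
        policies.put("krb5", "com.sun.security.auth.module.Krb5LoginModule");
        // The policy named "krb5" is never asked for, so the lookup lands on "other".
        System.out.println("as posted: " + resolve(configOf(policies)));

        // Same module registered under a name the JGSS layer looks up.
        policies.put(JGSS_NAMES[0], "com.sun.security.auth.module.Krb5LoginModule");
        System.out.println("renamed:   " + resolve(configOf(policies)));
    }
}
```

In login-config.xml terms, the second case corresponds to giving the Kerberos application-policy one of those JGSS entry names instead of `krb5`; the `security-domain` in jboss-web.xml selects the policy for inbound web authentication, not for outbound client connections.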