Minimal JBoss config to use GSSAPI/Kerberos acceptSecContext
chriscorbell Feb 25, 2009 4:32 PM
Hi,
I'm hoping for some pointers on getting GSSAPI/Kerberos auth working in my JBoss-hosted application.
My challenge is that I'm attempting a very streamlined use of GSSAPI/Kerberos which seems to not be covered by most of the JBoss examples and threads out there, so I don't have a working code sample to start from. The single goal is to have acceptSecContext() succeed in validating the bytes of a (Kerberos) GSSAPI context token that the server has received.
The GSSAPI token is sent (base-64-encoded) in the payload of a SOAP message from rich C++ clients running on Mac and Windows - I am not trying to use WS-Security, SOAP headers, HTTP headers, browser-based authentication, direct use of JAAS Subjects and Principals, etc. The bulk of the documentation on JBoss and Kerberos (including Negotiate) tends to assume use of one or more layers or APIs that don't apply here, so it's been tricky trying to tease out which configuration instructions apply to basic GSSAPI functioning and which are actually supporting other server-side behaviors.
I've attempted to follow Sun's tutorial on using GSSAPI without JAAS, and modifying run.sh I've had a little success at least in verifying the standard system properties are set and getting to square 1 with a GSSManager instance.
FWIW, the system properties I'm defining in run.sh are java.security.krb5.realm, java.security.krb5.kdc, javax.security.auth.useSubjectCredsOnly, and java.security.auth.login.config (not sure if the last one really gets used; the environment seems to prefer the login module from login-config.xml).
I've also defined an "other" security context in login-config.xml for com.sun.security.auth.module.Krb5LoginModule, and enabled security debug logging. The settings here do get dumped in debugging when I try to use GSSManager and friends, but I'm getting this exception when I try to create a GSSCredential object for the service:
2009-02-25 13:12:54,198 ERROR [STDERR] Feb 25, 2009 1:12:54 PM com.sun.xml.ws.server.PeptTie setRuntimeException SEVERE: fault.InvalidCredentialsException: Exception from GSSAPI; nested exception is: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) javax.xml.ws.soap.SOAPFaultException: fault.InvalidCredentialsException: Exception from GSSAPI; nested exception is: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
The line that's causing this is a simple:
GSSCredential myCred = manager.createCredential(servicePrincipalName, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_OID, GSSCredential.ACCEPT_ONLY);
Any suggestions? Are there any great tutorials or examples out there I've overlooked which show how to do this type of barebones GSSAPI/Kerberos configuration for a JBoss app?
TIA,
Chris
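The server-side flow the post describes, as an added example (this is not Chris's code and not a JBoss sample): a Kerberos acceptor that decodes a base64 token pulled out of a SOAP payload and validates it with acceptSecContext(). The piece that "Attempt to obtain new ACCEPT credentials failed!" usually points at is that an ACCEPT_ONLY credential can only be created when the JVM has access to the service's long-term key, so the example first logs the service in through a Krb5LoginModule keytab entry and then runs the GSSAPI calls inside Subject.doAs() with that Subject. The JAAS entry name "ServiceAcceptor", the keytab path and the service principal are assumptions chosen for the example; java.util.Base64 assumes Java 8 or later.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example, not from the original post. Validates a Kerberos GSSAPI
 * context token that arrived base64-encoded in a SOAP body.
 *
 * Assumed (hypothetical) JAAS entry in the login configuration:
 *
 *   ServiceAcceptor {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true doNotPrompt=true
 *       keyTab="/path/to/service.keytab"
 *       principal="HTTP/host.example.com@EXAMPLE.COM";
 *   };
 *
 * storeKey=true matters: without it the Subject has no long-term key and
 * createCredential(..., ACCEPT_ONLY) fails exactly as in the post.
 */
public final class KerberosTokenAcceptor {

    /** Kerberos V5 mechanism OID (well-known, registered value). */
    private static final Oid KERBEROS_OID = kerberosOid();

    private final Subject serviceSubject;

    /** Logs the service in once with its keytab; the Subject is reused for every token. */
    public KerberosTokenAcceptor(String jaasEntryName) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntryName);
        lc.login();
        this.serviceSubject = lc.getSubject();
    }

    /**
     * Validates one base64 token and returns the authenticated client principal
     * (e.g. "alice@EXAMPLE.COM"). Throws GSSException if the token is not a valid
     * AP-REQ for this service (wrong key, expired ticket, replay, garbage bytes).
     */
    public String authenticate(String base64Token) throws GSSException {
        final byte[] token = Base64.getDecoder().decode(base64Token);
        try {
            // Run inside the service Subject so JGSS can find the acceptor key.
            return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws GSSException {
                    return acceptToken(token);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException();
        }
    }

    private static String acceptToken(byte[] token) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // null name: accept for whichever service principal the Subject holds.
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_OID, GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serverCred);
        try {
            byte[] reply = context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                // A plain Kerberos AP-REQ establishes in one round trip; anything
                // else means the client sent something this acceptor does not handle.
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            // If the client requested mutual auth, 'reply' is an AP-REP that must be
            // returned to the client (e.g. in the SOAP response); it is non-null then.
            if (reply != null) {
                System.out.println("AP-REP to return: " + Base64.getEncoder().encodeToString(reply));
            }
            return context.getSrcName().toString();
        } finally {
            context.dispose();
            serverCred.dispose();
        }
    }

    private static Oid kerberosOid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The alternative to Subject.doAs() is to set javax.security.auth.useSubjectCredsOnly=false and name the keytab entry "com.sun.security.jgss.accept" (Java 6 and later also accept "com.sun.security.jgss.krb5.accept"), in which case the JGSS provider performs the login itself; either way the acceptor key has to come from a Krb5LoginModule entry with storeKey=true, which is what the "other" entry in login-config.xml does not provide on its own.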