1 Reply Latest reply on May 6, 2010 10:55 PM by calrain

    JAX-WS with JBoss Negotiation

    flohack

      Hi!

       

      We have a problem with the JBoss negotiate module and a Java client accessing Jboss over HTTP using SPNEGO. In fact we want to call a web service, but we can reproduce the problem with a simple URL connection. The problem is that second HTTP response from JBoss is a 200 without any content. So the HTTP traffic is like:

      1    0.000000    194.48.68.23    10.1.101.147    HTTP    GET /Service?wsdl HTTP/1.1

      2    0.004617    10.1.101.147    194.48.68.23    HTTP    HTTP/1.1 401 Unauthorized  (text/html)

      WWW-Authenticate: Negotiate

      20    0.506055    194.48.68.23    10.1.101.147    HTTP    GET /Service?wsdl HTTP/1.1

      Authorization: Negotiate YIIEqAYJKoZIhvcSAQI....

      22    0.509754    10.1.101.147    194.48.68.23    HTTP    HTTP/1.1 200 OK

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Pragma: No-cache
      Cache-Control: no-cache
      Expires: Thu, 01 Jan 1970 01:00:00 CET
      Set-Cookie: JSESSIONID=E2EE81A95B3622CE666F29ACCBA02354; Path=/i2gpm
      Transfer-Encoding: chunked
      Date: Thu, 22 Apr 2010 15:02:17 GMT

      0

      So, the session ID is there, but no content at all. If I request the same URL with Firefox, the traffic is like:

      47    23.795866    194.48.68.23    10.1.101.147    HTTP    GET /Service?wsdl HTTP/1.1

      48    23.801357    10.1.101.147    194.48.68.23    HTTP    HTTP/1.1 401 Unauthorized  (text/html)

      WWW-Authenticate: Negotiate

      53    23.845475    194.48.68.23    10.1.101.147    HTTP    GET /Service?wsdl HTTP/1.1

      Authorization: Negotiate YIIK8wYGKwYBBQUCoIIK5zCCCuOgMDAuB..

      55    23.865853    10.1.101.147    194.48.68.23    HTTP    HTTP/1.1 401 Unauthorized  (text/html)

      Set-Cookie: JSESSIONID=98E17BF573A0468D416584C9F16F5AEF; Path=/

      WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

      60    23.877610    194.48.68.23    10.1.101.147    HTTP    GET /Service?wsdl HTTP/1.1

      Cookie: JSESSIONID=98E17BF573A0468D416584C9F16F5AEF

      Authorization: Negotiate oYIKujCCCragAwoBAaKCCq0Eggqp...

      621    154.649824    10.1.101.147    194.48.68.23    HTTP    Continuation or non-HTTP traffic

      As you can see, there is one more round trip involved in the SPNEGO authentication, and the final step is an HTTP continuation with the actual data.

      The Java client does:

           import java.io.BufferedReader;
           import java.io.InputStreamReader;
           import java.net.URL;

           // openStream() yields the body as an InputStream whatever the Content-Type is (getContent() may not)
           BufferedReader bufReader = new BufferedReader(new InputStreamReader(
                   new URL("http://rzmsv147:18080/Service?wsdl").openStream(), "UTF-8"));
           try {
               String str;
               while ((str = bufReader.readLine()) != null) {
                   System.out.println(str);
               }
           } finally {
               bufReader.close();   // Java 6: no try-with-resources
           }

       

      And it has the following configuration related to Kerberos:

      -Dhttp.auth.preference=Kerberos
      -Djava.security.auth.login.config=res\jaas.conf
      -Djava.security.krb5.conf=res\krb5.conf
      -Djavax.security.auth.useSubjectCredsOnly=false

      jaas.conf:

      -------------------------

      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=false;
      };

      -------------------------

       

      krb5.conf:

      -------------------------

      [libdefaults]
          default_realm = INTRA.COMP.AT
          default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc des-cbc-md4
          default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc des-cbc-md4
          udp_preference_limit = 1
      [realms]
          INTRA.COMP.AT = {
              kdc = kdc.comp.at:kdc1.comp.at
          }
      [domain_realms]
          .intra = INTRA.COMP.AT

      -------------------------

       

      Any ideas why the SPNEGO authentication works with Firefox, but not with the Java client? This is on Windows 7 with Java 1.6 on the client and JBoss Negotiation 2.0.3.SP1 on the server.

      Thanks in advance, Florian
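Before touching encryption types, it is worth decoding what the two clients actually put on the wire, because the captured token prefixes in the post already differ in structure. The following is an added example (not part of Florian's post and not JBoss Negotiation code) that decodes the base64 prefix of a Negotiate header just far enough to tell a raw GSS-API Kerberos token from a SPNEGO NegTokenInit or NegTokenResp (RFC 2743 section 3.1 and RFC 4178), tolerating the truncation of a token copied out of a capture. The OID table and the constructed NegTokenInit used for the self-check are my additions. Run on the four prefixes quoted above, it reports: the Java client's `YIIEqAYJKoZIhvcSAQI...` is a GSS-API initial context token whose mechanism OID is Kerberos V5 (1.2.840.113554.1.2.2) directly, i.e. not wrapped in SPNEGO at all; Firefox's `YIIK8wYGKwYB...` is a SPNEGO NegTokenInit with a 46-byte mechTypes list; the server's `oRQwEqAD...` is a NegTokenResp with negState accept-incomplete and supportedMech Kerberos V5; and Firefox's third request carries a NegTokenResp with a 2729-byte responseToken. That difference in token framing is worth checking against the server-side handler before changing any enctype settings.

```python
import base64

# Value bytes of the DER-encoded mechanism OIDs seen in SPNEGO on Windows networks (my table).
SPNEGO_DER = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {
    SPNEGO_DER: "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "KRB5",             # 1.2.840.113554.1.2.2 Kerberos V5
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",          # 1.2.840.48018.1.2.2  Microsoft Kerberos
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",        # 1.3.6.1.4.1.311.2.2.10
    bytes.fromhex("2b06010401823702021e"): "NEGOEX",         # 1.3.6.1.4.1.311.2.2.30
}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def b64_prefix(text):
    """Decode a base64 token as copied from a capture: may end in '...' and be cut mid-group."""
    s = text.strip().rstrip(".")
    if len(s) % 4 == 1:                       # a lone trailing sextet does not form a whole byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))

def read_tlv(buf, pos):
    """DER header at pos -> (tag, length, offset of value); length may exceed what was captured."""
    if pos + 2 > len(buf):
        raise EOFError("capture ends before element header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long form: the next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        if pos + n > len(buf):
            raise EOFError("capture ends inside length field")
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos

def expect(buf, pos, tag):
    t, length, vpos = read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x at offset %d, found 0x%02x" % (tag, pos, t))
    return length, vpos

def read_oid(buf, pos):
    """OID element -> (mechanism name or hex, offset after it); a cut-off OID is still
    identified when exactly one known mechanism of that length starts with the bytes present."""
    length, vpos = expect(buf, pos, 0x06)
    raw = buf[vpos:vpos + length]
    if len(raw) == length:
        return MECHS.get(raw, raw.hex()), vpos + length
    hits = [n for d, n in MECHS.items() if len(d) == length and d.startswith(raw)]
    if len(hits) == 1:
        return hits[0], vpos + length
    raise EOFError("capture ends inside an OID")

def classify_negotiate_token(b64):
    """Say what a Negotiate header carries, using only the bytes that were captured."""
    buf = b64_prefix(b64)
    if buf[:1] == b"\x60":                                # GSS-API InitialContextToken (RFC 2743 3.1)
        _, pos = expect(buf, 0, 0x60)
        mech, pos = read_oid(buf, pos)
        if mech != "SPNEGO":                              # e.g. a bare Kerberos AP-REQ, no negotiation
            return {"kind": "raw-gss", "mech": mech}
        _, pos = expect(buf, pos, 0xA0)                   # NegotiationToken CHOICE negTokenInit [0]
        _, pos = expect(buf, pos, 0x30)                   # NegTokenInit SEQUENCE
        _, pos = expect(buf, pos, 0xA0)                   # mechTypes [0]
        seq_len, pos = expect(buf, pos, 0x30)             # SEQUENCE OF MechType
        mechs, end = [], pos + seq_len
        while pos < end:
            try:
                m, pos = read_oid(buf, pos)
            except EOFError:
                break
            mechs.append(m)
        return {"kind": "spnego-init", "mechTypes": mechs, "mechTypesLen": seq_len, "complete": pos >= end}
    if buf[:1] == b"\xa1":                                # NegotiationToken CHOICE negTokenResp [1]
        _, pos = expect(buf, 0, 0xA1)
        _, pos = expect(buf, pos, 0x30)
        out = {"kind": "spnego-resp"}
        while pos < len(buf):
            try:
                tag, length, vpos = read_tlv(buf, pos)
                if tag == 0xA0:                           # negState [0] ENUMERATED
                    _, p = expect(buf, vpos, 0x0A)
                    out["negState"] = NEG_STATES.get(buf[p], buf[p])
                elif tag == 0xA1:                         # supportedMech [1] OID
                    out["supportedMech"], _ = read_oid(buf, vpos)
                elif tag == 0xA2:                         # responseToken [2] OCTET STRING
                    out["responseTokenLen"], _ = expect(buf, vpos, 0x04)
            except (EOFError, IndexError):
                break
            pos = vpos + length
        return out
    raise ValueError("not a GSS-API or SPNEGO token, first bytes %s" % buf[:4].hex())

def der(tag, body):
    """Tiny DER TLV encoder (lengths up to 65535), enough for the constructed test token."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def build_neg_token_init(mech_names):
    """Constructed (not captured) SPNEGO NegTokenInit carrying only a mechTypes list, base64 encoded."""
    oid = {n: der(0x06, d) for d, n in MECHS.items()}
    mech_types = der(0xA0, der(0x30, b"".join(oid[n] for n in mech_names)))
    return base64.b64encode(der(0x60, oid["SPNEGO"] + der(0xA0, der(0x30, mech_types)))).decode()
```

Call `classify_negotiate_token()` on the header value with the `Negotiate ` prefix stripped; the four prefixes quoted in the capture above give `{'kind': 'raw-gss', 'mech': 'KRB5'}`, a `spnego-init` with `mechTypesLen` 46, a `spnego-resp` with `negState` accept-incomplete and `supportedMech` KRB5, and a `spnego-resp` with `responseTokenLen` 2729. The Java client's OID is cut off one byte short in the post, which is why `read_oid` falls back to a unique-prefix match against the table rather than requiring the whole OID; `build_neg_token_init()` exists only so a complete mechTypes list can be exercised offline.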

        • 1. Re: JAX-WS with JBoss Negotiation

          Two things I would try:

          Firstly:

          Modify your krb5.conf file to have these two lines:

          default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc des-cbc-md4
          default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc des-cbc-md4

          That drops the higher encryption types to support rc4-hmac, which is still pretty strong at 128-bit encryption anyway.

          Second thing:

          With Windows 7 and Windows 2008, Microsoft changed the default encryption protocols that are supported.
          http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx


          If the first step above doesn't work, then I would modify the GPO on your 2008 and Win 7 boxes to support the two DES encryption types (unlike on XP and 2003, they are now disabled by default) in addition to the default values.

           

          The GPO setting is located in:

          Security Settings | Local Policies | Security Options | Network Security: Configure encryption types allowed for Kerberos

           

          See how that goes. If you can, please update this thread if it works.

          Cheers,

          David