-
1. EJB3 and SPNego/Kerberos
schorsch07 Jan 11, 2011 6:05 AM (in response to anil.saldhana)
Hello Anil,
I tried to use SSO with EJB.
I downloaded the JBoss Server 5.1.0GA and the jboss-negotiation.jar that can be found on the page. As I never worked with JBoss 5.x I copied the jar to [JBOSS]/common/lib and [JBOSS]/server/default/lib. I replaced the existing jar.
Then I deployed the EJB that is also on the page.
Then I started the client side java program.
As I did not start the program from the client folder of JBoss I had to copy many jars into my folder where I put my class file to avoid this error:
java.lang.ClassCastException: javax.naming.Reference
Running the program throws an exception on the server side:
08:48:00,487 ERROR [SocketServerInvoker] Thread[AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]],5,jboss] failed to handle socket
java.io.IOException: java.lang.NegativeArraySizeException
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137)
at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)
at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)
Caused by: java.lang.NegativeArraySizeException
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181)
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)
... 3 more
The only difference between the configurations is this:
<module-option name="principal">jboss/mmoyses@EXAMPLE.COM</module-option>
As I do not know jboss/... I tried this:
<module-option name="principal">http/server.example.com@EXAMPLE.COM</module-option>
and
<module-option name="principal">host/server.example.com@EXAMPLE.COM</module-option>
-
2. EJB3 and SPNego/Kerberos
schorsch07 Jan 12, 2011 10:56 AM (in response to anil.saldhana)
Changing some classes and the configuration let me go further. But at the end I still do not have success.
Invoking the test client on the server side there is an exception:
2011-01-12 15:32:10,654 ERROR [org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Error parsing/decoding ticket: Checksum failed
org.jboss.security.negotiation.NegotiationException: Checksum failed
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78)
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67)
at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291)
at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188)
at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78)
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344)
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211)
at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)
at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)
at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)
Caused by: java.security.GeneralSecurityException: Checksum failed
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125)
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74)
... 10 more
I checked and rechecked the keytab files on the client and server side.
Even though this exception is thrown, the login modules run successfully. It seems that the login modules are invoked twice. The first time is when looking up the bean. Then the user roles are set correctly:
2011-01-12 15:32:10,670 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Checking user: user@EXAMPLE.COM, roles string:JBossAdmin,HttpInvoker,Users
2011-01-12 15:32:10,670 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Adding to Roles: JBossAdmin,HttpInvoker,Users
If the method is invoked, the SPNEGOLoginModule has lost its NegotiationContext or has never created one.
Now I am not sure where my error is. Is it only a configuration error, and what should be done to get it working?
What I changed:
1. InitSPNEGOContextAction.java
GSSName serverName = manager.createName("jboss/mmoyses", null); --> Changed the nameString (just to test if this helps)
2. ejb3-connectory-jboss-beans.xml
As the socketFactory parameter never ran, I also added a socketFactoryClassName=...
Thank you,
Georg
-
3. EJB3 and SPNego/Kerberos
cduerr Jan 12, 2011 1:17 PM (in response to anil.saldhana)
Hi Anil,
This is very cool stuff - I am thrilled you are working on it.
I have a webStart application that uses jboss remoting (and JBoss 4.2.2) and the Http:univoker for SSL and port 8080 Firewall friendly access. What are your thoughts on Spnego/Kerberos and EJB3 with Jboss remoting over the Unified Invoker? Is this going to be a configuration task or is there some technical barrier to getting it accomplished?
Thanks,
Craig
-
4. Re: EJB3 and SPNego/Kerberos
snelders Aug 16, 2011 10:52 AM (in response to anil.saldhana)
Some feedback as requested by Anil (I tried this on JBoss 6.0.0 with JBoss Negotiation 2.1.0):
I ran into the same error as Georg mentioned.
I just finished a successful implementation of a custom SSO Kerberos login module for Glassfish to access EJB3s from a Swing client, so I'm sure my Kerberos/Windows AD configuration, keytab etc. are correct.
16:21:07,121 ERROR [org.jboss.security.negotiation.net.SPNEGOServerSocket] Error parsing/decoding ticket: Checksum failed: org.jboss.security.negotiation.NegotiationException: Checksum failed
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78) [:2.1.0.GA]
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67) [:2.1.0.GA]
at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291) [:2.1.0.GA]
at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188) [:2.1.0.GA]
at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78) [:2.1.0.GA]
at org.jboss.security.negotiation.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344) [:2.1.0.GA]
at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211) [:2.1.0.GA]
at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]
at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1145) [:6.0.0.Final]
at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.0.0.Final]
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1056) [:6.0.0.Final]
Caused by: java.security.GeneralSecurityException: Checksum failed
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125) [:2.1.0.GA]
at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74) [:2.1.0.GA]
... 10 more
Would love to receive some directions to solve this or hear some experiences from other users.
I think there is one typo in the original article:
<parameter>socket:.....SPNEGOSocketFactory&useAllSocketFactoryParams=true</parameter>
Should be ("&" should be "&amp;")
<parameter>socket:.....SPNEGOSocketFactory&amp;useAllSocketFactoryParams=true</parameter>
-
5. Re: EJB3 and SPNego/Kerberos
lauerc Sep 12, 2011 5:51 AM (in response to schorsch07)
Hi Georg,
I'm currently stuck at the NegativeArraySize problem too. Do you know what you've changed to get further?
Did you also solve the "Checksum failed" - problem in the meantime?
Thanks in advance for your help
Christian
-
6. Re: EJB3 and SPNego/Kerberos
schorsch07 Sep 13, 2011 3:50 AM (in response to lauerc)
Hi Christian,
as I mentioned above, I only changed the class InitSPNEGOContextAction.java and the ejb3-connectory-jboss-beans.xml, as Jan also mentioned. But I gave up using SSO with JBoss 4.2.3, as I never could solve the "Checksum failed" problem.
Hope this helps - good luck,
Georg
-
7. Re: EJB3 and SPNego/Kerberos
lauerc Sep 19, 2011 4:11 AM (in response to schorsch07)
Hi Georg,
I've put a breakpoint at the line you've mentioned, but this one is never reached.
Also this class is used by the SPNEGOSocket class, but the NegativeArraySizeException occurs in the SPNEGOServerSocket class.
I'm trying to use this stuff in JBoss AS 5.1.0.GA. Now I've tried it again after setting up a clean Kerberos configuration, but the NegativeArraySizeException problem remained.
I've changed the code a bit and have found out that the client for my test always sends an int of -1393754107 for the first 4 bytes (0xac, 0xed, 0x00, 0x05) that are processed by the server code which causes the problem.
I suspect that something else needs to be configured at the client side, as I've checked the steps in the description over and over. Any ideas?
Kind regards
Christian
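The four bytes reported in the post above, 0xac 0xed 0x00 0x05, are the header that every `java.io.ObjectOutputStream` writes first (`STREAM_MAGIC` followed by `STREAM_VERSION`), and read as a signed big-endian int they give exactly -1393754107. The Java below is an added example, not code from JBoss Negotiation or from any poster: it assumes the token is preceded by a 4-byte length prefix (inferred from the post), and `TokenFrameCheck`, `readToken` and `MAX_TOKEN_BYTES` are hypothetical names. It shows a reader that validates the prefix before allocating, so a peer speaking plain Java serialization is reported as such instead of surfacing as a NegativeArraySizeException.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectStreamConstants;

public class TokenFrameCheck {
    // Assumed upper bound for a token; not a value taken from JBoss Negotiation.
    static final int MAX_TOKEN_BYTES = 64 * 1024;

    /** Reads one length-prefixed token, rejecting prefixes that cannot be a real length. */
    static byte[] readToken(DataInputStream in) throws IOException {
        int length = in.readInt();           // 4 bytes, big-endian, signed
        short hi = (short) (length >>> 16);  // first two bytes on the wire
        short lo = (short) length;           // last two bytes on the wire
        if (hi == ObjectStreamConstants.STREAM_MAGIC
                && lo == ObjectStreamConstants.STREAM_VERSION) {
            throw new IOException(
                "Peer sent a Java serialization header (0xACED0005), not a token length");
        }
        if (length < 0 || length > MAX_TOKEN_BYTES) {
            throw new IOException("Implausible token length: " + length);
        }
        byte[] token = new byte[length];     // safe: length is bounded above
        in.readFully(token);
        return token;
    }

    static DataInputStream stream(byte[] data) {
        return new DataInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the four bytes from the post, then two filler bytes.
        byte[] fromPost = {(byte) 0xac, (byte) 0xed, 0x00, 0x05, 0x73, 0x72};
        System.out.println("first 4 bytes as int: " + stream(fromPost).readInt());
        try {
            readToken(stream(fromPost));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed well-formed frame: length 3, then three token bytes.
        byte[] framed = {0, 0, 0, 3, 0x60, 0x01, 0x02};
        System.out.println("token bytes read: " + readToken(stream(framed)).length);
    }
}
```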
-
8. Re: EJB3 and SPNego/Kerberos
sylvain.decout Oct 21, 2011 11:50 AM (in response to anil.saldhana)
Hi,
This tutorial is very interesting, but it leads me to the same problem as Christian, even though I've been using Jboss AS 6.1.0 and Negotiation 2.1.0 (GA):
17:37:40,953 ERROR [org.jboss.remoting.transport.socket.SocketServerInvoker] Thread[AcceptorThread[ServerSocket[addr=/127.0.0.1,port=0,localport=3873]],5,jboss] failed to handle socket: java.io.IOException: java.lang.NegativeArraySizeException
at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137) [:2.1.0.GA]
at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1169) [:6.1.0.Final]
at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.1.0.Final]
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1080) [:6.1.0.Final]
Caused by: java.lang.NegativeArraySizeException
at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181) [:2.1.0.GA]
at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]
... 3 more
Do you have any idea about the cause of this problem and how to solve it? Thanks.
-
9. Re: EJB3 and SPNego/Kerberos
bmateus Jan 15, 2013 2:08 PM (in response to anil.saldhana)
Hi all,
Can anyone help me to set up EJB3 authentication when using JBoss Negotiation 2.1.1 on JBoss 4.2.3? JBoss Negotiation is really a nice solution but I'm having some problems detailed on https://community.jboss.org/thread/219727?tstart=0
Thanks in advance.