9 Replies Latest reply on Jan 15, 2013 2:08 PM by bmateus
      • 1. EJB3 and SPNego/Kerberos
        schorsch07

        Hello Anil,

         

        I tried to use SSO with EJB.

         

        I downloaded the JBoss Server 5.1.0GA and the jboss-negotiation.jar that can be found on the page. As I never worked with JBoss 5.x I copied the jar to [JBOSS]/common/lib and [JBOSS]/server/default/lib. I replaced the existing jar. 

        Then I deployed the EJB that is also on the page.

         

        Then I started the client side java program.

        As I did not start the program from the client folder of JBoss I had to copy many jars into my folder where I put my class file to avoid this error: 

        java.lang.ClassCastException: javax.naming.Reference

         

        Running the program throws an exception on the server side:

         

        08:48:00,487 ERROR[SocketServerInvoker]Thread[AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]],5,jboss]failedto handle socket

        java.io.IOException: java.lang.NegativeArraySizeException

                at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137)

                at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)

                at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)

                at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)

        Caused by: java.lang.NegativeArraySizeException

                at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181)

                at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)

                ... 3 more

         

        The only difference between the configurations is this:

        <module-option name="principal">jboss/mmoyses@EXAMPLE.COM</module-option>

        As I do not know jboss/... I tried this: 

        <module-option name="principal">http/server.example.com@EXAMPLE.COM</module-option>

        and

        <module-option name="principal">host/server.example.com@EXAMPLE.COM</module-option>

        • 2. EJB3 and SPNego/Kerberos
          schorsch07

          Changing some classes and the configuration let me go further. But at the end I still do not have success.

           

          Invoking the test client on the server side there is an exception:

          2011-01-12 15:32:10,654 ERROR [org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Error parsing/decoding ticket: Checksum failed

          org.jboss.security.negotiation.NegotiationException: Checksum failed

              at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78)

              at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67)

              at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291)

              at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188)

              at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78)

              at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344)

              at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211)

              at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)

              at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)

              at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)

              at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)

          Caused by: java.security.GeneralSecurityException: Checksum failed

              at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125)

              at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74)

              ... 10 more

           

          I checked and rechecked the keytab files on the client and server side.

           

          Even though this exception is thrown, the login modules run successfully. It seems that the login modules are invoked twice. The first time is when looking up the bean. Then the user roles are set correctly:

          2011-01-12 15:32:10,670 TRACE[org.jboss.security.auth.spi.UsersRolesLoginModule](AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]])Checking user: user@EXAMPLE.COM, roles string:JBossAdmin,HttpInvoker,Users

          2011-01-12 15:32:10,670 TRACE[org.jboss.security.auth.spi.UsersRolesLoginModule](AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]])Adding to Roles: JBossAdmin,HttpInvoker,Users

           

          If the method is invoked, the SPNEGOLoginModule has lost its NegotiationContext or has never created one.

           

          Now I am not sure where my error is. Is it only a configuration error, and what should be done to get it working?

           

          What I changed:

           

          1. InitSPNEGOContextAction.java

              GSSName serverName = manager.createName("jboss/mmoyses", null);

              --> Changed the nameString (just to test if this helps)

           

          2. ejb3-connectory-jboss-beans.xml

               As the socketFactory parameter never ran, I also added a socketFactoryClassName=...

           

          Thank you,

          Georg

          • 3. EJB3 and SPNego/Kerberos
            cduerr

            Hi Anil,

             

            This is very cool stuff - I am thrilled you are working on it.

             

            I have a webStart application that uses JBoss remoting (and JBoss 4.2.2) and the Http:univoker for SSL and port 8080 firewall-friendly access. What are your thoughts on SPNEGO/Kerberos and EJB3 with JBoss remoting over the Unified Invoker? Is this going to be a configuration task or is there some technical barrier to getting it accomplished?

             

            Thanks,

             

            Craig

            • 4. Re: EJB3 and SPNego/Kerberos
              snelders

              Some feedback as requested by Anil (I tried this on JBoss 6.0.0 with JBoss Negotiation 2.1.0):

               

              I ran into the same error as Georg mentioned.

               

              I just finished a successful implementation of a custom SSO Kerberos login module for Glassfish to access EJB3s from a Swing client, so I'm sure my Kerberos/Windows AD configuration, keytab etc. are correct.

               

              16:21:07,121 ERROR [org.jboss.security.negotiation.net.SPNEGOServerSocket] Error parsing/decoding ticket: Checksum failed: org.jboss.security.negotiation.NegotiationException: Checksum failed

                      at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78) [:2.1.0.GA]

                      at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67) [:2.1.0.GA]

                      at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291) [:2.1.0.GA]

                      at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188) [:2.1.0.GA]

                      at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78) [:2.1.0.GA]

                      at org.jboss.security.negotiation.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344) [:2.1.0.GA]

                      at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211) [:2.1.0.GA]

                      at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]

                      at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1145) [:6.0.0.Final]

                      at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.0.0.Final]

                      at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1056) [:6.0.0.Final]

              Caused by: java.security.GeneralSecurityException: Checksum failed

                      at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125) [:2.1.0.GA]

                      at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74) [:2.1.0.GA]

                      ... 10 more

               

               

              Would love to receive some directions to solve this or hear some experiences from other users.

               

               

              I think there is one typo in the original article:

               

              <parameter>socket:.....SPNEGOSocketFactory&useAllSocketFactoryParams=true</parameter>

               

              Should be ("&" should be "&amp;")

               

              <parameter>socket:.....SPNEGOSocketFactory&amp;useAllSocketFactoryParams=true</parameter>

              • 5. Re: EJB3 and SPNego/Kerberos
                lauerc

                Hi Georg,

                 

                I'm currently stuck at the NegativeArraySize problem too. Do you know what you've changed to get further?

                Did you also solve the "Checksum failed" problem in the meantime?

                 

                Thanks in advance for your help

                Christian

                • 6. Re: EJB3 and SPNego/Kerberos
                  schorsch07

                  Hi Christian,

                   

                  As I mentioned above, I only changed the class InitSPNEGOContextAction.java and the ejb3-connectory-jboss-beans.xml, as Jan also mentioned. But I gave up using SSO with JBoss 4.2.3, as I never could solve the "Checksum failed" problem.

                   

                  Hope this helps - good luck,

                  Georg

                  • 7. Re: EJB3 and SPNego/Kerberos
                    lauerc

                    Hi Georg,

                     

                    I've put a breakpoint at the line you've mentioned, but this one is never reached.

                    Also this class is used by the SPNEGOSocket class, but the NegativeArraySizeException occurs in the SPNEGOServerSocket class.

                     

                    I'm trying to use this stuff in JBoss AS 5.1.0.GA. Now I've tried it again after setting up a clean Kerberos configuration, but the NegativeArraySizeException problem remained.

                     

                    I've changed the code a bit and have found out that the client for my test always sends an int of -1393754107 for the first 4 bytes (0xac, 0xed, 0x00, 0x05) that are processed by the server code which causes the problem.

                     

                    I suspect that something else needs to be configured at the client side, as I've checked the steps in the description over and over. Any ideas?

                     

                    Kind regards

                    Christian
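
The four bytes reported in the post above (0xac, 0xed, 0x00, 0x05) are the standard header of a Java object serialization stream, and read as a big-endian int they give exactly -1393754107. The following is an added example, not code from JBoss Negotiation or from any poster in this thread: a length-prefixed reader that rejects that header and any out-of-range length before allocating. The 4-byte length framing, the class name `TokenFrameReader` and the `MAX_TOKEN_BYTES` limit are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

public class TokenFrameReader {
    // ObjectOutputStream writes STREAM_MAGIC (0xACED) then STREAM_VERSION (0x0005).
    static final int SERIALIZATION_HEADER = 0xACED0005;
    // Assumed upper bound for one token; not a value taken from JBoss Negotiation.
    static final int MAX_TOKEN_BYTES = 64 * 1024;

    /** Reads one frame: 4-byte big-endian length, then that many token bytes (assumed framing). */
    static byte[] readToken(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        int length = data.readInt();
        if (length == SERIALIZATION_HEADER) {
            throw new IOException("peer sent a Java serialization header (AC ED 00 05) "
                    + "where a token length was expected");
        }
        // Validate before allocating: new byte[negative] throws NegativeArraySizeException,
        // and a huge positive value lets an unauthenticated peer force a large allocation.
        if (length < 0 || length > MAX_TOKEN_BYTES) {
            throw new IOException("implausible token length: " + length);
        }
        byte[] token = new byte[length];
        data.readFully(token); // throws EOFException if the peer sends fewer bytes
        return token;
    }

    static String describe(byte[] wire) {
        try {
            return "accepted " + readToken(new ByteArrayInputStream(wire)).length + " byte token";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the byte sequence quoted in the post.
        byte[] reported = {(byte) 0xac, (byte) 0xed, 0x00, 0x05};
        byte[] wellFormed = {0x00, 0x00, 0x00, 0x03, 0x60, 0x01, 0x02};
        byte[] tooLarge = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        System.out.println(describe(reported));
        System.out.println(describe(wellFormed));
        System.out.println(describe(tooLarge));
    }
}
```

A serialization header arriving where a token length is expected suggests the client opened an ordinary remoting socket rather than one that sends a negotiation token first, so the client-side socket factory setting is the first thing to verify.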

                    • 8. Re: EJB3 and SPNego/Kerberos
                      sylvain.decout

                      Hi,

                       

                      This tutorial is very interesting, but it leads me to the same problem as Christian, even though I've been using JBoss AS 6.1.0 and Negotiation 2.1.0 (GA):

                      17:37:40,953 ERROR [org.jboss.remoting.transport.socket.SocketServerInvoker] Thread[AcceptorThread[ServerSocket[addr=/127.0.0.1,port=0,localport=3873]],5,jboss] failed to handle socket: java.io.IOException: java.lang.NegativeArraySizeException

                        at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137) [:2.1.0.GA]

                        at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1169) [:6.1.0.Final]

                        at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.1.0.Final]

                        at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1080) [:6.1.0.Final]

                      Caused by: java.lang.NegativeArraySizeException

                        at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181) [:2.1.0.GA]

                        at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]

                        ... 3 more

                       

                      Do you have any idea about the cause of this problem and how to solve it? Thanks.

                      • 9. Re: EJB3 and SPNego/Kerberos
                        bmateus

                        Hi all,

                         

                        Can anyone help me to set up EJB3 authentication when using JBoss Negotiation 2.1.1 on JBoss 4.2.3? JBoss Negotiation is really a nice solution but I'm having some problems, detailed at https://community.jboss.org/thread/219727?tstart=0

                         

                        Thanks in advance.