2 Replies Latest reply on Nov 9, 2012 8:47 AM by jcacek

Issue while implementing SPNEGO using Jboss Negotiation?

puneet82 Sep 4, 2012 6:13 AM

Hi,

I am implementing "Integrated Windows Authentication" using SPNEGO in JBoss EAP 5.1.2 by referring Jboss Negotiation User Guide. I had completed all the tasks as mentioned in guide with basic SPNEGOLoginModule & UserRolesLoginModule configuration. I have deployed negotiation kit application to the server.

While starting the server I am getting one liner Error as mentioned below:

  ERROR [org.apache.catalina.startup.ContextConfig] (main) Cannot configure an authenticator for method SPNEGO

As mentioned in the guide, I had enabled TRACE. While starting to deploy the app I can see following log:

  2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) ctor, contextID=jboss-negotiation-toolkit-2.0.3.SP1
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebResourcePermission /Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /:/Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /:/Secured/*)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission BasicNegotiation HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission NTLMNegotiation HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission SecurityDomainTest HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission Secured HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission BasicNegotiation HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission NTLMNegotiation HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission SecurityDomainTest HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission Secured HttpInvoker)
2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission HttpInvoker)
2012-09-03 12:13:51,306 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) commit:jboss-negotiation-toolkit-2.0.3.SP1
2012-09-03 12:13:51,310 INFO [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (main) deploy, ctxPath=/jboss-negotiation-toolkit-2.0.3.SP1
2012-09-03 12:13:51,318 ERROR [org.apache.catalina.startup.ContextConfig] (main) Cannot configure an authenticator for method SPNEGO
2012-09-03 12:13:51,318 ERROR [org.apache.catalina.startup.ContextConfig] (main) Marking this application unavailable due to previous error(s)
2012-09-03 12:13:51,318 ERROR [org.apache.catalina.core.StandardContext] (main) Context [/jboss-negotiation-toolkit-2.0.3.SP1] startup failed due to previous errors
2012-09-03 12:13:51,321 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main) Error installing to Start: name=jboss.web.deployment:war=/jboss-negotiation-toolkit-2.0.3.SP1 state=Create mode=Manual requiredState=Installed
org.jboss.deployers.spi.DeploymentException: URL file:/appdata1/JBossInstaller/jboss-eap-5.1/jboss-as/server/default/deploy/jboss-negotiation-toolkit-2.0.3.SP1/ deployment failed
at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:334)

But at the end it ends with a simple error message - Cannot configure an authenticator for method SPNEGO.

Am I missing any obvious setting, which is not present in guide.

Has anyone come across such error/issue. Please let me know what could be the problem.

Thanks in advance,

Puneet

1. Re: Issue while implementing SPNEGO using Jboss Negotiation?

xds2000 Oct 24, 2012 8:18 PM (in response to puneet82)

please keep your jdk to 1.7
Actions

2. Re: Issue while implementing SPNEGO using Jboss Negotiation?

jcacek Nov 9, 2012 8:47 AM (in response to xds2000)

The problem will be related to the PicketLinkAuthenticator, which is referred from the war-deployers-jboss-beans.xml, but it's not on the classpath by default. It results in non-working other custom authenticators.

The issue is reported already: https://issues.jboss.org/browse/JBPAPP-9544

Workaround is to drop this entry from the configuration:

            <entry>
               <key>SECURITY_DOMAIN</key>
               <value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value>
            </entry>

So the correct value of authenticators property can look like:

<property name="authenticators">
          <map class="java.util.Properties" keyClass="java.lang.String"
                    valueClass="java.lang.String">
                    <entry>
                              <key>BASIC</key>
                              <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
                    </entry>
                    <entry>
                              <key>CLIENT-CERT</key>
                              <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
                    </entry>
                    <entry>
                              <key>DIGEST</key>
                              <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
                    </entry>
                    <entry>
                              <key>FORM</key>
                              <value>org.apache.catalina.authenticator.FormAuthenticator</value>
                    </entry>
                    <entry>
                              <key>NONE</key>
                              <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
                    </entry>
                    <entry>
                              <key>SPNEGO</key>
                              <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
                    </entry>
          </map>
</property>

Go to original post