2 Replies Latest reply on Dec 9, 2014 8:08 PM by ke88yun

    Datasource using Kerberos authentication

    icemanltd

      We are using the SQL Server JDBC driver on Red Hat. By specifying -Djava.security.auth.login.config and -Djava.security.krb5.conf I am able to log in to SQL Server using integratedSecurity and Kerberos authentication from a standalone test "app". Now I am trying to create a datasource in JBoss AS 7.1.1 which will authenticate in the same way. The connection URL is specified the same as it was in the standalone test. I have set the system properties to point to the same login module and krb5 configuration files. But this is not working.

       

      Does anyone know how to configure a datasource for Kerberos authentication in JBoss AS 7.1.1?

        • 1. Re: Datasource using Kerberos authentication
          ke88yun

          I ran into exactly the same situation.

          I have a standalone Java app which is working fine through Kerberos authentication to a PostgreSQL database on a Linux platform.

          However, it is not working when configuring a JBoss AS 7 datasource using Kerberos authentication, and it throws the following exception:

          ================================================================================================
          2014-12-09 16:03:29,077 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (MSC service thread 1-6) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: No matching credentials in Subject!
                  at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1015)
                  at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:211)
                  at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:761)
                  at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:343)
                  at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:397)
                  at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:365)
                  at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:329)
                  at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:368)
                  at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:464)
                  at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:129)
                  at org.hibernate.ejb.connection.InjectedDataSourceConnectionProvider.getConnection(InjectedDataSourceConnectionProvider.java:67) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.engine.jdbc.internal.JdbcServicesImpl$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcServicesImpl.java:253) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:119) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:75) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:159) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:131) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:71) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSettingsInternal(Configuration.java:2270) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2266) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1735) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:84) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:904) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:889) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.HibernatePersistence.createContainerEntityManagerFactory(HibernatePersistence.java:73) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.jboss.as.jpa.service.PersistenceUnitServiceImpl.createContainerEntityManagerFactory(PersistenceUnitServiceImpl.java:162) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.jpa.service.PersistenceUnitServiceImpl.start(PersistenceUnitServiceImpl.java:85) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                  at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
          =========================================

          By digging into the source code, it looks like it will never work.

          The following is the call sequence:

          1. getConnectionProperties -> SubjectActions.addMatchingProperties

              http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.ironjacamar/ironjacamar-jdbc/1.0.9.Final/org/jboss/jca/adapters/jdbc/BaseWrapperManagedConnectionFactory.java/

                /**
                 * Add matching properties
                 * @param subject The subject
                 * @param props The properties
                 * @param mcf The managed connection factory
                 * @return The result
                 */
                static boolean addMatchingProperties(Subject subject, Properties props, ManagedConnectionFactory mcf)
                {
                   SubjectActions action = new SubjectActions(subject, props, mcf);
                   Boolean matched = AccessController.doPrivileged(action);
                   return matched.booleanValue();
                }

           

          2. SubjectActions.addMatchingProperties -> AccessController.doPrivileged(action); -> run method defined in the SubjectActions class (which will always return Boolean.FALSE for the Kerberos scenario)

                /**
                 * SubjectActions
                 */
                static class SubjectActions implements PrivilegedAction<Boolean>
                {
                   // ... <code omitted for simplicity>

                   /**
                    * Run
                    * @return The result
                    */
                   public Boolean run()
                   {
                      // <<< subject.getPrivateCredentials will return null when looking for PasswordCredential in the Kerberos scenario
                      Set<PasswordCredential> creds = subject.getPrivateCredentials(PasswordCredential.class);
                      if (creds != null && creds.size() > 0)
                      {
                         for (PasswordCredential cred : creds)
                         {
                            if (cred.getManagedConnectionFactory().equals(mcf))
                            {
                               props.setProperty("user", (cred.getUserName() == null) ? "" : cred.getUserName());
                               if (cred.getPassword() != null)
                                  props.setProperty("password", new String(cred.getPassword()));
                               return Boolean.TRUE;
                            }
                         }
                      }
                      return Boolean.FALSE;
                   }
                }
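
The lookup traced in the post above, as an added stand-alone example (not code from the thread or from IronJacamar): a Subject that holds only a Kerberos private credential yields no PasswordCredential from the typed lookup, so the match is false, while a Subject holding a password credential matches. The nested `PasswordCredential` class is a stand-in for `javax.resource.spi.security.PasswordCredential`, `credentialTypes` is a hypothetical diagnostic helper, and the principal, key bytes, user name and password are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
public class SubjectCredentialLookup {
    // Stand-in (assumption) for javax.resource.spi.security.PasswordCredential,
    // so the example compiles without the JCA API jar; the MCF check is left out.
    static final class PasswordCredential {
        final String userName;
        final char[] password;
        PasswordCredential(String userName, char[] password) {
            this.userName = userName;
            this.password = password;
        }
    }

    // Diagnostic: which credential classes does the Subject actually hold?
    static List<String> credentialTypes(Subject subject) {
        List<String> names = new ArrayList<>();
        for (Object cred : subject.getPrivateCredentials()) names.add(cred.getClass().getName());
        return names;
    }

    // Same typed lookup as SubjectActions.run() quoted in the post.
    static boolean addMatchingProperties(Subject subject, Properties props) {
        Set<PasswordCredential> creds = subject.getPrivateCredentials(PasswordCredential.class);
        for (PasswordCredential cred : creds) {
            props.setProperty("user", cred.userName == null ? "" : cred.userName);
            if (cred.password != null) props.setProperty("password", new String(cred.password));
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values: principal, key bytes, user name and password are made up.
        KerberosPrincipal principal = new KerberosPrincipal("svc_app@EXAMPLE.COM");
        Subject kerberos = new Subject();
        kerberos.getPrivateCredentials().add(new KerberosKey(principal, new byte[16], 17, 1));
        Subject password = new Subject();
        password.getPrivateCredentials().add(new PasswordCredential("app", "changeit".toCharArray()));
        for (Subject s : new Subject[] {kerberos, password}) {
            System.out.println(credentialTypes(s) + " -> matched=" + addMatchingProperties(s, new Properties()));
        }
    }
}
```

Listing the credential classes of the Subject that the security domain produces is a quick way to confirm whether a datasource failure with "No matching credentials in Subject!" comes from this type mismatch.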

          • 2. Re: Datasource using Kerberos authentication
            ke88yun

            It seems that Kerberos support has been added since IronJacamar 1.1.5-final and backported to 1.0.25-final as well. See the following task id for detail.

            https://issues.jboss.org/browse/JBJCA-1157