0 Replies Latest reply on Nov 27, 2013 11:27 AM by swoeste

    Kerberos security domain is not recognized

    swoeste

      Hi Everyone,

       

      I have a little problem with my security domain configuration and need some help from some more experienced users.

       

      My application consists of 2 WARs which are packed in 1 EAR.

      One of the 2 WARs, the authentication.war, should be configured to use the Krb5LoginModule.

       

      For JBoss 4 we added the following configuration to the login-config.xml:

       

      <application-policy name = "other">     
       <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" 
            flag="required">
            <module-option name="debug" value="true" />
            <module-option name="storeKey" value="true" />
          </login-module>
       </authentication>      
      </application-policy>
      

       

      With JBoss 4 this works quite well, even if it is not very nice that it is the "other" application-policy.

       

      For JBoss 6 I configured it like this:

       

      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
              </login-module>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      

       

      Which is also working quite well, BUT I don't want it to be in the security-domain other any more, so I have made some changes ...

       

      <security-domain name="KERBEROS-TEST" cache-type="default">
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
              </login-module>
      </security-domain>
      
      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      

       

      ... and added a jboss-web.xml to my authentication.war:

       

      <jboss-web>  
        <security-domain>KERBEROS-TEST</security-domain>  
      </jboss-web>
      

       

      with this configuration it is not working any more.

       

      I think it ignores the KERBEROS-TEST security domain and directly goes to the other security-domain.

      If I have a look at the server.log I don't see any DEBUG output from Kerberos (I see a lot of it in the working configuration) and I think the module UsernamePasswordLoginModule is the one from the other security-domain.

       

      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:293)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      

       

      Does anyone have a clue what is going wrong here or could give me some advice on how I could further analyse the problem?

       

      Kind regards,

      Sebastian
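
One way to sanity-check such a setup, as an added example that is not part of the original post: the script below looks up the security domain named in jboss-web.xml and reports any login-module that is not nested under `<authentication>`, which is where the two working configurations in the post place them. The `<security-domains>` wrapper, the abridged "other" domain and the function names are assumptions made for this example, and whether a finding explains the behaviour described in the post is not established here.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: abridged fragments from the post, wrapped in a
# hypothetical <security-domains> root so they parse as one document.
SERVER_CONFIG = """
<security-domains>
  <security-domain name="KERBEROS-TEST" cache-type="default">
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
    </login-module>
  </security-domain>
  <security-domain name="other" cache-type="default">
    <authentication>
      <login-module code="Remoting" flag="optional"/>
      <login-module code="RealmDirect" flag="required"/>
    </authentication>
  </security-domain>
</security-domains>
"""
JBOSS_WEB = "<jboss-web><security-domain>KERBEROS-TEST</security-domain></jboss-web>"


def local(tag):
    """Strip an XML namespace so the check also works on namespaced files."""
    return tag.rsplit("}", 1)[-1]


def check_domain(server_xml, jboss_web_xml):
    """Return a list of findings for the domain referenced by jboss-web.xml."""
    wanted = None
    for el in ET.fromstring(jboss_web_xml).iter():
        if local(el.tag) == "security-domain":
            wanted = (el.text or "").strip()
    if not wanted:
        return ["jboss-web.xml names no security-domain"]
    domains = {d.get("name"): d for d in ET.fromstring(server_xml).iter()
               if local(d.tag) == "security-domain"}
    if wanted not in domains:
        return [f"domain {wanted!r} is not defined in the server configuration"]
    findings = []
    for child in domains[wanted]:
        if local(child.tag) == "login-module":
            findings.append(f"{wanted}: login-module {child.get('code')!r} "
                            "is not inside <authentication>")
    nested = [m for a in domains[wanted] if local(a.tag) == "authentication"
              for m in a if local(m.tag) == "login-module"]
    if not nested:
        findings.append(f"{wanted}: no login-module under <authentication>")
    return findings
```

Calling `check_domain(SERVER_CONFIG, JBOSS_WEB)` returns two findings for KERBEROS-TEST; pointing jboss-web.xml at `other` returns an empty list.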