Kerberos security domain is not recognized
swoeste Nov 27, 2013 11:27 AM
Hi Everyone,
I have a little problem with my security domain configuration and need some help from some more experienced users.
My application consists of 2 WARs which are packed in 1 EAR.
One of the 2 WARs, the authentication.war, should be configured to use the Krb5LoginModule.
For JBoss 4 we added the following configuration to the login-config.xml:
<application-policy name = "other">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="debug" value="true" />
      <module-option name="storeKey" value="true" />
    </login-module>
  </authentication>
</application-policy>
With JBoss 4 this works quite well, even if it is not very nice that it is the "other" application-policy.
For JBoss 6 I configured it like this:
<security-domain name="other" cache-type="default">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
    </login-module>
    <login-module code="Remoting" flag="optional">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="RealmDirect" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  </authentication>
</security-domain>
Which is also working quite well, BUT I don't want it to be in the security-domain other any more, so I have made some changes ...
<security-domain name="KERBEROS-TEST" cache-type="default">
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
    <module-option name="debug" value="true"/>
    <module-option name="storeKey" value="true"/>
  </login-module>
</security-domain>
<security-domain name="other" cache-type="default">
  <authentication>
    <login-module code="Remoting" flag="optional">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="RealmDirect" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  </authentication>
</security-domain>
... and added a jboss-web.xml to my authentication.war:
<jboss-web>
  <security-domain>KERBEROS-TEST</security-domain>
</jboss-web>
With this configuration it is not working any more.
I think it ignores the KERBEROS-TEST security domain and directly goes to the other security-domain.
If I have a look at the server.log I don't see any DEBUG output from Kerberos (I see a lot of it in the working configuration) and I think the module UsernamePasswordLoginModule is the one from the other security-domain.
17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:293)
17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
Does anyone have a clue what is going wrong here, or could give me advice on how I could further analyse the problem?
Kind regards,
Sebastian
- boot.log.zip 2.2 KB
- server.log.zip 6.1 KB
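An added example, not part of the original post and not JBoss code: a small structural check over the security-domain fragment and the jboss-web.xml from the post. It reports whether the domain the WAR names is defined, and which login modules sit outside an `<authentication>` element, which is where the two configurations reported as working place them. The function names and the `<security-domains>` wrapper element are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed input: the third configuration from the post, trimmed, inside an
# assumed <security-domains> wrapper so the fragment parses as one document.
SECURITY_DOMAINS = """
<security-domains>
  <security-domain name="KERBEROS-TEST" cache-type="default">
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
    </login-module>
  </security-domain>
  <security-domain name="other" cache-type="default">
    <authentication>
      <login-module code="Remoting" flag="optional"/>
      <login-module code="RealmDirect" flag="required"/>
    </authentication>
  </security-domain>
</security-domains>
"""
JBOSS_WEB = "<jboss-web><security-domain>KERBEROS-TEST</security-domain></jboss-web>"


def _parse(text):
    """Parse XML and drop namespaces so fragments and full files match alike."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root


def audit_domains(domains_xml, jboss_web_xml):
    """Return findings about the declared domains and the one the WAR names."""
    domains = {d.get("name"): d for d in _parse(domains_xml).iter("security-domain")}
    referenced = (_parse(jboss_web_xml).findtext("security-domain") or "").strip()
    findings = []
    if referenced not in domains:
        findings.append(f"{referenced}: referenced by jboss-web.xml but not defined")
    for name, dom in domains.items():
        # Nested as in the two configurations the post reports as working.
        stacked = dom.findall("authentication/login-module")
        # Placed directly under <security-domain>, as in the KERBEROS-TEST block.
        for stray in dom.findall("login-module"):
            findings.append(f"{name}: {stray.get('code')} is outside <authentication>")
        if not stacked:
            findings.append(f"{name}: no login-module inside <authentication>")
    return findings
```

Calling `audit_domains(SECURITY_DOMAINS, JBOSS_WEB)` returns two findings, both for KERBEROS-TEST, and none for `other`.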