1 Reply Latest reply on Jul 30, 2014 7:05 AM by johnburgess

    Login Module Not Working

    pradeepsixer

      We are using a custom Kerberos login module in our application. Previously, on JBoss 5, it used to work fine.

      But now, after migrating to JBoss EAP 6.1, it does not work. The only difference we made from the usual Krb5LoginModule is reading the principal name and keytab location from a file, rather than sending it as an option.

      I tested the setup with Sun's Krb5LoginModule instead of our own. It worked out perfectly. So I copied Sun's Krb5LoginModule.java source and pasted it exactly as it was, and then passed the same options to the module, but no luck. When I open the browser and enter the SPN, it only shows me a 401 Unauthenticated page. It does not invoke the SPNEGO authentication. Here is my configuration:

       

      <security-domain name="host" cache-type="default">
          <authentication>
              <login-module code="com.spnegotest.CustomKrb5LoginModule" flag="required">
                  <module-option name="storeKey" value="true"/>
                  <module-option name="useKeyTab" value="true"/>
                  <module-option name="principal" value="HTTP/test70.spnegotest.com"/>
                  <module-option name="keyTab" value="E:/IWA/iwatest.keytab"/>
                  <module-option name="doNotPrompt" value="true"/>
                  <module-option name="debug" value="true"/>
              </login-module>
          </authentication>
      </security-domain>
      

      However, if I change the

       

      <login-module code="com.spnegotest.CustomKrb5LoginModule" flag="required">
      

       

      to Sun's Krb5LoginModule, it works fine.

       

      <login-module code="Kerberos" flag="required">
      

       

      The above piece of configuration works perfectly.

      So, why am I getting the 401 authenticated with my piece of code, when it is an exact replica of the original Krb5LoginModule with only the class name and package changed?

      Also, with the debug option turned on, there are no debug messages logged, even the ones in the initialize method. So what is wrong with the configuration?

        • 1. Re: Login Module Not Working
          johnburgess

          We are also having problems with a custom login module not seeming to be called.  With a setup just like yours we noticed when the org.jboss.security logging was set to trace that it wasn't able to load the custom login module.  We fixed that by adding

          module="rdl.DigestLoginModule" where rdl.DigestLoginModule is the name of the module containing our login module.  After that we didn't see any messages about class not found.

           

          However, I'm afraid to say that it still seems to not be called.  I haven't as yet been able to find any reason for this.  If you could let us know anything you find out I'd be very grateful!
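
The two steps the reply describes, applied to the configuration from the question, as an added example that is not part of either post: raising `org.jboss.security` to TRACE in the logging subsystem, and adding a `module` attribute to the `login-module` element. The module name `com.spnegotest.loginmodule` is a hypothetical placeholder.

```xml
<!-- Added example for standalone.xml; the module name below is an assumed placeholder. -->

<!-- 1. Logging subsystem: trace the security layer so that a failure to load
        the login module class shows up in the server log. The log handler's
        own level must also allow TRACE for these messages to appear. -->
<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>

<!-- 2. Security subsystem: name the JBoss module that contains the custom class.
        The value must match the name declared in that module's module.xml
        under the server's modules directory. -->
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="com.spnegotest.CustomKrb5LoginModule"
                      module="com.spnegotest.loginmodule"
                      flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/test70.spnegotest.com"/>
            <module-option name="keyTab" value="E:/IWA/iwatest.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
```

As the reply notes, clearing the class-not-found messages did not by itself get the module invoked, so the trace output is what to check after making the change.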