-
1. Re: Using Kerberos for Datasource Authentication
jesper.pedersen Aug 20, 2014 2:25 PM (in response to markusjboss123)
Start by using the 8.x branch, and try the following as a starting point

<security-domain name="DatabaseUser" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="value"/>      <!-- CHANGE -->
            <module-option name="principal" value="value"/>   <!-- CHANGE -->
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="useTicketCache" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="ticketCache" value="/tmp/krb"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="isInitiator" value="true"/>
            <module-option name="addGSSCredential" value="true"/>
            <module-option name="delegationCredential" value="USE"/>
        </login-module>
    </authentication>
</security-domain>

for the security domain. Your datasource likely needs options too.
-
2. Re: Using Kerberos for Datasource Authentication
markusjboss123 Sep 10, 2014 11:27 AM (in response to jesper.pedersen)
First of all, thank you for your answer.
It took some time to create a keyTab file because it's the customer's infrastructure and there were some problems with a valid SPN and so on.
But now back to the configuration.
I inserted the lines you wrote for my database connection, but if I start our WildFly, I always get an exception (see some lines below).
First I thought the keyTab file was wrong, or the principal was wrong or something like that, but if I comment out the "keyTab" line and the "principal" line, I get exactly the same error.
Then I tried to rename the keyTab file to see if there would be a file-not-found error or something, but actually I'm not sure if this option has any influence at all.
Do you have any suggestions?
What do you mean by "my datasource likely needs options"?
The connection-url has some special parameters which already worked for a connection with SQuirreL. Are there more?
Thank you in advance for your response!
Markus
We are using the WildFly 8.0.0 Final release.
Here is the exception:
2014-09-10 16:48:51,452 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1184)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1179)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1178)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:637)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:283)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:310)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:124)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
And if I test the connection (with the admin interface), I get this error message:
2014-09-10 17:18:02,541 ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (XNIO-1 task-7) IJ000614: Exception during createSubject() PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.0.20.Final.jar:4.0.20.Final]
at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:130) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:125) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:124) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:86) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:591) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:469) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:273) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:268) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:272) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:146) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.domain.http.server.DomainApiHandler.handleRequest(DomainApiHandler.java:169)
at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:72)
at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:68)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:68)
at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:63)
at io.undertow.server.handlers.BlockingHandler.handleRequest(BlockingHandler.java:50)
at org.jboss.as.domain.http.server.DomainApiCheckHandler.handleRequest(DomainApiCheckHandler.java:77)
at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
2014-09-10 17:18:02,541 ERROR [org.jboss.as.controller.management-operation] (XNIO-1 task-7) JBAS014613: Operation ("test-connection-in-pool") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "DSDatabase")
]) - failure description: "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid"
-
3. Re: Using Kerberos for Datasource Authentication
jesper.pedersen Sep 10, 2014 11:39 AM (in response to markusjboss123)
Build the WildFly 8.x branch, with IronJacamar 1.1.8-SNAPSHOT, and retry. WildFly 8.0 is too old.
-
4. Re: Using Kerberos for Datasource Authentication
markusjboss123 Sep 11, 2014 3:05 AM (in response to jesper.pedersen)
Thank you for your really fast answer.
I think we will wait for the next stable release with IronJacamar >= 1.1.8.
Greetings
Markus
-
5. Re: Using Kerberos for Datasource Authentication
jesper.pedersen Sep 11, 2014 7:45 AM (in response to markusjboss123)
Just start with WildFly 8.x then. IJ 1.1.8 will likely be released later this month based on community feedback, then you can use http://www.ironjacamar.org/doc/userguide/1.1/en-US/html/ch03.html#installas
-
6. Re: Using Kerberos for Datasource Authentication
ke88yun Dec 12, 2014 6:17 PM (in response to jesper.pedersen)
I am using WildFly 8.2 and seeing the following errors:
==================================================
2014-12-12 15:12:43,071 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: No matching credentials in Subject!
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1166) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:222) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:1166) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:446) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.internalTestConnection(AbstractPool.java:764) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:89) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:660) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:501) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:298) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:293) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:276) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:199) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:130) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)
at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final.jar:2.1.1.Final]
-
7. Re: Using Kerberos for Datasource Authentication
simkam Dec 16, 2014 4:48 AM (in response to ke88yun)
Are you sure that authentication was successful?
Do you use KerberosLoginModule from JBoss Negotiation with the property addGSSCredential=true?
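A standalone check that separates the two failure modes seen in this thread: "Access denied: authentication failed" (the keytab/principal pair from the security domain in reply 1 never obtains a TGT) and "No matching credentials in Subject!" (the login succeeded but the Subject carries no GSSCredential, which is what simkam's addGSSCredential question is about). This is an added example and not code from the thread, from WildFly or from JBoss Negotiation. It logs in with the JDK's own com.sun.security.auth.module.Krb5LoginModule using the same options as the security domain above, then acquires an initiator GSSCredential inside the logged-in Subject and stores it in the Subject's private credentials, which is an approximation of what addGSSCredential=true does in the JBoss Negotiation KerberosLoginModule. The class name KeytabCheck, the JAAS entry name and the command-line arguments are my own choices; it assumes the JVM can find a krb5.conf for the realm (java.security.krb5.conf or the platform default) and that the KDC is reachable.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Hypothetical helper (not part of WildFly): verifies a keytab/principal pair
 * outside the application server, with the same module options as the
 * DatabaseUser security domain, and then checks that a GSSCredential can be
 * placed in the Subject the way addGSSCredential=true is expected to do.
 */
public class KeytabCheck {

    /** Step 1: obtain a TGT from the keytab. Fails with LoginException on a bad keytab, principal or KDC. */
    public static Subject loginWithKeytab(final String principal, final String keytabPath) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Same options as the security domain in reply 1, minus the JBoss-specific ones.
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("storeKey", "true");
                opts.put("keyTab", keytabPath);
                opts.put("principal", principal);
                opts.put("doNotPrompt", "true");
                opts.put("isInitiator", "true");
                opts.put("refreshKrb5Config", "true");
                opts.put("debug", "true");   // prints the KDC exchange, useful when login fails
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                              LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
        // "KeytabCheck" is an arbitrary JAAS entry name; the Configuration above ignores it.
        LoginContext lc = new LoginContext("KeytabCheck", new Subject(), null, config);
        lc.login();
        return lc.getSubject();
    }

    /** Step 2: approximate addGSSCredential=true by acquiring an initiator credential inside the Subject. */
    public static GSSCredential addGssCredential(final Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
            GSSCredential cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                          krb5Mech, GSSCredential.INITIATE_ONLY);
            // This is what a datasource pool looks for when it says "No matching credentials in Subject".
            subject.getPrivateCredentials().add(cred);
            return cred;
        });
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeytabCheck <principal> <path-to-keytab>");
            System.exit(2);
        }
        Subject subject = loginWithKeytab(args[0], args[1]);
        System.out.println("Kerberos login OK, principals in Subject: " + subject.getPrincipals());

        GSSCredential cred = addGssCredential(subject);
        System.out.println("GSS credential for " + cred.getName()
                + ", remaining lifetime " + cred.getRemainingLifetime() + "s");
        System.out.println("GSSCredential objects in Subject: "
                + subject.getPrivateCredentials(GSSCredential.class).size());
    }
}
```

Run it with the same principal and keytab path that the security domain uses, for example `java KeytabCheck <principal-from-keytab> <path-to-keytab>`. If step 1 throws a LoginException the problem is in the keytab, the principal name or the KDC/krb5.conf, not in WildFly, and the debug output shows which. If step 1 succeeds but the datasource still reports "No matching credentials in Subject!", the login module inside the server is not adding the GSSCredential, which is exactly the addGSSCredential=true question simkam raises.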