7 Replies Latest reply on Dec 16, 2014 4:48 AM by simkam

    Using Kerberos for Datasource Authentication

    markusjboss123

      Hello,

      I have the problem that one of our customers is going to use Kerberos as the database authentication method. Now I shall switch our WildFly from the good old "user/password" system to Kerberos against the database.

      All I found so far was using Kerberos for user authentication on the WildFly side, but unfortunately nothing on how to use Kerberos for the database authentication. In this scenario WildFly would be the "client" that authenticates against the database.

      My question now is: is there a way to do that? If yes, where can I find the documentation about it?

      In the WildFly Admin Guide (Admin Guide - WildFly 8 - Project Documentation Editor) there is a link to the JBoss AS7 Security Domain Model, but nothing about Kerberos.

      Any help would be greatly appreciated!

         Markus

        • 1. Re: Using Kerberos for Datasource Authentication
          jesper.pedersen

          Start by using the 8.x branch, and try the following as a starting point

           <!-- security domain: WildFly logs in to the KDC with a keytab; change the two marked values -->
           <security-domain name="DatabaseUser" cache-type="default">
             <authentication>
               <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
                 <module-option name="storeKey" value="true"/>
                 <module-option name="useKeyTab" value="true"/>
                 <module-option name="keyTab" value="value"/>      <!-- CHANGE: path to the keytab file -->
                 <module-option name="principal" value="value"/>   <!-- CHANGE: principal contained in the keytab -->
                 <module-option name="doNotPrompt" value="true"/>
                 <module-option name="useTicketCache" value="true"/>
                 <module-option name="debug" value="true"/>
                 <module-option name="ticketCache" value="/tmp/krb"/>
                 <module-option name="refreshKrb5Config" value="true"/>
                 <module-option name="isInitiator" value="true"/>
                 <module-option name="addGSSCredential" value="true"/>
                 <module-option name="delegationCredential" value="USE"/>
               </login-module>
             </authentication>
           </security-domain>

          for the security domain. Your datasource likely needs options too.
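          A worked configuration for the datasource side, added here as an editor's example; it is not from this thread and not from the WildFly or IronJacamar documentation. It pairs the security domain above with a datasource that references it instead of carrying a user-name/password, and changes two settings a practitioner would want changed before production (no ticket cache under /tmp, debug off). The JNDI name, connection URL, driver name, host names, keytab path and principal are assumptions; the driver-specific connection properties are shown for two common JDBC drivers and must be checked against your driver's documentation.

```xml
<!-- Added example (not from the thread): standalone.xml fragments for WildFly 8.x -->

<!-- 1. Security subsystem: the domain WildFly uses to log in to the KDC -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="DatabaseUser" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.negotiation.KerberosLoginModule"
                      flag="required" module="org.jboss.security.negotiation">
          <!-- principal of the application server, exactly as `klist -k` lists it in the keytab (assumed value) -->
          <module-option name="principal" value="wildfly/app01.example.com@EXAMPLE.COM"/>
          <module-option name="useKeyTab" value="true"/>
          <!-- keytab outside /tmp, owned by the OS user WildFly runs as, mode 0600 (assumed path) -->
          <module-option name="keyTab" value="/opt/wildfly/keytabs/wildfly.keytab"/>
          <module-option name="storeKey" value="true"/>
          <module-option name="doNotPrompt" value="true"/>
          <module-option name="isInitiator" value="true"/>
          <!-- places an initiator GSSCredential in the Subject; that is the credential the datasource uses -->
          <module-option name="addGSSCredential" value="true"/>
          <module-option name="refreshKrb5Config" value="true"/>
          <!-- deliberately no useTicketCache/ticketCache: a cache file under world-writable /tmp
               is exposed to every local user, and the keytab already lets the server re-acquire a TGT -->
          <!-- debug=true only while troubleshooting; it logs principal names and ticket details -->
          <module-option name="debug" value="false"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- 2. Datasources subsystem: no user-name/password, the security domain supplies the credential -->
<subsystem xmlns="urn:jboss:domain:datasources:2.0">
  <datasources>
    <datasource jndi-name="java:jboss/datasources/DSDatabase" pool-name="DSDatabase" enabled="true">
      <!-- assumed URL; keep whatever parameters already worked from your SQL client -->
      <connection-url>jdbc:sqlserver://db01.example.com:1433;databaseName=app</connection-url>
      <driver>sqlserver</driver>
      <!-- driver-specific switch to Kerberos authentication. Microsoft JDBC driver: -->
      <connection-property name="integratedSecurity">true</connection-property>
      <connection-property name="authenticationScheme">JavaKerberos</connection-property>
      <!-- Oracle JDBC driver would use instead:
           <connection-property name="oracle.net.authentication_services">(KERBEROS5)</connection-property> -->
      <security>
        <!-- the Subject created from this domain is handed to the pool (PoolBySubject in the traces below) -->
        <security-domain>DatabaseUser</security-domain>
      </security>
    </datasource>
    <drivers>
      <driver name="sqlserver" module="com.microsoft.sqlserver">
        <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
      </driver>
    </drivers>
  </datasources>
</subsystem>
```

          After deploying, `test-connection-in-pool` from the CLI or admin console exercises exactly the path in the stack traces in this thread (PoolBySubject.testConnection -> createSubject -> JDBC connect), so it is a quick end-to-end check of both the login module and the driver properties.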

          • 2. Re: Using Kerberos for Datasource Authentication
            markusjboss123

            First of all, thank you for your answer.

            It took some time to create a keytab file because it's the customer's infrastructure, and there were some problems with a valid SPN and so on.

            But now back to the configuration.

            I inserted the lines you wrote for my database connection, but when I start our WildFly I always get an exception (see some lines below).

            First I thought the keytab file is wrong, or the principal is wrong, or something like that, but if I comment out the "keyTab" line and the "principal" line I get exactly the same error.

            Then I tried to rename the keytab file to see if there would be a file-not-found error or something, but actually I'm not sure if this option has any influence at all.

            Do you have any suggestions?

            What do you mean by "my datasource likely needs options"?

            The connection-url has some special parameters which already worked for a connection with SQuirreL. Are there more?

            Thank you in advance for your response!

               Markus

            We are using the WildFly 8.0.0.Final release.

            Here is the exception.

            2014-09-10 16:48:51,452 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1184)
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1179)
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1178)
                at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:637)
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:283)
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:310)
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:124)
                at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]


            And if I test the connection (with the admin interface), I get this error message:

            2014-09-10 17:18:02,541 ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (XNIO-1 task-7) IJ000614: Exception during createSubject() PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.0.20.Final.jar:4.0.20.Final]
                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:130) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:125) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:124) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:86) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]
                at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:591) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:469) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:273) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:268) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:272) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:146) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.domain.http.server.DomainApiHandler.handleRequest(DomainApiHandler.java:169)
                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:72)
                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:68)
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
                at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
                at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:68)
                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:63)
                at io.undertow.server.handlers.BlockingHandler.handleRequest(BlockingHandler.java:50)
                at org.jboss.as.domain.http.server.DomainApiCheckHandler.handleRequest(DomainApiCheckHandler.java:77)
                at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52)
                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168)
                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

            2014-09-10 17:18:02,541 ERROR [org.jboss.as.controller.management-operation] (XNIO-1 task-7) JBAS014613: Operation ("test-connection-in-pool") failed - address: ([
                ("subsystem" => "datasources"),
                ("data-source" => "DSDatabase")
            ]) - failure description: "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid"

            • 3. Re: Using Kerberos for Datasource Authentication
              jesper.pedersen

              Build the WildFly 8.x branch, with IronJacamar 1.1.8-SNAPSHOT, and retry. WildFly 8.0 is too old.

              • 4. Re: Using Kerberos for Datasource Authentication
                markusjboss123

                Thank you for your really fast answer.

                I think we will wait for the next stable release with IronJacamar >= 1.1.8.

                Greetings

                     Markus

                • 5. Re: Using Kerberos for Datasource Authentication
                  jesper.pedersen

                  Just start with WildFly 8.x then. IJ 1.1.8 will likely be released later this month based on community feedback, then you can use http://www.ironjacamar.org/doc/userguide/1.1/en-US/html/ch03.html#installas

                  • 6. Re: Using Kerberos for Datasource Authentication
                    ke88yun

                    I am using WildFly 8.2 and seeing the following errors

                    ==================================================

                    2014-12-12 15:12:43,071 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: No matching credentials in Subject!
                            at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1166) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:222) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:1166) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:446) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.jca.core.connectionmanager.pool.AbstractPool.internalTestConnection(AbstractPool.java:764) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:89) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]
                            at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:660) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:501) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:298) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:293) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:276) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:199) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:130) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
                            at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
                            at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]
                            at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)
                            at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)
                            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                            at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
                            at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final.jar:2.1.1.Final]

                    • 7. Re: Using Kerberos for Datasource Authentication
                      simkam

                      Are you sure that authentication was successful?

                      Do you use the KerberosLoginModule from JBoss Negotiation with the property addGSSCredential=true?
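                      The two failures in this thread, "PBOX000016: Access denied: authentication failed" in reply 2 and "No matching credentials in Subject!" in reply 6, split at the same two points: did the JAAS login against the KDC succeed, and did it leave an initiator GSSCredential in the Subject? The stand-alone program below is an editor's addition, not code from the thread, from WildFly or from IronJacamar. It runs the JDK's Krb5LoginModule with the same options the security domain passes (keytab, principal, storeKey, doNotPrompt, isInitiator) and then requests the initiator credential the way addGSSCredential=true does. Run it on the WildFly host as the OS user WildFly runs as, so it sees the same krb5.conf, keytab permissions and clock. The class name, keytab path and principal on the command line are assumptions; a failure in step 1 points at the keytab, SPN, krb5.conf or clock skew rather than at the application server, and a success in both steps leaves only the datasource/driver configuration and the IronJacamar version to look at.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Added example (not from the thread): checks, outside WildFly, whether a keytab and principal
 * log in against the KDC and yield an initiator GSS credential. Java 7 compatible.
 *
 *   java -Djava.security.krb5.conf=/etc/krb5.conf KeytabLoginCheck \
 *        /opt/wildfly/keytabs/wildfly.keytab wildfly/app01.example.com@EXAMPLE.COM   (assumed values)
 */
public class KeytabLoginCheck {

    /** Same options the security domain hands to the Kerberos login module. */
    static Configuration keytabConfig(String keytab, String principal) {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");      // keep the long-term key in the Subject as WildFly does
        opts.put("doNotPrompt", "true");   // fail instead of prompting; the server has no console either
        opts.put("isInitiator", "true");   // obtain a TGT, which is what a database client needs
        opts.put("refreshKrb5Config", "true");
        opts.put("debug", "true");         // prints keytab entries and the KDC exchange to stdout
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Step 1: JAAS login. A failure here is keytab, principal, krb5.conf or clock, not WildFly. */
    static Subject login(String keytab, String principal) throws LoginException {
        Configuration.setConfiguration(keytabConfig(keytab, principal));
        LoginContext lc = new LoginContext("KeytabCheck");
        lc.login();
        return lc.getSubject();
    }

    /** Step 2: the initiator credential that addGSSCredential=true would place in the Subject. */
    static GSSCredential initiatorCredential(Subject subject) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws GSSException {
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
                return GSSManager.getInstance().createCredential(
                        null, GSSCredential.DEFAULT_LIFETIME, krb5Mech, GSSCredential.INITIATE_ONLY);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeytabLoginCheck <keytab> <principal@REALM>");
            System.exit(2);
        }
        Subject subject;
        try {
            subject = login(args[0], args[1]);
        } catch (LoginException e) {
            System.err.println("LOGIN FAILED: " + e.getMessage());
            System.exit(1);
            return;
        }
        System.out.println("Principals: " + subject.getPrincipals());
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("Ticket " + t.getClient() + " -> " + t.getServer()
                    + ", valid until " + t.getEndTime());
        }
        GSSCredential cred = initiatorCredential(subject);
        System.out.println("Initiator credential for " + cred.getName()
                + ", " + cred.getRemainingLifetime() + "s remaining");
    }
}
```

                      If step 1 fails with the keyTab and principal options commented out as well, as described in reply 2, the module is falling back to the default ticket cache of the OS user, so the check should be repeated after `kdestroy` to make sure the keytab itself is what is being tested.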