5 Replies Latest reply on Apr 28, 2011 4:27 PM by Sarris Overbosch

    Integrating JBoss Negotiation with a seam application

    Sarris Overbosch Newbie

      Hi All,


      I've got the configuration of windows authentication working, used the toolkit to test it (this took some time because of network configuration issues). So now the next step is to get a seam based application working with the setup configured using the toolkit. The first problem I got was that I could not alter the auth-method in the web.xml, this can only contain BASIC, DIGEST, FORM or CLIENT-CERT, so the question is what value do I have to put in here (I tried BASIC which should be correct according to some source on the net). But this didn't even get the Authenticator filter to be activated, at least I didn't see no logging it was being accessed.  The next question is why didn't the Authenticator get involved, is this because the security-constraint part in the web.xml contains <auth-constraint/> (The toolkit has some roles defined in the web.xml)

      Another question to ask is if it is even possible to have the Authenticator in place when a seam application is developed, seam has it's own filtering in place so I decided to port the Authenticator to a seam web filter and this is working till the first step in the negotiation with the KDC (NegTokenInit message is send but never get to the NegTokenTarg messsage) and another thing which worries me is that this filter get called at least zeven times so the question arises will this ever work (probably it will because when the pricinpal is set I won't do any SPNEGO related stuff anymore)


      The bottomline of this story is if there is a resource (either person or example/tutorial) which described how to use JBoss Negotiation in conjunction with the Seam security framework? Or is this impossible?


      Hoping on quick reply from the cloud,



        • 1. Integrating JBoss Negotiation with a seam application
          Anil Saldanha Master

          You need this to be completed:  https://issues.jboss.org/browse/SEAMSECURITY-17


          Seam needs to leverage the end results of the Web Container authentication mechanism.

          • 2. Integrating JBoss Negotiation with a seam application
            Sarris Overbosch Newbie

            Hi Anil,


            True, but that will take some time before this will be solved by the community. I'm now trying to write my of filter using the negotiation project as an example and are at the moment trying to fetch the information which is collected by the login module and put it in the Identity so seam framework can use it. It takes some time to get it all to work because I'm not that knowledgeable about the security and filter stuff in the seam framework. But thanks for your reply.





            • 3. Integrating JBoss Negotiation with a seam application
              Sarris Overbosch Newbie

              So after a some hours of hard work I got it working, at least basically . I am now able to automatically login a user which is logged on to the domain and as long as the user goes to the context of the webapp it is working as soon as the user goes to the webapp using a bookmark then it fails.

              So http://jboss.server.com/appcontext will work but http://jboss.server.com/appcontext/pages/other/Main.seam will give the following stack trace and I am not sure what is causing this. Another issue it that when the user uses http://jboss.server.com/appcontext he/she will always end up at the login page and if you then use http://jboss.server.com/appcontext/pages/other/Main.seam you will end up on that requested page. So somewhere I am missing something/doing something wrong. Anybody who can help me on this issue????


              2011-04-15 17:26:22,041 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/application].[Faces Servlet]] (http- Servlet.service() for servlet Faces Servlet threw exception


                  at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)

                  at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:272)

                  at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)

                  at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)

                  at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)

                  at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)

                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

                  at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)

                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

                  at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)

                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

                  at com.company.web.framework.SpnegoFilter.doSPNEGOAuthorization(SpnegoFilter.java:137)

                  at com.company.web.framework.SpnegoFilter.doFilter(SpnegoFilter.java:51)

                  at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

                  at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)

                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)

                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

                  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)

                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)

                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

                  at java.lang.Thread.run(Thread.java:662)

              • 4. Integrating JBoss Negotiation with a seam application
                Sarris Overbosch Newbie

                So to give a little status update on this, I've got it working at least on Windows XP it is working. Now the customer also uses Windows 7 with IE8 and this combination is failing to work. When debugging it seams like IE is not handling the WWW-Authenticate error response which is send to the browser and I am clueless at the moment as to what is causing this. So if anybody has a pointer in the right direction for me I would be extremely happy!

                • 5. Integrating JBoss Negotiation with a seam application
                  Sarris Overbosch Newbie

                  So one step closer, after a day of investigation I found that the "Network Security: Configure encryption types allowed for Kerberos" which is reachable through "Local Security Policy", which is part of the Administrative tools of Windows 7, didn't have any value. So I selected the RC4_HMAC_MD5 encryption type and now the negotiation goes further then the initial WWW-Authenticate: Negotiate step but now fails in the third step with on the server side the message:


                  java.io.IOException: Unexpected message type

                      at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decodeNegTokenTargSequence(NegTokenTargDecoder.java:111)

                      at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decode(NegTokenTargDecoder.java:126)

                      at org.jboss.security.negotiation.spnego.SPNEGOMessageFactory.createMessage(SPNEGOMessageFactory.java:73)

                      at org.jboss.security.negotiation.DelegatingMessageFactory.createMessage(DelegatingMessageFactory.java:61)

                      at com.raetsmarine.web.framework.SpnegoFilter.doSPNEGOAuthorization(SpnegoFilter.java:130)

                      at com.raetsmarine.web.framework.SpnegoFilter.doFilter(SpnegoFilter.java:61)



                  So is there anybody out there who had the same problem and knows the solution?