2 Replies Latest reply on Nov 9, 2012 8:47 AM by Josef Cacek

    Issue while implementing SPNEGO using Jboss Negotiation?

    Puneet Kankane Newbie

      Hi,

       

      I am implementing "Integrated Windows Authentication" using SPNEGO in JBoss EAP 5.1.2 by referring to the JBoss Negotiation User Guide. I have completed all the tasks mentioned in the guide with a basic SPNEGOLoginModule & UserRolesLoginModule configuration. I have deployed the negotiation kit application to the server.

       

      While starting the server I am getting a one-line error, as shown below:

       

       

        ERROR [org.apache.catalina.startup.ContextConfig] (main) Cannot configure an authenticator for method SPNEGO
      
      

       

      As mentioned in the guide, I had enabled TRACE. While starting to deploy the app I can see the following log:

       

      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) ctor, contextID=jboss-negotiation-toolkit-2.0.3.SP1
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebResourcePermission /Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebResourcePermission /:/Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /:/Secured/*)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToUncheckedPolicy, p=(javax.security.jacc.WebUserDataPermission /)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission BasicNegotiation HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission NTLMNegotiation HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission SecurityDomainTest HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission Secured HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission BasicNegotiation HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission NTLMNegotiation HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission SecurityDomainTest HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission Secured HttpInvoker)
      2012-09-03 12:13:51,305 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) addToRole, roleName=HttpInvoker, p=(javax.security.jacc.WebRoleRefPermission HttpInvoker)
      2012-09-03 12:13:51,306 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] (main) commit:jboss-negotiation-toolkit-2.0.3.SP1
      2012-09-03 12:13:51,310 INFO [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (main) deploy, ctxPath=/jboss-negotiation-toolkit-2.0.3.SP1
      2012-09-03 12:13:51,318 ERROR [org.apache.catalina.startup.ContextConfig] (main) Cannot configure an authenticator for method SPNEGO
      2012-09-03 12:13:51,318 ERROR [org.apache.catalina.startup.ContextConfig] (main) Marking this application unavailable due to previous error(s)
      2012-09-03 12:13:51,318 ERROR [org.apache.catalina.core.StandardContext] (main) Context [/jboss-negotiation-toolkit-2.0.3.SP1] startup failed due to previous errors
      2012-09-03 12:13:51,321 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main) Error installing to Start: name=jboss.web.deployment:war=/jboss-negotiation-toolkit-2.0.3.SP1 state=Create mode=Manual requiredState=Installed
      org.jboss.deployers.spi.DeploymentException: URL file:/appdata1/JBossInstaller/jboss-eap-5.1/jboss-as/server/default/deploy/jboss-negotiation-toolkit-2.0.3.SP1/ deployment failed
      at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:334)
      
      

       

      But at the end it ends with a simple error message - Cannot configure an authenticator for method SPNEGO.

       

      Am I missing any obvious setting which is not present in the guide?

      Has anyone come across such an error/issue? Please let me know what could be the problem.

       

      Thanks in advance,

      Puneet

        • 2. Re: Issue while implementing SPNEGO using Jboss Negotiation?
          Josef Cacek Newbie

          The problem will be related to the PicketLinkAuthenticator, which is referenced from war-deployers-jboss-beans.xml but is not on the classpath by default. This results in other custom authenticators not working.

           

          The issue is reported already: https://issues.jboss.org/browse/JBPAPP-9544

           

          The workaround is to drop this entry from the configuration:

           

                      <entry>
                         <key>SECURITY_DOMAIN</key>
                         <value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value>
                      </entry>
          

           

          So the correct value of the authenticators property can look like this:

           

          <property name="authenticators">
                    <map class="java.util.Properties" keyClass="java.lang.String"
                              valueClass="java.lang.String">
                              <entry>
                                        <key>BASIC</key>
                                        <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
                              </entry>
                              <entry>
                                        <key>CLIENT-CERT</key>
                                        <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
                              </entry>
                              <entry>
                                        <key>DIGEST</key>
                                        <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
                              </entry>
                              <entry>
                                        <key>FORM</key>
                                        <value>org.apache.catalina.authenticator.FormAuthenticator</value>
                              </entry>
                              <entry>
                                        <key>NONE</key>
                                        <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
                              </entry>
                              <entry>
                                        <key>SPNEGO</key>
                                        <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
                              </entry>
                    </map>
          </property>
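
A pre-start check for the failure described in this answer, as an added example that is not part of the original post or of JBoss: it reads the `authenticators` map and reports every entry whose class is in none of the supplied jars. The function names, the shortened sample XML and the in-memory jar are constructed for illustration; on a real server you would pass the jar files that make up the server's classpath.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace, so a namespaced beans file parses too."""
    return tag.rsplit("}", 1)[-1]

def parse_authenticators(xml_text):
    """Return {auth-method: class name} from the 'authenticators' property."""
    result = {}
    for prop in ET.fromstring(xml_text).iter():
        if local(prop.tag) != "property" or prop.get("name") != "authenticators":
            continue
        for entry in prop.iter():
            if local(entry.tag) == "entry":
                fields = {local(c.tag): (c.text or "").strip() for c in entry}
                result[fields["key"]] = fields["value"]
    return result

def classes_in_jar(jar_file):
    """Fully qualified names of the classes packaged in one jar."""
    with zipfile.ZipFile(jar_file) as jar:
        return {n[:-6].replace("/", ".") for n in jar.namelist() if n.endswith(".class")}

def unresolved(xml_text, jars):
    """Sorted (method, class) pairs whose class is in none of the given jars."""
    available = set().union(*(classes_in_jar(j) for j in jars))
    found = parse_authenticators(xml_text)
    return sorted((k, v) for k, v in found.items() if v not in available)

# Constructed sample: a shortened map holding three of the entries quoted on
# this page, and an in-memory jar standing in for the server classpath.
SAMPLE_XML = """<property name="authenticators"><map class="java.util.Properties">
<entry><key>BASIC</key><value>org.apache.catalina.authenticator.BasicAuthenticator</value></entry>
<entry><key>SECURITY_DOMAIN</key><value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value></entry>
<entry><key>SPNEGO</key><value>org.jboss.security.negotiation.NegotiationAuthenticator</value></entry>
</map></property>"""

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/catalina/authenticator/BasicAuthenticator.class", b"")
        jar.writestr("org/jboss/security/negotiation/NegotiationAuthenticator.class", b"")
    return buf

if __name__ == "__main__":
    for method, cls in unresolved(SAMPLE_XML, [sample_jar()]):
        print(f"{method}: {cls} is not on the supplied classpath")
```
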