0 Replies Latest reply on Nov 27, 2013 11:27 AM by swoeste

    Kerberos security domain is not recognized

    swoeste Newbie

      Hi Everyone,

       

      I have a little problem with my security domain configuration and need some help from some more experienced users.

       

      My application consists of 2 WARs which are packed in 1 EAR.

      One of the 2 WARs, the authentication.war, should be configured to use the Krb5LoginModule.

       

      For JBoss 4 we added the following configuration to the login-config.xml:

       

      <application-policy name = "other">     
       <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" 
            flag="required">
            <module-option name="debug" value="true" />
            <module-option name="storeKey" value="true" />
          </login-module>
       </authentication>      
      </application-policy>
      

       

      With JBoss 4 this works quiet well even if it is not very nice that it is the "other" application-policy.

       

      For JBoss 6 I configured it like this:

       

      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
              </login-module>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      

       

      Which is also working quiet well BUT I don't want that it is in the security-domain other any more, so I have made some changes ...

       

      <security-domain name="KERBEROS-TEST" cache-type="default">
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
              </login-module>
      </security-domain>
      
      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      

       

      ... and added a jboss-web.xml to my authentication.war:

       

      <jboss-web>  
        <security-domain>KERBEROS-TEST</security-domain>  
      </jboss-web>
      

       

      with this configuration it is not working any more.

       

      I think it ignores the KERBEROS-TEST security domain and directly goes to the other security-domain.

      If I have a look at the server.log I don't see any DEBUG output from Kerberos (I see a lot of it in the working configuration) and I think the module UsernamePasswordLoginModule is the one from the other security-domain.

       

      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:293)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      17:08:51,695 ERROR [stderr] (http-/0.0.0.0:8080-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      

       

      Does anyone have a clue what is going wrong here or could give me an advise how I could further analyse the problem?

       

      Kind regards,

      Sebastian