We are using a custom Kerberos login module in our application. Previously, on JBoss 5, it used to work fine.
But now, after migrating to JBoss EAP 6.1, it does not work. The only difference we made from the usual Krb5LoginModule is reading the principal name and keytab location from a file, rather than sending them as options.
I tested the setup with Sun's Krb5LoginModule instead of our own. It worked out perfectly. So, I copied Sun's Krb5LoginModule.java source and pasted it exactly as it was and then passed the same options to the module, but no luck. When I open the browser and enter the SPN, it only shows me a 401 Unauthenticated page. It does not invoke the SPNEGO authentication. Here is my configuration:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="com.spnegotest.CustomKrb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/test70.spnegotest.com"/>
            <module-option name="keyTab" value="E:/IWA/iwatest.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
However, if I change the
<login-module code="com.spnegotest.CustomKrb5LoginModule" flag="required">
to Sun's Krb5LoginModule, it works fine.
<login-module code="Kerberos" flag="required">
The above piece of configuration works perfectly.
So, why am I getting the 401 authenticated with my piece of code, when it is an exact replica of the original Krb5LoginModule with only the class name and package changed?
Also, with the debug option turned on, there are no debug messages logged, even the ones in the initialize method. So what is wrong with the configuration?