7 Replies Latest reply on Jun 9, 2009 11:19 AM by Zhiyong Li

    JBoss/WinXP/SPNEGO, Kerberos MIT/unix, JGSS question?

    benjamin coiffe Newbie



      Hello,

      I deployed my app in a JBoss server hosted on a Windows XP machine. The Kerberos MIT server is hosted on a Unix machine and I configured the JBoss negotiation module as documented, it worked like a treat!
      The app deployed in JBoss is a multi-tier... and therefore my final goal is too achieve kerberos credential delegation. Unfortunately, I am sort of stuck right at the beginning because I can not get anything from the jGSS API and I am not sure I am using it well as I am new to this api...
      Anyway, after a successful SPNEGO authentication, I can not get anything more that what is displayed on the Secured Servlet in the jboss-negotiation-toolkit...I tried to get the GSSContext to enable delegation, tried to retrieve a TGT or Credentials.getDefaultCredentials() and none of these things worked.

      So if anybody has some code snippets to share, I would be grateful!
      For the time being, I copy paste the content of the logs demonstrating a successful authentication in case somebody sees something wrong:

      
      10:12:56,403 DEBUG [NegotiationAuthenticator] Header - null
      10:12:56,403 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
      10:12:56,543 DEBUG [NegotiationAuthenticator] Header - Negotiate YIICcgYGKwYBBQUCoIICZjCCAmKgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggI9BIICOWCCAjUGCSqGSIb3EgECAgEAboICJDCCAiCgAwIBBaEDAgEOogcDBQAAAAAAo4IBNGGCATAwggEsoAMCAQWhEBsOSU5GT1JTRU5TRS5ORVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZwY2hldW5nLmluZm9yc2Vuc2UubmV0o4HnMIHkoAMCARChAwIBBKKB1wSB1BykOkLMeW4IHdaVfKqh5SyX5Yt6yk/T0DTJ4r39UXnJKWM6AXj3rgLFDpVkpjDBzkx/ElGQ+ZxhcFpF+bU6hQWmD2rwnxLzXq0kWWsxwrYQdvoXNXPpnZAtRIfqA3WweXD29R1NHcKK0/bIFRh2RtdcE5t1T0NLQD3as2Ig/o/wmKZ/EuA/w0+h3+Uj2DxIVzif81myKBlfB9jKOI7SXJSi64TkWp6ZJHdeXjV0RCtcDAyrpovFv7BLq+zCBY7rw5fQp8Uw+DV8i/PxJ3hLHIMaHTCOpIHSMIHPoAMCARCigccEgcTwOIkWUfDAbBm8j70hqs0bdIOnB2fDUdLoI7Z41ZhZrorJh+37ClGkp+Tq6OirGZbf19bjxKAhUdGozIILrLxE6cNl+NJBYnuEyW9/A7uDgG1sHCsemXuC2ReKqxeTtr4bWOxZkZF34qKdtzCfMyT8DqnhgEcRAB3Kw3/b7ceugqNY3mu0O1zY3jaxK5+sqhUH8mFJzGsXnBiNsqt4Bacuqwq5kP3o4tsauTSfx/LDC4RA28Gl+izgO2+pIVzbQ3Ei+6V5
      10:12:56,621 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
      10:12:56,731 DEBUG [SPNEGOLoginModule] serverSecurityDomain=bcoiffe
      10:12:56,746 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is C:/ECLIPSE_WORKSPACES/coral_fev2009/Kensington/jboss-4.2.2.GA/server/bcoiffe4.keytab refreshKrb5Config is false principal is HTTP/bcoiffe.company.net@COMPANY.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      10:12:56,746 INFO [STDOUT] principal's key obtained from the keytab
      10:12:56,793 INFO [STDOUT] principal is HTTP/bcoiffe.company.net@COMPANY.NET
      10:12:56,840 INFO [STDOUT] Acquire TGT using AS Exchange
      10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
      10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 5D FD 1C DF 6B 01 64 B6
      10:12:56,856 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
      0010: DC 26 FB A4 04 8F E9 BF
      10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
      10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
      10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: 5D FD 1C DF 6B 01 64 B6
      10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
      10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
      0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
      0010: DC 26 FB A4 04 8F E9 BF
      10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
      10:12:56,856 INFO [STDOUT] Commit Succeeded
      10:12:56,871 DEBUG [SPNEGOLoginModule] Subject = Subject:
       Principal: HTTP/bcoiffe.company.net@COMPANY.NET
       Private Credential: Ticket (hex) =
      0000: 61 82 01 0A 30 82 01 06 A0 03 02 01 05 A1 10 1B a...0...........
      0010: 0E 49 4E 46 4F 52 53 45 4E 53 45 2E 4E 45 54 A2 .COMPANY.NET.
      0020: 23 30 21 A0 03 02 01 00 A1 1A 30 18 1B 06 6B 72 #0!.......0...kr
      0030: 62 74 67 74 1B 0E 49 4E 46 4F 52 53 45 4E 53 45 btgt..COMPANY
      0040: 2E 4E 45 54 A3 81 C7 30 81 C4 A0 03 02 01 10 A1 .NET...0........
      0050: 03 02 01 01 A2 81 B7 04 81 B4 AC B4 8C 41 9E 06 .............A..
      0060: 75 FC 42 CC 8E D8 43 92 8E B8 CF C8 3B B2 4B 4B u.B...C.....;.KK
      0070: 59 D1 E0 5B 06 B7 C9 77 99 9D CE 79 2E 2E C0 FD Y..[...w...y....
      0080: 4C 60 4A F4 54 E4 AA 76 E1 F8 AE 97 05 67 7A FD L`J.T..v.....gz.
      0090: E6 EB E5 FF B0 82 A9 47 15 94 47 00 E9 11 8D DE .......G..G.....
      00A0: AB 9F 08 81 28 9F D9 F5 1D 64 3D 33 11 07 2B 46 ....(....d=3..+F
      00B0: B1 AC 7E 52 E3 A2 EE 76 79 E1 75 C2 30 40 9C FD ...R...vy.u.0@..
      00C0: 76 8A 50 04 A6 9C 1B 3D 53 FF 3F 0F BD 97 1C 22 v.P....=S.?...."
      00D0: 22 6D 51 64 68 83 85 BD 4E A8 2B 30 60 3A 87 5F "mQdh...N.+0`:._
      00E0: FB 48 95 FE A2 7B A0 E2 A5 90 AB B7 AE 1A 26 78 .H............&x
      00F0: 70 B2 E6 00 51 6B 9C C9 B9 9D E8 ED 07 EF E0 1B p...Qk..........
      0100: 93 A7 24 E7 C1 E7 E5 02 6B 14 8D F6 36 EA
      Client Principal = HTTP/bcoiffe.company.net@COMPANY.NET
      Server Principal = krbtgt/COMPANY.NET@COMPANY.NET
      Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: 13 A4 A4 94 C1 F8 2F 1F
      
      Forwardable Ticket false
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Sat Feb 21 10:12:49 GMT 2009
      Start Time = Sat Feb 21 10:12:49 GMT 2009
      End Time = Sat Feb 21 20:12:49 GMT 2009
      Renew Till = null
      Client Addresses Null
       Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
      
      
       Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: 5D FD 1C DF 6B 01 64 B6
      
       Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
      0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
      0010: DC 26 FB A4 04 8F E9 BF
      
      
      10:12:56,871 DEBUG [SPNEGOLoginModule] Logged in 'bcoiffe' LoginContext
      10:12:56,871 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
      10:12:56,965 DEBUG [SPNEGOLoginModule] context.getCredDelegState() = false
      10:12:56,965 DEBUG [SPNEGOLoginModule] context.getMutualAuthState() = false
      10:12:56,965 DEBUG [SPNEGOLoginModule] context.getSrcName() = isense01@COMPANY.NET
      10:12:56,965 DEBUG [SPNEGOLoginModule] Storing username 'isense01@COMPANY.NET' and empty password
      10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: Entering logout
      10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: logged out Subject